/*
 * Routines for smb2 packet dissection
 *
 * For documentation of this protocol, see:
 *
 * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/
 * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/
 * https://gitlab.com/wireshark/wireshark/-/wikis/SMB2
 *
 * If you edit this file, keep the wiki updated as well.
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <gerald@wireshark.org>
 * Copyright 1998 Gerald Combs
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
23 #include <epan/packet.h>
24 #include <epan/exceptions.h>
25 #include <epan/prefs.h>
26 #include <epan/expert.h>
28 #include <epan/srt_table.h>
29 #include <epan/aftypes.h>
30 #include <epan/to_str.h>
31 #include <epan/strutil.h>
32 #include <epan/asn1.h>
33 #include <epan/reassemble.h>
36 #include <wsutil/array.h>
38 #include "packet-smb2.h"
39 #include "packet-ntlmssp.h"
40 #include "packet-kerberos.h"
41 #include "packet-windows-common.h"
42 #include "packet-dcerpc-nt.h"
44 #include "read_keytab_file.h"
46 #include <wsutil/wsgcrypt.h>
47 #include <wsutil/ws_roundup.h>
48 #include <wsutil/crc32.h>
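/*
 * SECURITY_INFORMATION bit flags, copied from the Windows header winnt.h
 * (Defined in winnt.h). Every value is a distinct single bit, so they can be
 * OR-ed together and tested individually. The eight names match the
 * hf_smb2_getsetinfo_additional_* field handles declared further down in
 * this file.
 */
#define OWNER_SECURITY_INFORMATION      0x00000001
#define GROUP_SECURITY_INFORMATION      0x00000002
#define DACL_SECURITY_INFORMATION       0x00000004
#define SACL_SECURITY_INFORMATION       0x00000008
#define LABEL_SECURITY_INFORMATION      0x00000010
#define ATTRIBUTE_SECURITY_INFORMATION  0x00000020
#define SCOPE_SECURITY_INFORMATION      0x00000040
#define BACKUP_SECURITY_INFORMATION     0x00010000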
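/*
 * Debug helpers.
 *
 * DEBUG(...)      forwards its arguments to g_warning(). The callee name is
 *                 written as `g_ ## warning`, which the preprocessor pastes
 *                 into the single token g_warning.
 * HEXDUMP(p, sz)  casts p to `const uint8_t *` and hands it, with sz, to
 *                 do_hexdump().
 *
 * NOTE(review): the listing's original line numbers jump from 62 to 67, so
 * whatever conditional enables these macros (and any no-op fallback) is not
 * visible in this excerpt. HEXDUMP writes raw buffer contents to the error
 * stream, so it should only be reachable in debug builds; confirm the guard
 * in the full file.
 */
#define DEBUG(...) g_ ## warning(__VA_ARGS__)
/* Both arguments are parenthesised so that any expression can be passed. */
#define HEXDUMP(p, sz) do_hexdump((const uint8_t *)(p), (sz))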
/*
 * do_hexdump: debug helper that prints `len` bytes starting at `data` through
 * g_printerr(), 16 bytes per row. Each row starts with its offset ("%04x: "),
 * followed by a hex column and then an ASCII column.
 *
 * NOTE(review): this listing is lossy. The number at the start of a line is
 * the original file's line number, and the numbering skips between 68 and 99
 * (69, 71-73, 76, 79-80, 82-87 and 90-98 are absent). The return type, the
 * braces, the declarations of n and m and several statements are therefore
 * not shown; read what follows as excerpts, not as a complete function.
 */
70 do_hexdump (const uint8_t *data
, size_t len
)
/* Outer loop: n is the offset of the first byte of each 16-byte row. */
74 for (n
= 0; n
< len
; n
+= 16) {
75 g_printerr ("%04x: ", n
);
/* Hex column: m always runs up to n + 16, i.e. past len on a short last row. */
77 for (m
= n
; m
< n
+ 16; m
++) {
/* Every fourth position after the first in a row takes this branch. */
78 if (m
> n
&& (m
%4) == 0)
/*
 * NOTE(review): original lines 79-80 are missing from the listing at this
 * point. The data[m] read below stays inside the buffer only if one of those
 * lines is an `m < len` check; verify that against the full file before
 * trusting this helper with a length that is not a multiple of 16.
 */
81 g_printerr ("%02x ", data
[m
]);
/* ASCII column: bounded by both len and the row end; bytes that fail
 * g_ascii_isprint() are printed as '.'. */
88 for (m
= n
; m
< len
&& m
< n
+ 16; m
++)
89 g_printerr ("%c", g_ascii_isprint (data
[m
]) ? data
[m
] : '.');
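/* NT status codes that are given local names in this file. */
#define NT_STATUS_PENDING             0x00000103
#define NT_STATUS_BUFFER_TOO_SMALL    0xC0000023
#define NT_STATUS_STOPPED_ON_SYMLINK  0x8000002D
#define NT_STATUS_BAD_NETWORK_NAME    0xC00000CC

/* Prototypes only; both definitions are outside this excerpt. */
void proto_register_smb2(void);
void proto_reg_handoff_smb2(void);

/*
 * One-byte header discriminators. Presumably the first byte of the SMB2
 * ProtocolId (MS-SMB2 uses 0xFE for a plain header, 0xFD for the encrypted
 * Transform header and 0xFC for the Compression Transform header); the code
 * that reads this byte is not part of this excerpt.
 */
#define SMB2_NORM_HEADER 0xFE
#define SMB2_ENCR_HEADER 0xFD
#define SMB2_COMP_HEADER 0xFC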
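/*
 * File-scope pointer to a wmem map. Judging by the name it holds the SMB2
 * sessions seen so far; what it is keyed by and where it is created and
 * filled are outside this excerpt.
 */
static wmem_map_t *smb2_sessions;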
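/*
 * Fixed display labels, one per header variant plus one for a header that is
 * not recognised. Where they are attached to the protocol tree is outside
 * this excerpt.
 */
static const char smb_header_label[] = "SMB2 Header";
static const char smb_transform_header_label[] = "SMB2 Transform Header";
static const char smb_comp_transform_header_label[] = "SMB2 Compression Transform Header";
static const char smb_bad_header_label[] = "Bad SMB2 Header";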
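/*
 * Protocol handle (proto_smb2) and header-field handles (hf_*).
 *
 * Each is a file-scope static int with no initialiser, so it starts at zero.
 * In a Wireshark dissector these handles are normally given their real values
 * when the protocol and its fields are registered; that registration code is
 * outside this excerpt. The declarations are kept in their original order;
 * the short labels below only point out runs that share a name prefix.
 */
static int proto_smb2;
static int hf_smb2_cmd;
static int hf_smb2_nt_status;
static int hf_smb2_response_to;
static int hf_smb2_response_in;
static int hf_smb2_time;
static int hf_smb2_preauth_hash;
static int hf_smb2_header_len;
static int hf_smb2_msg_id;
static int hf_smb2_header_reserved;
static int hf_smb2_tid;
static int hf_smb2_aid;
static int hf_smb2_sesid;
static int hf_smb2_previous_sesid;
/* hf_smb2_flags_*: one handle per flag bit */
static int hf_smb2_flags_response;
static int hf_smb2_flags_async_cmd;
static int hf_smb2_flags_dfs_op;
static int hf_smb2_flags_chained;
static int hf_smb2_flags_signature;
static int hf_smb2_flags_replay_operation;
static int hf_smb2_flags_priority_mask;
static int hf_smb2_chain_offset;
static int hf_smb2_security_blob;
static int hf_smb2_ioctl_in_data;
static int hf_smb2_ioctl_out_data;
static int hf_smb2_unknown;
static int hf_smb2_root_directory_mbz;
static int hf_smb2_twrp_timestamp;
static int hf_smb2_mxac_timestamp;
static int hf_smb2_mxac_status;
static int hf_smb2_qfid_fid;
static int hf_smb2_create_timestamp;
static int hf_smb2_oplock;
static int hf_smb2_close_flags;
static int hf_smb2_notify_flags;
static int hf_smb2_last_access_timestamp;
static int hf_smb2_last_write_timestamp;
static int hf_smb2_last_change_timestamp;
static int hf_smb2_current_time;
static int hf_smb2_boot_time;
static int hf_smb2_filename;
static int hf_smb2_filename_len;
static int hf_smb2_replace_if;
static int hf_smb2_nlinks;
static int hf_smb2_delete_pending;
static int hf_smb2_is_directory;
static int hf_smb2_file_id;
static int hf_smb2_allocation_size;
static int hf_smb2_end_of_file;
static int hf_smb2_tree;
static int hf_smb2_find_pattern;
static int hf_smb2_find_info_level;
static int hf_smb2_find_info_blob;
static int hf_smb2_client_guid;
static int hf_smb2_server_guid;
static int hf_smb2_object_id;
static int hf_smb2_birth_volume_id;
static int hf_smb2_birth_object_id;
static int hf_smb2_domain_id;
static int hf_smb2_class;
static int hf_smb2_infolevel;
static int hf_smb2_infolevel_file_info;
static int hf_smb2_infolevel_fs_info;
static int hf_smb2_infolevel_sec_info;
static int hf_smb2_max_response_size;
static int hf_smb2_max_ioctl_in_size;
static int hf_smb2_max_ioctl_out_size;
static int hf_smb2_flags;
static int hf_smb2_required_buffer_size;
static int hf_smb2_getinfo_input_size;
static int hf_smb2_getinfo_input_offset;
/* hf_smb2_getsetinfo_additional_*: same eight names as the
 * *_SECURITY_INFORMATION constants defined earlier in this file */
static int hf_smb2_getsetinfo_additional;
static int hf_smb2_getsetinfo_additionals;
static int hf_smb2_getsetinfo_additional_owner;
static int hf_smb2_getsetinfo_additional_group;
static int hf_smb2_getsetinfo_additional_dacl;
static int hf_smb2_getsetinfo_additional_sacl;
static int hf_smb2_getsetinfo_additional_label;
static int hf_smb2_getsetinfo_additional_attribute;
static int hf_smb2_getsetinfo_additional_scope;
static int hf_smb2_getsetinfo_additional_backup;
static int hf_smb2_getinfo_flags;
static int hf_smb2_setinfo_size;
static int hf_smb2_setinfo_offset;
static int hf_smb2_setinfo_reserved;
/* hf_smb2_file_*_info */
static int hf_smb2_file_basic_info;
static int hf_smb2_file_standard_info;
static int hf_smb2_file_internal_info;
static int hf_smb2_file_ea_info;
static int hf_smb2_file_access_info;
static int hf_smb2_file_rename_info;
static int hf_smb2_file_link_info;
static int hf_smb2_file_disposition_info;
static int hf_smb2_file_position_info;
static int hf_smb2_file_full_ea_info;
static int hf_smb2_file_mode_info;
static int hf_smb2_file_alignment_info;
static int hf_smb2_file_all_info;
static int hf_smb2_file_allocation_info;
static int hf_smb2_file_endoffile_info;
static int hf_smb2_file_alternate_name_info;
static int hf_smb2_file_stream_info;
static int hf_smb2_file_pipe_info;
static int hf_smb2_file_compression_info;
static int hf_smb2_file_network_open_info;
static int hf_smb2_file_attribute_tag_info;
static int hf_smb2_file_normalized_name_info;
/* hf_smb2_fs_* */
static int hf_smb2_fs_info_01;
static int hf_smb2_fs_info_03;
static int hf_smb2_fs_info_04;
static int hf_smb2_fs_info_05;
static int hf_smb2_fs_info_06;
static int hf_smb2_fs_info_07;
static int hf_smb2_fs_objectid_info;
static int hf_smb2_fs_posix_info;
static int hf_smb2_fs_posix_optimal_transfer_size;
static int hf_smb2_fs_posix_block_size;
static int hf_smb2_fs_posix_total_blocks;
static int hf_smb2_fs_posix_blocks_available;
static int hf_smb2_fs_posix_user_blocks_available;
static int hf_smb2_fs_posix_total_file_nodes;
static int hf_smb2_fs_posix_free_file_nodes;
static int hf_smb2_fs_posix_fs_identifier;
static int hf_smb2_sec_info_00;
static int hf_smb2_quota_info;
static int hf_smb2_query_quota_info;
static int hf_smb2_qq_single;
static int hf_smb2_qq_restart;
static int hf_smb2_qq_sidlist_len;
static int hf_smb2_qq_start_sid_len;
static int hf_smb2_qq_start_sid_offset;
static int hf_smb2_fid;
/* hf_smb2_write_* and hf_smb2_read_* */
static int hf_smb2_write_length;
static int hf_smb2_write_data;
static int hf_smb2_write_flags;
static int hf_smb2_write_flags_write_through;
static int hf_smb2_write_flags_write_unbuffered;
static int hf_smb2_write_count;
static int hf_smb2_write_remaining;
static int hf_smb2_read_blob;
static int hf_smb2_read_length;
static int hf_smb2_read_remaining;
static int hf_smb2_read_padding;
static int hf_smb2_read_flags;
static int hf_smb2_read_flags_unbuffered;
static int hf_smb2_read_flags_compressed;
static int hf_smb2_file_offset;
static int hf_smb2_qfr_length;
static int hf_smb2_qfr_usage;
static int hf_smb2_qfr_flags;
static int hf_smb2_qfr_total_region_entry_count;
static int hf_smb2_qfr_region_entry_count;
static int hf_smb2_read_data;
static int hf_smb2_disposition_delete_on_close;
static int hf_smb2_create_disposition;
static int hf_smb2_create_chain_offset;
static int hf_smb2_create_chain_data;
static int hf_smb2_data_offset;
static int hf_smb2_extrainfo;
static int hf_smb2_create_action;
static int hf_smb2_create_rep_flags;
static int hf_smb2_create_rep_flags_reparse_point;
static int hf_smb2_next_offset;
/* hf_smb2_negotiate_context_* and the hash / cipher / signing / compression /
 * RDMA-transform handles that follow them */
static int hf_smb2_negotiate_context_type;
static int hf_smb2_negotiate_context_data_length;
static int hf_smb2_negotiate_context_offset;
static int hf_smb2_negotiate_context_reserved;
static int hf_smb2_negotiate_context_reserved2;
static int hf_smb2_negotiate_context_count;
static int hf_smb2_hash_alg_count;
static int hf_smb2_hash_algorithm;
static int hf_smb2_salt_length;
static int hf_smb2_salt;
static int hf_smb2_cipher_count;
static int hf_smb2_cipher_id;
static int hf_smb2_signing_alg_count;
static int hf_smb2_signing_alg_id;
static int hf_smb2_comp_alg_count;
static int hf_smb2_comp_alg_id;
static int hf_smb2_comp_alg_flags;
static int hf_smb2_comp_alg_flags_chained;
static int hf_smb2_comp_alg_flags_reserved;
static int hf_smb2_netname_neg_id;
static int hf_smb2_transport_ctx_flags;
static int hf_smb2_rdma_transform_count;
static int hf_smb2_rdma_transform_reserved1;
static int hf_smb2_rdma_transform_reserved2;
static int hf_smb2_rdma_transform_id;
static int hf_smb2_posix_reserved;
static int hf_smb2_dev;
static int hf_smb2_inode;
/* hf_smb2_ea_* */
static int hf_smb2_ea_size;
static int hf_smb2_ea_flags;
static int hf_smb2_ea_name_len;
static int hf_smb2_ea_data_len;
static int hf_smb2_ea_name;
static int hf_smb2_ea_data;
static int hf_smb2_position_information;
/* hf_smb2_mode_* */
static int hf_smb2_mode_information;
static int hf_smb2_mode_file_write_through;
static int hf_smb2_mode_file_sequential_only;
static int hf_smb2_mode_file_no_intermediate_buffering;
static int hf_smb2_mode_file_synchronous_io_alert;
static int hf_smb2_mode_file_synchronous_io_nonalert;
static int hf_smb2_mode_file_delete_on_close;
static int hf_smb2_alignment_information;
static int hf_smb2_buffer_code;
static int hf_smb2_buffer_code_len;
static int hf_smb2_buffer_code_flags_dyn;
static int hf_smb2_olb_offset;
static int hf_smb2_olb_length;
static int hf_smb2_tag;
static int hf_smb2_impersonation_level;
/* hf_smb2_ioctl_function* and hf_smb2_fsctl_pipe_wait_* */
static int hf_smb2_ioctl_function;
static int hf_smb2_ioctl_function_device;
static int hf_smb2_ioctl_function_access;
static int hf_smb2_ioctl_function_function;
static int hf_smb2_fsctl_pipe_wait_timeout;
static int hf_smb2_fsctl_pipe_wait_name;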
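/*
 * Header-field handles (hf_*) for FSCTL/IOCTL payloads, Windows sockaddr
 * structures and leases, in their original order.
 *
 * Each is a file-scope static int with no initialiser, so it starts at zero;
 * in a Wireshark dissector such handles are normally assigned when the fields
 * are registered, which happens outside this excerpt. The labels below only
 * point out runs that share a name prefix.
 */
/* hf_smb2_fsctl_odx_* */
static int hf_smb2_fsctl_odx_token_type;
static int hf_smb2_fsctl_odx_token_idlen;
static int hf_smb2_fsctl_odx_token_idraw;
static int hf_smb2_fsctl_odx_token_ttl;
static int hf_smb2_fsctl_odx_size;
static int hf_smb2_fsctl_odx_flags;
static int hf_smb2_fsctl_odx_file_offset;
static int hf_smb2_fsctl_odx_copy_length;
static int hf_smb2_fsctl_odx_xfer_length;
static int hf_smb2_fsctl_odx_token_offset;

/* hf_smb2_fsctl_infoex_* */
static int hf_smb2_fsctl_infoex_enable_integrity;
static int hf_smb2_fsctl_infoex_keep_integrity_state;
static int hf_smb2_fsctl_infoex_reserved;
static int hf_smb2_fsctl_infoex_reserved2;
static int hf_smb2_fsctl_infoex_flags;
static int hf_smb2_fsctl_infoex_version;

static int hf_smb2_fsctl_sparse_flag;
static int hf_smb2_fsctl_range_offset;
static int hf_smb2_fsctl_range_length;
static int hf_smb2_ioctl_function_method;
static int hf_smb2_ioctl_resiliency_timeout;
static int hf_smb2_ioctl_resiliency_reserved;
static int hf_smb2_ioctl_shared_virtual_disk_support;
static int hf_smb2_ioctl_shared_virtual_disk_handle_state;
/* hf_smb2_ioctl_sqos_* */
static int hf_smb2_ioctl_sqos_protocol_version;
static int hf_smb2_ioctl_sqos_reserved;
static int hf_smb2_ioctl_sqos_options;
static int hf_smb2_ioctl_sqos_op_set_logical_flow_id;
static int hf_smb2_ioctl_sqos_op_set_policy;
static int hf_smb2_ioctl_sqos_op_probe_policy;
static int hf_smb2_ioctl_sqos_op_get_status;
static int hf_smb2_ioctl_sqos_op_update_counters;
static int hf_smb2_ioctl_sqos_logical_flow_id;
static int hf_smb2_ioctl_sqos_policy_id;
static int hf_smb2_ioctl_sqos_initiator_id;
static int hf_smb2_ioctl_sqos_limit;
static int hf_smb2_ioctl_sqos_reservation;
static int hf_smb2_ioctl_sqos_initiator_name;
static int hf_smb2_ioctl_sqos_initiator_node_name;
static int hf_smb2_ioctl_sqos_io_count_increment;
static int hf_smb2_ioctl_sqos_normalized_io_count_increment;
static int hf_smb2_ioctl_sqos_latency_increment;
static int hf_smb2_ioctl_sqos_lower_latency_increment;
static int hf_smb2_ioctl_sqos_bandwidth_limit;
static int hf_smb2_ioctl_sqos_kilobyte_count_increment;
static int hf_smb2_ioctl_sqos_time_to_live;
static int hf_smb2_ioctl_sqos_status;
static int hf_smb2_ioctl_sqos_maximum_io_rate;
static int hf_smb2_ioctl_sqos_minimum_io_rate;
static int hf_smb2_ioctl_sqos_base_io_size;
static int hf_smb2_ioctl_sqos_reserved2;
static int hf_smb2_ioctl_sqos_maximum_bandwidth;
/* hf_windows_sockaddr_* (note the different prefix) */
static int hf_windows_sockaddr_family;
static int hf_windows_sockaddr_port;
static int hf_windows_sockaddr_in_addr;
static int hf_windows_sockaddr_in6_flowinfo;
static int hf_windows_sockaddr_in6_addr;
static int hf_windows_sockaddr_in6_scope_id;
/* hf_smb2_ioctl_network_interface_* */
static int hf_smb2_ioctl_network_interface_next_offset;
static int hf_smb2_ioctl_network_interface_index;
static int hf_smb2_ioctl_network_interface_reserved;
static int hf_smb2_ioctl_network_interface_capabilities;
static int hf_smb2_ioctl_network_interface_capability_rss;
static int hf_smb2_ioctl_network_interface_capability_rdma;
static int hf_smb2_ioctl_network_interface_link_speed;
/* hf_smb2_ioctl_enumerate_snapshots_* */
static int hf_smb2_ioctl_enumerate_snapshots_num_snapshots;
static int hf_smb2_ioctl_enumerate_snapshots_num_snapshots_returned;
static int hf_smb2_ioctl_enumerate_snapshots_snapshot_array_size;
static int hf_smb2_ioctl_enumerate_snapshots_snapshot;
/* hf_smb2_ioctl_get_ntfs_volume_data_* */
static int hf_smb2_ioctl_get_ntfs_volume_data_volume_serial;
static int hf_smb2_ioctl_get_ntfs_volume_data_num_sectors;
static int hf_smb2_ioctl_get_ntfs_volume_data_total_clusters;
static int hf_smb2_ioctl_get_ntfs_volume_data_free_clusters;
static int hf_smb2_ioctl_get_ntfs_volume_data_total_reserved;
static int hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_sector;
static int hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_cluster;
static int hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_file_record_segment;
static int hf_smb2_ioctl_get_ntfs_volume_data_clusters_per_file_record_segment;
static int hf_smb2_ioctl_get_ntfs_volume_data_mft_valid_data_length;
static int hf_smb2_ioctl_get_ntfs_volume_data_mft_start_lcn;
static int hf_smb2_ioctl_get_ntfs_volume_data_mft2_start_lcn;
static int hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_start;
static int hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_end;
static int hf_smb2_compression_format;
static int hf_smb2_checksum_algorithm;
static int hf_smb2_integrity_reserved;
static int hf_smb2_integrity_flags;
static int hf_smb2_integrity_flags_enforcement_off;
static int hf_smb2_FILE_OBJECTID_BUFFER;
/* hf_smb2_lease_* */
static int hf_smb2_lease_key;
static int hf_smb2_lease_state;
static int hf_smb2_lease_state_read_caching;
static int hf_smb2_lease_state_handle_caching;
static int hf_smb2_lease_state_write_caching;
static int hf_smb2_lease_flags;
static int hf_smb2_lease_flags_break_ack_required;
static int hf_smb2_lease_flags_parent_lease_key_set;
static int hf_smb2_lease_flags_break_in_progress;
static int hf_smb2_lease_duration;
static int hf_smb2_parent_lease_key;
static int hf_smb2_lease_epoch;
static int hf_smb2_lease_reserved;
static int hf_smb2_lease_break_reason;
static int hf_smb2_lease_access_mask_hint;
static int hf_smb2_lease_share_mask_hint;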
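/*
 * Header-field handles (hf_*) for session, negotiate, share, lock, directory
 * listing and create-context data, in their original order.
 *
 * Each is a file-scope static int with no initialiser, so it starts at zero;
 * in a Wireshark dissector such handles are normally assigned when the fields
 * are registered, which happens outside this excerpt. The labels below only
 * point out runs that share a name prefix.
 */
static int hf_smb2_acct_name;
static int hf_smb2_domain_name;
static int hf_smb2_host_name;
static int hf_smb2_auth_frame;
static int hf_smb2_tcon_frame;
static int hf_smb2_tdcon_frame;
static int hf_smb2_share_type;
static int hf_smb2_signature;
static int hf_smb2_credit_charge;
static int hf_smb2_credits_requested;
static int hf_smb2_credits_granted;
static int hf_smb2_channel_sequence;
static int hf_smb2_dialect_count;
/* security mode and session-request flags */
static int hf_smb2_security_mode;
static int hf_smb2_secmode_flags_sign_required;
static int hf_smb2_secmode_flags_sign_enabled;
static int hf_smb2_ses_req_flags;
static int hf_smb2_ses_req_flags_session_binding;
/* hf_smb2_cap_* */
static int hf_smb2_capabilities;
static int hf_smb2_cap_dfs;
static int hf_smb2_cap_leasing;
static int hf_smb2_cap_large_mtu;
static int hf_smb2_cap_multi_channel;
static int hf_smb2_cap_persistent_handles;
static int hf_smb2_cap_directory_leasing;
static int hf_smb2_cap_encryption;
static int hf_smb2_cap_notifications;
static int hf_smb2_dialect;
static int hf_smb2_max_trans_size;
static int hf_smb2_max_read_size;
static int hf_smb2_max_write_size;
static int hf_smb2_channel;
static int hf_smb2_rdma_v1_offset;
static int hf_smb2_rdma_v1_token;
static int hf_smb2_rdma_v1_length;
/* hf_smb2_ses_flags_* */
static int hf_smb2_session_flags;
static int hf_smb2_ses_flags_guest;
static int hf_smb2_ses_flags_null;
static int hf_smb2_ses_flags_encrypt;
/* hf_smb2_share_flags_* */
static int hf_smb2_share_flags;
static int hf_smb2_share_flags_dfs;
static int hf_smb2_share_flags_dfs_root;
static int hf_smb2_share_flags_restrict_exclusive_opens;
static int hf_smb2_share_flags_force_shared_delete;
static int hf_smb2_share_flags_allow_namespace_caching;
static int hf_smb2_share_flags_access_based_dir_enum;
static int hf_smb2_share_flags_force_levelii_oplock;
static int hf_smb2_share_flags_enable_hash_v1;
static int hf_smb2_share_flags_enable_hash_v2;
static int hf_smb2_share_flags_encrypt_data;
static int hf_smb2_share_flags_identity_remoting;
static int hf_smb2_share_flags_compress_data;
static int hf_smb2_share_flags_isolated_transport;
static int hf_smb2_share_caching;
/* hf_smb2_share_caps_* */
static int hf_smb2_share_caps;
static int hf_smb2_share_caps_dfs;
static int hf_smb2_share_caps_continuous_availability;
static int hf_smb2_share_caps_scaleout;
static int hf_smb2_share_caps_cluster;
static int hf_smb2_share_caps_asymmetric;
static int hf_smb2_share_caps_redirect_to_owner;
static int hf_smb2_create_flags;
static int hf_smb2_lock_count;
static int hf_smb2_lock_sequence_number;
static int hf_smb2_lock_sequence_index;
static int hf_smb2_min_count;
static int hf_smb2_remaining_bytes;
static int hf_smb2_channel_info_offset;
static int hf_smb2_channel_info_length;
static int hf_smb2_channel_info_blob;
static int hf_smb2_ioctl_flags;
static int hf_smb2_ioctl_is_fsctl;
static int hf_smb2_close_pq_attrib;
/* hf_smb2_notify_* */
static int hf_smb2_notify_watch_tree;
static int hf_smb2_output_buffer_len;
static int hf_smb2_notify_out_data;
static int hf_smb2_notify_info;
static int hf_smb2_notify_next_offset;
static int hf_smb2_notify_action;
/* hf_smb2_find_flags_* and directory-listing info */
static int hf_smb2_find_flags;
static int hf_smb2_find_flags_restart_scans;
static int hf_smb2_find_flags_single_entry;
static int hf_smb2_find_flags_index_specified;
static int hf_smb2_find_flags_reopen;
static int hf_smb2_file_index;
static int hf_smb2_file_directory_info;
static int hf_smb2_both_directory_info;
static int hf_smb2_posix_info;
static int hf_smb2_short_name_len;
static int hf_smb2_short_name;
static int hf_smb2_id_both_directory_info;
static int hf_smb2_full_directory_info;
/* hf_smb2_lock_* */
static int hf_smb2_lock_info;
static int hf_smb2_lock_length;
static int hf_smb2_lock_flags;
static int hf_smb2_lock_flags_shared;
static int hf_smb2_lock_flags_exclusive;
static int hf_smb2_lock_flags_unlock;
static int hf_smb2_lock_flags_fail_immediately;
/* hf_smb2_dhnq_* / hf_smb2_dh2x_* */
static int hf_smb2_dhnq_buffer_reserved;
static int hf_smb2_dh2x_buffer_timeout;
static int hf_smb2_dh2x_buffer_flags;
static int hf_smb2_dh2x_buffer_flags_persistent_handle;
static int hf_smb2_dh2x_buffer_reserved;
static int hf_smb2_dh2x_buffer_create_guid;
/* hf_smb2_APP_INSTANCE_buffer_* */
static int hf_smb2_APP_INSTANCE_buffer_struct_size;
static int hf_smb2_APP_INSTANCE_buffer_reserved;
static int hf_smb2_APP_INSTANCE_buffer_app_guid;
/* hf_smb2_svhdx_open_device_context_* */
static int hf_smb2_svhdx_open_device_context_version;
static int hf_smb2_svhdx_open_device_context_has_initiator_id;
static int hf_smb2_svhdx_open_device_context_reserved;
static int hf_smb2_svhdx_open_device_context_initiator_id;
static int hf_smb2_svhdx_open_device_context_flags;
static int hf_smb2_svhdx_open_device_context_originator_flags;
static int hf_smb2_svhdx_open_device_context_open_request_id;
static int hf_smb2_svhdx_open_device_context_initiator_host_name_len;
static int hf_smb2_svhdx_open_device_context_initiator_host_name;
static int hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized;
static int hf_smb2_svhdx_open_device_context_server_service_version;
static int hf_smb2_svhdx_open_device_context_virtual_sector_size;
static int hf_smb2_svhdx_open_device_context_physical_sector_size;
static int hf_smb2_svhdx_open_device_context_virtual_size;
/* hf_smb2_app_instance_version_* */
static int hf_smb2_app_instance_version_struct_size;
static int hf_smb2_app_instance_version_reserved;
static int hf_smb2_app_instance_version_padding;
static int hf_smb2_app_instance_version_high;
static int hf_smb2_app_instance_version_low;
static int hf_smb2_posix_perms;
/* hf_smb2_aapl_* */
static int hf_smb2_aapl_command_code;
static int hf_smb2_aapl_reserved;
static int hf_smb2_aapl_server_query_bitmask;
static int hf_smb2_aapl_server_query_bitmask_server_caps;
static int hf_smb2_aapl_server_query_bitmask_volume_caps;
static int hf_smb2_aapl_server_query_bitmask_model_info;
static int hf_smb2_aapl_server_query_caps;
static int hf_smb2_aapl_server_query_caps_supports_read_dir_attr;
static int hf_smb2_aapl_server_query_caps_supports_osx_copyfile;
static int hf_smb2_aapl_server_query_caps_unix_based;
static int hf_smb2_aapl_server_query_caps_supports_nfs_ace;
static int hf_smb2_aapl_server_query_volume_caps;
static int hf_smb2_aapl_server_query_volume_caps_support_resolve_id;
static int hf_smb2_aapl_server_query_volume_caps_case_sensitive;
static int hf_smb2_aapl_server_query_volume_caps_supports_full_sync;
static int hf_smb2_aapl_server_query_model_string;
static int hf_smb2_aapl_server_query_server_path;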
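/*
 * Header-field handles (hf_*) for error responses, the transform and
 * compression-transform headers, named-pipe reassembly, copy-chunk, reparse
 * and symlink data, signature results and file attributes, in their original
 * order.
 *
 * Each is a file-scope static int with no initialiser, so it starts at zero;
 * in a Wireshark dissector such handles are normally assigned when the fields
 * are registered, which happens outside this excerpt. The labels below only
 * point out runs that share a name prefix.
 *
 * NOTE(review): the transform_*, comp_transform_* and *_signature names
 * suggest that this file handles encrypted, compressed and signed messages;
 * the code that decrypts, decompresses or verifies is not visible here.
 */
/* hf_smb2_error_* */
static int hf_smb2_error_context_count;
static int hf_smb2_error_reserved;
static int hf_smb2_error_byte_count;
static int hf_smb2_error_data;
static int hf_smb2_error_context;
static int hf_smb2_error_context_length;
static int hf_smb2_error_context_id;
static int hf_smb2_error_min_buf_length;
static int hf_smb2_error_redir_context;
static int hf_smb2_error_redir_struct_size;
static int hf_smb2_error_redir_notif_type;
static int hf_smb2_error_redir_flags;
static int hf_smb2_error_redir_target_type;
static int hf_smb2_error_redir_ip_count;
static int hf_smb2_error_redir_ip_list;
static int hf_smb2_error_redir_res_name;
static int hf_smb2_reserved;
static int hf_smb2_reserved_random;
/* hf_smb2_transform_* */
static int hf_smb2_transform_signature;
static int hf_smb2_transform_nonce;
static int hf_smb2_transform_msg_size;
static int hf_smb2_transform_reserved;
static int hf_smb2_transform_flags;
static int hf_smb2_transform_flags_encrypted;
static int hf_smb2_transform_encrypted_data;
static int hf_smb2_protocol_id;
/* hf_smb2_comp_transform_* and hf_smb2_comp_pattern_v1_* */
static int hf_smb2_comp_transform_orig_size;
static int hf_smb2_comp_transform_comp_alg;
static int hf_smb2_comp_transform_flags;
static int hf_smb2_comp_transform_offset;
static int hf_smb2_comp_transform_length;
static int hf_smb2_comp_transform_data;
static int hf_smb2_comp_transform_orig_payload_size;
static int hf_smb2_comp_pattern_v1_pattern;
static int hf_smb2_comp_pattern_v1_reserved1;
static int hf_smb2_comp_pattern_v1_reserved2;
static int hf_smb2_comp_pattern_v1_repetitions;
static int hf_smb2_truncated;
/* hf_smb2_pipe_* */
static int hf_smb2_pipe_fragments;
static int hf_smb2_pipe_fragment;
static int hf_smb2_pipe_fragment_overlap;
static int hf_smb2_pipe_fragment_overlap_conflict;
static int hf_smb2_pipe_fragment_multiple_tails;
static int hf_smb2_pipe_fragment_too_long_fragment;
static int hf_smb2_pipe_fragment_error;
static int hf_smb2_pipe_fragment_count;
static int hf_smb2_pipe_reassembled_in;
static int hf_smb2_pipe_reassembled_length;
static int hf_smb2_pipe_reassembled_data;
/* hf_smb2_cchunk_* */
static int hf_smb2_cchunk_resume_key;
static int hf_smb2_cchunk_count;
static int hf_smb2_cchunk_src_offset;
static int hf_smb2_cchunk_dst_offset;
static int hf_smb2_cchunk_xfer_len;
static int hf_smb2_cchunk_chunks_written;
static int hf_smb2_cchunk_bytes_written;
static int hf_smb2_cchunk_total_written;
/* hf_smb2_reparse_* and hf_smb2_nfs_* */
static int hf_smb2_reparse_data_buffer;
static int hf_smb2_reparse_tag;
static int hf_smb2_reparse_guid;
static int hf_smb2_reparse_data_length;
static int hf_smb2_nfs_type;
static int hf_smb2_nfs_symlink_target;
static int hf_smb2_nfs_chr_major;
static int hf_smb2_nfs_chr_minor;
static int hf_smb2_nfs_blk_major;
static int hf_smb2_nfs_blk_minor;
/* hf_smb2_symlink_* */
static int hf_smb2_symlink_error_response;
static int hf_smb2_symlink_length;
static int hf_smb2_symlink_error_tag;
static int hf_smb2_unparsed_path_length;
static int hf_smb2_symlink_substitute_name;
static int hf_smb2_symlink_print_name;
static int hf_smb2_symlink_flags;
/* signature check results */
static int hf_smb2_bad_signature;
static int hf_smb2_good_signature;
/* hf_smb2_fscc_file_attr_* */
static int hf_smb2_fscc_file_attr;
static int hf_smb2_fscc_file_attr_archive;
static int hf_smb2_fscc_file_attr_compressed;
static int hf_smb2_fscc_file_attr_directory;
static int hf_smb2_fscc_file_attr_encrypted;
static int hf_smb2_fscc_file_attr_hidden;
static int hf_smb2_fscc_file_attr_normal;
static int hf_smb2_fscc_file_attr_not_content_indexed;
static int hf_smb2_fscc_file_attr_offline;
static int hf_smb2_fscc_file_attr_read_only;
static int hf_smb2_fscc_file_attr_reparse_point;
static int hf_smb2_fscc_file_attr_sparse_file;
static int hf_smb2_fscc_file_attr_system;
static int hf_smb2_fscc_file_attr_temporary;
static int hf_smb2_fscc_file_attr_integrity_stream;
static int hf_smb2_fscc_file_attr_no_scrub_data;
/* tree-connect flags */
static int hf_smb2_tree_connect_flags;
static int hf_smb2_tc_cluster_reconnect;
static int hf_smb2_tc_redirect_to_owner;
static int hf_smb2_tc_extension_present;
static int hf_smb2_tc_reserved;
static int hf_smb2_notification_type;
/* hf_smb2_query_info_flag* */
static int hf_smb2_query_info_flags;
static int hf_smb2_query_info_flag_restart_scan;
static int hf_smb2_query_info_flag_return_single_entry;
static int hf_smb2_query_info_flag_index_specified;
/* hf_smb2_fscc_refs_snapshot_* */
static int hf_smb2_fscc_refs_snapshot_mgmt_operation;
static int hf_smb2_fscc_refs_snapshot_mgmt_namelen;
static int hf_smb2_fscc_refs_snapshot_mgmt_input_buffer_len;
static int hf_smb2_fscc_refs_snapshot_mgmt_reserved;
static int hf_smb2_fscc_refs_snapshot_mgmt_name;
static int hf_smb2_fscc_refs_snapshot_query_delta_buffer_startvcn;
static int hf_smb2_fscc_refs_snapshot_query_delta_buffer_flags;
static int hf_smb2_fscc_refs_snapshot_query_delta_buffer_reserved;
static int hf_smb2_flush_reserved2;
static int hf_smb2_file_id_hash;
static int hf_smb2_num_matched;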
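/*
 * Subtree handles (ett_*), in their original order.
 *
 * Each is a file-scope static int with no initialiser, so it starts at zero.
 * In Wireshark an ett_ variable identifies one expandable subtree type of the
 * protocol tree and is normally assigned when the subtree array is
 * registered; that registration is outside this excerpt.
 */
static int ett_smb2_olb;
static int ett_smb2_ea;
static int ett_smb2_header;
static int ett_smb2_encrypted;
static int ett_smb2_compressed;
static int ett_smb2_decompressed;
static int ett_smb2_command;
static int ett_smb2_secblob;
static int ett_smb2_negotiate_context_element;
/* ett_smb2_file_*_info */
static int ett_smb2_file_basic_info;
static int ett_smb2_file_standard_info;
static int ett_smb2_file_internal_info;
static int ett_smb2_file_ea_info;
static int ett_smb2_file_access_info;
static int ett_smb2_file_position_info;
static int ett_smb2_file_mode_info;
static int ett_smb2_file_alignment_info;
static int ett_smb2_file_all_info;
static int ett_smb2_file_allocation_info;
static int ett_smb2_file_endoffile_info;
static int ett_smb2_file_alternate_name_info;
static int ett_smb2_file_stream_info;
static int ett_smb2_file_pipe_info;
static int ett_smb2_file_compression_info;
static int ett_smb2_file_network_open_info;
static int ett_smb2_file_attribute_tag_info;
static int ett_smb2_file_rename_info;
static int ett_smb2_file_link_info;
static int ett_smb2_file_disposition_info;
static int ett_smb2_file_full_ea_info;
static int ett_smb2_file_normalized_name_info;
/* ett_smb2_fs_* */
static int ett_smb2_fs_info_01;
static int ett_smb2_fs_info_03;
static int ett_smb2_fs_info_04;
static int ett_smb2_fs_info_05;
static int ett_smb2_fs_info_06;
static int ett_smb2_fs_info_07;
static int ett_smb2_fs_objectid_info;
static int ett_smb2_fs_posix_info;
static int ett_smb2_sec_info_00;
static int ett_smb2_additional_information_sec_mask;
static int ett_smb2_quota_info;
static int ett_smb2_query_quota_info;
static int ett_smb2_tid_tree;
static int ett_smb2_sesid_tree;
static int ett_smb2_create_chain_element;
static int ett_smb2_MxAc_buffer;
static int ett_smb2_QFid_buffer;
static int ett_smb2_RqLs_buffer;
static int ett_smb2_ioctl_function;
static int ett_smb2_FILE_OBJECTID_BUFFER;
/* flag and capability subtrees */
static int ett_smb2_flags;
static int ett_smb2_sec_mode;
static int ett_smb2_capabilities;
static int ett_smb2_ses_req_flags;
static int ett_smb2_ses_flags;
static int ett_smb2_lease_state;
static int ett_smb2_lease_flags;
static int ett_smb2_share_flags;
static int ett_smb2_create_rep_flags;
static int ett_smb2_share_caps;
static int ett_smb2_comp_alg_flags;
static int ett_smb2_ioctl_flags;
static int ett_smb2_ioctl_network_interface;
/* Spelling ("opeations") is kept exactly as in the source: renaming it would
 * require changing every use, and those are outside this excerpt. */
static int ett_smb2_ioctl_sqos_opeations;
static int ett_smb2_fsctl_range_data;
static int ett_windows_sockaddr;
static int ett_smb2_close_flags;
static int ett_smb2_notify_info;
static int ett_smb2_notify_flags;
static int ett_smb2_write_flags;
static int ett_smb2_rdma_v1;
/* create-context buffers */
static int ett_smb2_DH2Q_buffer;
static int ett_smb2_DH2C_buffer;
static int ett_smb2_dh2x_flags;
static int ett_smb2_APP_INSTANCE_buffer;
static int ett_smb2_svhdx_open_device_context;
static int ett_smb2_app_instance_version_buffer;
static int ett_smb2_app_instance_version_buffer_version;
static int ett_smb2_aapl_create_context_request;
static int ett_smb2_aapl_server_query_bitmask;
static int ett_smb2_aapl_server_query_caps;
static int ett_smb2_aapl_create_context_response;
static int ett_smb2_aapl_server_query_volume_caps;
static int ett_smb2_integrity_flags;
/* find / directory-listing subtrees */
static int ett_smb2_find_flags;
static int ett_smb2_file_directory_info;
static int ett_smb2_both_directory_info;
static int ett_smb2_id_both_directory_info;
static int ett_smb2_full_directory_info;
static int ett_smb2_posix_info;
static int ett_smb2_file_name_info;
static int ett_smb2_lock_info;
static int ett_smb2_lock_flags;
static int ett_smb2_buffercode;
static int ett_smb2_ioctl_network_interface_capabilities;
static int ett_smb2_tree_connect_flags;
static int ett_qfr_entry;
static int ett_smb2_pipe_fragment;
static int ett_smb2_pipe_fragments;
static int ett_smb2_cchunk_entry;
static int ett_smb2_fsctl_odx_token;
static int ett_smb2_symlink_error_response;
static int ett_smb2_reparse_data_buffer;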
809 static int ett_smb2_error_data
;
810 static int ett_smb2_error_context
;
811 static int ett_smb2_error_redir_context
;
812 static int ett_smb2_error_redir_ip_list
;
813 static int ett_smb2_read_flags
;
814 static int ett_smb2_signature
;
815 static int ett_smb2_transform_flags
;
816 static int ett_smb2_fscc_file_attributes
;
817 static int ett_smb2_comp_payload
;
818 static int ett_smb2_comp_pattern_v1
;
819 static int ett_smb2_query_info_flags
;
820 static int ett_smb2_server_notification
;
821 static int ett_smb2_fscc_refs_snapshot_query_delta_buffer
;
/* Expert-info fields the dissector can attach to suspicious or malformed messages. */
static expert_field ei_smb2_invalid_length;
static expert_field ei_smb2_bad_response;
static expert_field ei_smb2_bad_negprot_negotiate_context_count;
static expert_field ei_smb2_bad_negprot_negotiate_context_offset;
static expert_field ei_smb2_bad_negprot_reserved;
static expert_field ei_smb2_bad_negprot_reserved2;
static expert_field ei_smb2_invalid_getinfo_offset;
static expert_field ei_smb2_invalid_getinfo_size;
static expert_field ei_smb2_empty_getinfo_buffer;
static expert_field ei_smb2_invalid_signature;
static expert_field ei_smb2_ntlmssp_sessionkey;

/* Tap id for the export-object ("eo") tap. */
static int smb2_eo_tap;

/* Handles of dissectors this file hands payloads to. */
static dissector_handle_t gssapi_handle;
static dissector_handle_t ntlmssp_handle;
static dissector_handle_t rsvd_handle;

/* Heuristic sub-dissectors tried on named-pipe payloads. */
static heur_dissector_list_t smb2_pipe_subdissector_list;
844 static const fragment_items smb2_pipe_frag_items
= {
845 &ett_smb2_pipe_fragment
,
846 &ett_smb2_pipe_fragments
,
847 &hf_smb2_pipe_fragments
,
848 &hf_smb2_pipe_fragment
,
849 &hf_smb2_pipe_fragment_overlap
,
850 &hf_smb2_pipe_fragment_overlap_conflict
,
851 &hf_smb2_pipe_fragment_multiple_tails
,
852 &hf_smb2_pipe_fragment_too_long_fragment
,
853 &hf_smb2_pipe_fragment_error
,
854 &hf_smb2_pipe_fragment_count
,
855 &hf_smb2_pipe_reassembled_in
,
856 &hf_smb2_pipe_reassembled_length
,
857 &hf_smb2_pipe_reassembled_data
,
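/*
 * Alignment requirement values.  Each value is the required alignment
 * in bytes minus one (e.g. 32-byte alignment is 0x1f).
 */
#define FILE_BYTE_ALIGNMENT	0x00
#define FILE_WORD_ALIGNMENT	0x01
#define FILE_LONG_ALIGNMENT	0x03
#define FILE_QUAD_ALIGNMENT	0x07
#define FILE_OCTA_ALIGNMENT	0x0f
#define FILE_32_BYTE_ALIGNMENT	0x1f
#define FILE_64_BYTE_ALIGNMENT	0x3f
#define FILE_128_BYTE_ALIGNMENT	0x7f
#define FILE_256_BYTE_ALIGNMENT	0xff
#define FILE_512_BYTE_ALIGNMENT	0x1ff

/*
 * Display names for the alignment values above.  FILE_QUAD_ALIGNMENT
 * was defined but had no entry, so 0x07 was shown without a name; it
 * is listed now.  Entries stay in ascending value order.
 */
static const value_string smb2_alignment_vals[] = {
	{ FILE_BYTE_ALIGNMENT,     "FILE_BYTE_ALIGNMENT" },
	{ FILE_WORD_ALIGNMENT,     "FILE_WORD_ALIGNMENT" },
	{ FILE_LONG_ALIGNMENT,     "FILE_LONG_ALIGNMENT" },
	{ FILE_QUAD_ALIGNMENT,     "FILE_QUAD_ALIGNMENT" },
	{ FILE_OCTA_ALIGNMENT,     "FILE_OCTA_ALIGNMENT" },
	{ FILE_32_BYTE_ALIGNMENT,  "FILE_32_BYTE_ALIGNMENT" },
	{ FILE_64_BYTE_ALIGNMENT,  "FILE_64_BYTE_ALIGNMENT" },
	{ FILE_128_BYTE_ALIGNMENT, "FILE_128_BYTE_ALIGNMENT" },
	{ FILE_256_BYTE_ALIGNMENT, "FILE_256_BYTE_ALIGNMENT" },
	{ FILE_512_BYTE_ALIGNMENT, "FILE_512_BYTE_ALIGNMENT" },
	{ 0, NULL }
};
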
/* Information class selector used by the get-info / set-info commands. */
#define SMB2_CLASS_FILE_INFO	0x01
#define SMB2_CLASS_FS_INFO	0x02
#define SMB2_CLASS_SEC_INFO	0x03
#define SMB2_CLASS_QUOTA_INFO	0x04
static const value_string smb2_class_vals[] = {
	{ SMB2_CLASS_FILE_INFO,  "FILE_INFO"},
	{ SMB2_CLASS_FS_INFO,    "FS_INFO"},
	{ SMB2_CLASS_SEC_INFO,   "SEC_INFO"},
	{ SMB2_CLASS_QUOTA_INFO, "QUOTA_INFO"},
	{ 0, NULL }
};

/* Share type values and their display names. */
#define SMB2_SHARE_TYPE_DISK	0x01
#define SMB2_SHARE_TYPE_PIPE	0x02
#define SMB2_SHARE_TYPE_PRINT	0x03
static const value_string smb2_share_type_vals[] = {
	{ SMB2_SHARE_TYPE_DISK,  "Physical disk" },
	{ SMB2_SHARE_TYPE_PIPE,  "Named pipe" },
	{ SMB2_SHARE_TYPE_PRINT, "Printer" },
	{ 0, NULL }
};

/*
 * File information levels, listed in ascending numeric order.
 * SMB2_FILE_LINK_INFO used to be defined twice with the same value;
 * it is defined once here.
 */
#define SMB2_FILE_DIRECTORY_INFO		0x01
#define SMB2_FILE_FULL_DIRECTORY_INFO		0x02
#define SMB2_FILE_BOTH_DIRECTORY_INFO		0x03
#define SMB2_FILE_BASIC_INFO			0x04
#define SMB2_FILE_STANDARD_INFO			0x05
#define SMB2_FILE_INTERNAL_INFO			0x06
#define SMB2_FILE_EA_INFO			0x07
#define SMB2_FILE_ACCESS_INFO			0x08
#define SMB2_FILE_NAME_INFO			0x09
#define SMB2_FILE_RENAME_INFO			0x0a
#define SMB2_FILE_LINK_INFO			0x0b
#define SMB2_FILE_NAMES_INFO			0x0c
#define SMB2_FILE_DISPOSITION_INFO		0x0d
#define SMB2_FILE_POSITION_INFO			0x0e
#define SMB2_FILE_FULL_EA_INFO			0x0f
#define SMB2_FILE_MODE_INFO			0x10
#define SMB2_FILE_ALIGNMENT_INFO		0x11
#define SMB2_FILE_ALL_INFO			0x12
#define SMB2_FILE_ALLOCATION_INFO		0x13
#define SMB2_FILE_ENDOFFILE_INFO		0x14
#define SMB2_FILE_ALTERNATE_NAME_INFO		0x15
#define SMB2_FILE_STREAM_INFO			0x16
#define SMB2_FILE_PIPE_INFO			0x17
#define SMB2_FILE_PIPE_LOCAL_INFO		0x18
#define SMB2_FILE_PIPE_REMOTE_INFO		0x19
#define SMB2_FILE_MAIL_SLOT_SET_INFO		0x1b
#define SMB2_FILE_COMPRESSION_INFO		0x1c
#define SMB2_FILE_OBJECTID_INFO			0x1d
#define SMB2_FILE_MOVE_CLUSTER_INFO		0x1f
#define SMB2_FILE_QUOTA_INFO			0x20
#define SMB2_FILE_REPARSE_POINT_INFO		0x21
#define SMB2_FILE_NETWORK_OPEN_INFO		0x22
#define SMB2_FILE_ATTRIBUTE_TAG_INFO		0x23
#define SMB2_FILE_TRACKING_INFO			0x24
#define SMB2_FILE_ID_BOTH_DIRECTORY_INFO	0x25
#define SMB2_FILE_ID_FULL_DIRECTORY_INFO	0x26
#define SMB2_VALID_DATA_LENGTH_INFO		0x27
#define SMB2_FILE_SHORT_NAME_INFO		0x28
#define SMB2_FILE_SFIO_RESERVE_INFO		0x2c
#define SMB2_FILE_SFIO_VOLUME_INFO		0x2d
#define SMB2_FILE_FULL_HARD_LINK_INFO		0x2e
#define SMB2_FILE_NORMALIZED_NAME_INFO		0x30
#define SMB2_FILE_ID_GLOBAL_TX_DIRECTORY_INFO	0x32
#define SMB2_FILE_STANDARD_LINK_INFO		0x36
#define SMB2_FILE_ID_INFO			0x3b
#define SMB2_FILE_ID_EXTD_DIRECTORY_INFO	0x3c
#define SMB2_FILE_POSIX_INFO			0x64

/* Display names for the levels above; entries are in ascending value order. */
static const value_string smb2_file_info_levels[] = {
	{SMB2_FILE_DIRECTORY_INFO,		"SMB2_FILE_DIRECTORY_INFO"},
	{SMB2_FILE_FULL_DIRECTORY_INFO,		"SMB2_FILE_FULL_DIRECTORY_INFO"},
	{SMB2_FILE_BOTH_DIRECTORY_INFO,		"SMB2_FILE_BOTH_DIRECTORY_INFO"},
	{SMB2_FILE_BASIC_INFO,			"SMB2_FILE_BASIC_INFO" },
	{SMB2_FILE_STANDARD_INFO,		"SMB2_FILE_STANDARD_INFO" },
	{SMB2_FILE_INTERNAL_INFO,		"SMB2_FILE_INTERNAL_INFO" },
	{SMB2_FILE_EA_INFO,			"SMB2_FILE_EA_INFO" },
	{SMB2_FILE_ACCESS_INFO,			"SMB2_FILE_ACCESS_INFO" },
	{SMB2_FILE_NAME_INFO,			"SMB2_FILE_NAME_INFO"},
	{SMB2_FILE_RENAME_INFO,			"SMB2_FILE_RENAME_INFO" },
	{SMB2_FILE_LINK_INFO,			"SMB2_FILE_LINK_INFO" },
	{SMB2_FILE_NAMES_INFO,			"SMB2_FILE_NAMES_INFO"},
	{SMB2_FILE_DISPOSITION_INFO,		"SMB2_FILE_DISPOSITION_INFO" },
	{SMB2_FILE_POSITION_INFO,		"SMB2_FILE_POSITION_INFO" },
	{SMB2_FILE_FULL_EA_INFO,		"SMB2_FILE_FULL_EA_INFO" },
	{SMB2_FILE_MODE_INFO,			"SMB2_FILE_MODE_INFO" },
	{SMB2_FILE_ALIGNMENT_INFO,		"SMB2_FILE_ALIGNMENT_INFO" },
	{SMB2_FILE_ALL_INFO,			"SMB2_FILE_ALL_INFO" },
	{SMB2_FILE_ALLOCATION_INFO,		"SMB2_FILE_ALLOCATION_INFO" },
	{SMB2_FILE_ENDOFFILE_INFO,		"SMB2_FILE_ENDOFFILE_INFO" },
	{SMB2_FILE_ALTERNATE_NAME_INFO,		"SMB2_FILE_ALTERNATE_NAME_INFO" },
	{SMB2_FILE_STREAM_INFO,			"SMB2_FILE_STREAM_INFO" },
	{SMB2_FILE_PIPE_INFO,			"SMB2_FILE_PIPE_INFO" },
	{SMB2_FILE_PIPE_LOCAL_INFO,		"SMB2_FILE_PIPE_LOCAL_INFO"},
	{SMB2_FILE_PIPE_REMOTE_INFO,		"SMB2_FILE_PIPE_REMOTE_INFO"},
	{SMB2_FILE_MAIL_SLOT_SET_INFO,		"SMB2_FILE_MAIL_SLOT_SET_INFO"},
	{SMB2_FILE_COMPRESSION_INFO,		"SMB2_FILE_COMPRESSION_INFO" },
	{SMB2_FILE_OBJECTID_INFO,		"SMB2_FILE_OBJECTID_INFO"},
	{SMB2_FILE_MOVE_CLUSTER_INFO,		"SMB2_FILE_MOVE_CLUSTER_INFO"},
	{SMB2_FILE_QUOTA_INFO,			"SMB2_FILE_QUOTA_INFO"},
	{SMB2_FILE_REPARSE_POINT_INFO,		"SMB2_FILE_REPARSE_POINT_INFO"},
	{SMB2_FILE_NETWORK_OPEN_INFO,		"SMB2_FILE_NETWORK_OPEN_INFO" },
	{SMB2_FILE_ATTRIBUTE_TAG_INFO,		"SMB2_FILE_ATTRIBUTE_TAG_INFO" },
	{SMB2_FILE_TRACKING_INFO,		"SMB2_FILE_TRACKING_INFO"},
	{SMB2_FILE_ID_BOTH_DIRECTORY_INFO,	"SMB2_FILE_ID_BOTH_DIRECTORY_INFO" },
	{SMB2_FILE_ID_FULL_DIRECTORY_INFO,	"SMB2_FILE_ID_FULL_DIRECTORY_INFO"},
	{SMB2_VALID_DATA_LENGTH_INFO,		"SMB2_VALID_DATA_LENGTH_INFO"},
	{SMB2_FILE_SHORT_NAME_INFO,		"SMB2_FILE_SHORT_NAME_INFO"},
	{SMB2_FILE_SFIO_RESERVE_INFO,		"SMB2_FILE_SFIO_RESERVE_INFO"},
	{SMB2_FILE_SFIO_VOLUME_INFO,		"SMB2_FILE_SFIO_VOLUME_INFO"},
	{SMB2_FILE_FULL_HARD_LINK_INFO,		"SMB2_FILE_FULL_HARD_LINK_INFO"},
	{SMB2_FILE_NORMALIZED_NAME_INFO,	"SMB2_FILE_NORMALIZED_NAME_INFO" },
	{SMB2_FILE_ID_GLOBAL_TX_DIRECTORY_INFO,	"SMB2_FILE_ID_GLOBAL_TX_DIRECTORY_INFO"},
	{SMB2_FILE_STANDARD_LINK_INFO,		"SMB2_FILE_STANDARD_LINK_INFO"},
	{SMB2_FILE_ID_INFO,			"SMB2_FILE_ID_INFO"},
	{SMB2_FILE_ID_EXTD_DIRECTORY_INFO,	"SMB2_FILE_ID_EXTD_DIRECTORY_INFO"},
	{SMB2_FILE_POSIX_INFO,			"SMB2_FILE_POSIX_INFO" },
	{ 0, NULL }
};
static value_string_ext smb2_file_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_file_info_levels);

/* Filesystem information levels. */
#define SMB2_FS_INFO_01			0x01
#define SMB2_FS_LABEL_INFO		0x02
#define SMB2_FS_INFO_03			0x03
#define SMB2_FS_INFO_04			0x04
#define SMB2_FS_INFO_05			0x05
#define SMB2_FS_INFO_06			0x06
#define SMB2_FS_INFO_07			0x07
#define SMB2_FS_OBJECTID_INFO		0x08
#define SMB2_FS_DRIVER_PATH_INFO	0x09
#define SMB2_FS_VOLUME_FLAGS_INFO	0x0a
#define SMB2_FS_SECTOR_SIZE_INFO	0x0b
#define SMB2_FS_POSIX_INFO		0x64

/* Display names for the levels above; entries are in ascending value order. */
static const value_string smb2_fs_info_levels[] = {
	{SMB2_FS_INFO_01,		"FileFsVolumeInformation" },
	{SMB2_FS_LABEL_INFO,		"FileFsLabelInformation" },
	{SMB2_FS_INFO_03,		"FileFsSizeInformation" },
	{SMB2_FS_INFO_04,		"FileFsDeviceInformation" },
	{SMB2_FS_INFO_05,		"FileFsAttributeInformation" },
	{SMB2_FS_INFO_06,		"FileFsControlInformation" },
	{SMB2_FS_INFO_07,		"FileFsFullSizeInformation" },
	{SMB2_FS_OBJECTID_INFO,		"FileFsObjectIdInformation" },
	{SMB2_FS_DRIVER_PATH_INFO,	"FileFsDriverPathInformation" },
	{SMB2_FS_VOLUME_FLAGS_INFO,	"FileFsVolumeFlagsInformation" },
	{SMB2_FS_SECTOR_SIZE_INFO,	"FileFsSectorSizeInformation" },
	{SMB2_FS_POSIX_INFO,		"FileFsPosixInformation" },
	{ 0, NULL }
};
static value_string_ext smb2_fs_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_fs_info_levels);

/* Security information levels; only level 0 is named. */
#define SMB2_SEC_INFO_00	0x00
static const value_string smb2_sec_info_levels[] = {
	{SMB2_SEC_INFO_00, "SMB2_SEC_INFO_00" },
	{ 0, NULL }
};
static value_string_ext smb2_sec_info_levels_ext = VALUE_STRING_EXT_INIT(smb2_sec_info_levels);

/* Information levels used by the find (directory query) command. */
#define SMB2_FIND_DIRECTORY_INFO		0x01
#define SMB2_FIND_FULL_DIRECTORY_INFO		0x02
#define SMB2_FIND_BOTH_DIRECTORY_INFO		0x03
#define SMB2_FIND_INDEX_SPECIFIED		0x04
#define SMB2_FIND_NAME_INFO			0x0C
#define SMB2_FIND_ID_BOTH_DIRECTORY_INFO	0x25
#define SMB2_FIND_ID_FULL_DIRECTORY_INFO	0x26
#define SMB2_FIND_POSIX_INFO			0x64
static const value_string smb2_find_info_levels[] = {
	{ SMB2_FIND_DIRECTORY_INFO,		"SMB2_FIND_DIRECTORY_INFO" },
	{ SMB2_FIND_FULL_DIRECTORY_INFO,	"SMB2_FIND_FULL_DIRECTORY_INFO" },
	{ SMB2_FIND_BOTH_DIRECTORY_INFO,	"SMB2_FIND_BOTH_DIRECTORY_INFO" },
	{ SMB2_FIND_INDEX_SPECIFIED,		"SMB2_FIND_INDEX_SPECIFIED" },
	{ SMB2_FIND_NAME_INFO,			"SMB2_FIND_NAME_INFO" },
	{ SMB2_FIND_ID_BOTH_DIRECTORY_INFO,	"SMB2_FIND_ID_BOTH_DIRECTORY_INFO" },
	{ SMB2_FIND_ID_FULL_DIRECTORY_INFO,	"SMB2_FIND_ID_FULL_DIRECTORY_INFO" },
	{ SMB2_FIND_POSIX_INFO,			"SMB2_FIND_POSIX_INFO" },
	{ 0, NULL }
};

/*
 * Negotiate context types.  The pre-auth integrity, encryption and
 * signing contexts decide which hash, cipher and MAC a session uses,
 * so they are the ones to look at when reviewing a capture for
 * weak or downgraded negotiation.
 */
#define SMB2_PREAUTH_INTEGRITY_CAPABILITIES	0x0001
#define SMB2_ENCRYPTION_CAPABILITIES		0x0002
#define SMB2_COMPRESSION_CAPABILITIES		0x0003
#define SMB2_NETNAME_NEGOTIATE_CONTEXT_ID	0x0005
#define SMB2_TRANSPORT_CAPABILITIES		0x0006
#define SMB2_RDMA_TRANSFORM_CAPABILITIES	0x0007
#define SMB2_SIGNING_CAPABILITIES		0x0008
#define SMB2_POSIX_EXTENSIONS_CAPABILITIES	0x0100
static const value_string smb2_negotiate_context_types[] = {
	{ SMB2_PREAUTH_INTEGRITY_CAPABILITIES,	"SMB2_PREAUTH_INTEGRITY_CAPABILITIES" },
	{ SMB2_ENCRYPTION_CAPABILITIES,		"SMB2_ENCRYPTION_CAPABILITIES" },
	{ SMB2_COMPRESSION_CAPABILITIES,	"SMB2_COMPRESSION_CAPABILITIES" },
	{ SMB2_NETNAME_NEGOTIATE_CONTEXT_ID,	"SMB2_NETNAME_NEGOTIATE_CONTEXT_ID" },
	{ SMB2_TRANSPORT_CAPABILITIES,		"SMB2_TRANSPORT_CAPABILITIES" },
	{ SMB2_RDMA_TRANSFORM_CAPABILITIES,	"SMB2_RDMA_TRANSFORM_CAPABILITIES" },
	{ SMB2_SIGNING_CAPABILITIES,		"SMB2_SIGNING_CAPABILITIES" },
	{ SMB2_POSIX_EXTENSIONS_CAPABILITIES,	"SMB2_POSIX_EXTENSIONS_CAPABILITIES" },
	{ 0, NULL }
};

/* Pre-authentication integrity hash algorithms; SHA-512 is the only one named here. */
#define SMB2_HASH_ALGORITHM_SHA_512	0x0001
static const value_string smb2_hash_algorithm_types[] = {
	{ SMB2_HASH_ALGORITHM_SHA_512, "SHA-512" },
	{ 0, NULL }
};

/* Signing algorithm identifiers. */
#define SMB2_SIGNING_ALG_HMAC_SHA256	0x0000
#define SMB2_SIGNING_ALG_AES_CMAC	0x0001
#define SMB2_SIGNING_ALG_AES_GMAC	0x0002
static const value_string smb2_signing_alg_types[] = {
	{ SMB2_SIGNING_ALG_HMAC_SHA256, "HMAC-SHA256" },
	{ SMB2_SIGNING_ALG_AES_CMAC,    "AES-CMAC" },
	{ SMB2_SIGNING_ALG_AES_GMAC,    "AES-GMAC" },
	{ 0, NULL }
};

/* Encryption cipher identifiers. */
#define SMB2_CIPHER_AES_128_CCM		0x0001
#define SMB2_CIPHER_AES_128_GCM		0x0002
#define SMB2_CIPHER_AES_256_CCM		0x0003
#define SMB2_CIPHER_AES_256_GCM		0x0004
static const value_string smb2_cipher_types[] = {
	{ SMB2_CIPHER_AES_128_CCM, "AES-128-CCM" },
	{ SMB2_CIPHER_AES_128_GCM, "AES-128-GCM" },
	{ SMB2_CIPHER_AES_256_CCM, "AES-256-CCM" },
	{ SMB2_CIPHER_AES_256_GCM, "AES-256-GCM" },
	{ 0, NULL }
};

/* Flag bits of the transform (encrypted message) header. */
#define SMB2_TRANSFORM_FLAGS_ENCRYPTED	0x0001

/* NULL-terminated list of the header fields that make up the flags word. */
static int * const smb2_transform_flags[] = {
	&hf_smb2_transform_flags_encrypted,
	NULL
};

/* Flag in the compression capabilities context. */
#define SMB2_COMP_ALG_FLAGS_CHAINED	0x00000001

/* Compression algorithm identifiers. */
#define SMB2_COMP_ALG_NONE		0x0000
#define SMB2_COMP_ALG_LZNT1		0x0001
#define SMB2_COMP_ALG_LZ77		0x0002
#define SMB2_COMP_ALG_LZ77HUFF		0x0003
#define SMB2_COMP_ALG_PATTERN_V1	0x0004
static const value_string smb2_comp_alg_types[] = {
	{ SMB2_COMP_ALG_NONE,       "None" },
	{ SMB2_COMP_ALG_LZNT1,      "LZNT1" },
	{ SMB2_COMP_ALG_LZ77,       "LZ77" },
	{ SMB2_COMP_ALG_LZ77HUFF,   "LZ77+Huffman" },
	{ SMB2_COMP_ALG_PATTERN_V1, "Pattern_V1" },
	{ 0, NULL }
};

/* Flags of the compression transform header. */
#define SMB2_COMP_FLAG_NONE	0x0000
#define SMB2_COMP_FLAG_CHAINED	0x0001
static const value_string smb2_comp_transform_flags_vals[] = {
	{ SMB2_COMP_FLAG_NONE,    "None" },
	{ SMB2_COMP_FLAG_CHAINED, "Chained" },
	{ 0, NULL }
};

/* RDMA transform identifiers. */
#define SMB2_RDMA_TRANSFORM_NONE	0x0000
#define SMB2_RDMA_TRANSFORM_ENCRYPTION	0x0001
#define SMB2_RDMA_TRANSFORM_SIGNING	0x0002
static const value_string smb2_rdma_transform_types[] = {
	{ SMB2_RDMA_TRANSFORM_NONE,       "None" },
	{ SMB2_RDMA_TRANSFORM_ENCRYPTION, "Encryption" },
	{ SMB2_RDMA_TRANSFORM_SIGNING,    "Signing" },
	{ 0, NULL }
};

/* Structure sizes that tell the oplock-break and lease-break message variants apart. */
#define OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE			24	/* [MS-SMB2] 2.2.23.1, 2.2.24.1 and 2.2.25.1 */
#define OPLOCK_BREAK_LEASE_NOTIFICATION_STRUCTURE_SIZE		44	/* [MS-SMB2] 2.2.23.2 Lease Break Notification */
#define OPLOCK_BREAK_LEASE_ACKNOWLEDGMENT_STRUCTURE_SIZE	36	/* [MS-SMB2] 2.2.24.2 Lease Break Acknowledgment */
#define OPLOCK_BREAK_LEASE_RESPONSE_STRUCTURE_SIZE		36	/* [MS-SMB2] 2.2.25.2 Lease Break Response */

/* 64-bit value whose all-ones pattern is displayed as an unsolicited response. */
static const val64_string unique_unsolicited_response[] = {
	{ 0xffffffffffffffff, "unsolicited response" },
	{ 0, NULL }
};

/* Error context identifiers. */
#define SMB2_ERROR_ID_DEFAULT		0x00000000
#define SMB2_ERROR_ID_SHARE_REDIRECT	0x72645253
static const value_string smb2_error_id_vals[] = {
	{ SMB2_ERROR_ID_DEFAULT,        "ERROR_ID_DEFAULT" },
	{ SMB2_ERROR_ID_SHARE_REDIRECT, "ERROR_ID_SHARE_REDIRECT" },
	{ 0, NULL }
};

/* Flags of the transport capabilities negotiate context. */
#define SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY	0x00000001
static const value_string smb2_transport_ctx_flags_vals[] = {
	{ SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY, "SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY" },
	{ 0, NULL }
};

/* Reparse point tags. */
#define REPARSE_TAG_RESERVED_ZERO	0x00000000	/* Reserved reparse tag value. */
#define REPARSE_TAG_RESERVED_ONE	0x00000001	/* Reserved reparse tag value. */
#define REPARSE_TAG_MOUNT_POINT		0xA0000003	/* Used for mount point */
#define REPARSE_TAG_HSM			0xC0000004	/* Obsolete. Used by legacy Hierarchical Storage Manager Product. */
#define REPARSE_TAG_DRIVER_EXTENDER	0x80000005	/* Home server drive extender. */
#define REPARSE_TAG_HSM2		0x80000006	/* Obsolete. Used by legacy Hierarchical Storage Manager Product. */
#define REPARSE_TAG_SIS			0x80000007	/* Used by single-instance storage (SIS) filter driver. */
#define REPARSE_TAG_DFS			0x8000000A	/* Used by the DFS filter. */
#define REPARSE_TAG_FILTER_MANAGER	0x8000000B	/* Used by filter manager test harness */
#define REPARSE_TAG_SYMLINK		0xA000000C	/* Used for symbolic link support. */
#define REPARSE_TAG_DFSR		0x80000012	/* Used by the DFS filter. */
#define REPARSE_TAG_NFS			0x80000014	/* Used by the Network File System (NFS) component. */
#define REPARSE_TAG_LX_SYMLINK		0xA000001D	/* WSL symbolic link */
#define REPARSE_TAG_AF_UNIX		0x80000023	/* WSL unix socket */
#define REPARSE_TAG_LX_FIFO		0x80000024	/* WSL fifo pipe */
#define REPARSE_TAG_LX_CHR		0x80000025	/* WSL char device */
#define REPARSE_TAG_LX_BLK		0x80000026	/* WSL block device */

/* Display names for the tags above, in the same order as the definitions. */
static const value_string reparse_tag_vals[] = {
	{ REPARSE_TAG_RESERVED_ZERO,   "REPARSE_TAG_RESERVED_ZERO"},
	{ REPARSE_TAG_RESERVED_ONE,    "REPARSE_TAG_RESERVED_ONE"},
	{ REPARSE_TAG_MOUNT_POINT,     "REPARSE_TAG_MOUNT_POINT"},
	{ REPARSE_TAG_HSM,             "REPARSE_TAG_HSM"},
	{ REPARSE_TAG_DRIVER_EXTENDER, "REPARSE_TAG_DRIVER_EXTENDER"},
	{ REPARSE_TAG_HSM2,            "REPARSE_TAG_HSM2"},
	{ REPARSE_TAG_SIS,             "REPARSE_TAG_SIS"},
	{ REPARSE_TAG_DFS,             "REPARSE_TAG_DFS"},
	{ REPARSE_TAG_FILTER_MANAGER,  "REPARSE_TAG_FILTER_MANAGER"},
	{ REPARSE_TAG_SYMLINK,         "REPARSE_TAG_SYMLINK"},
	{ REPARSE_TAG_DFSR,            "REPARSE_TAG_DFSR"},
	{ REPARSE_TAG_NFS,             "REPARSE_TAG_NFS"},
	{ REPARSE_TAG_LX_SYMLINK,      "REPARSE_TAG_LX_SYMLINK"},
	{ REPARSE_TAG_AF_UNIX,         "REPARSE_TAG_AF_UNIX"},
	{ REPARSE_TAG_LX_FIFO,         "REPARSE_TAG_LX_FIFO"},
	{ REPARSE_TAG_LX_CHR,          "REPARSE_TAG_LX_CHR"},
	{ REPARSE_TAG_LX_BLK,          "REPARSE_TAG_LX_BLK"},
	{ 0, NULL }
};

/* 64-bit type codes for special files stored under the NFS reparse tag. */
#define NFS_SPECFILE_LNK	0x00000000014B4E4C
#define NFS_SPECFILE_CHR	0x0000000000524843
#define NFS_SPECFILE_BLK	0x00000000004B4C42
#define NFS_SPECFILE_FIFO	0x000000004F464946
#define NFS_SPECFILE_SOCK	0x000000004B434F53
static const val64_string nfs_type_vals[] = {
	{ NFS_SPECFILE_LNK,  "Symbolic Link" },
	{ NFS_SPECFILE_CHR,  "Character Device" },
	{ NFS_SPECFILE_BLK,  "Block Device" },
	{ NFS_SPECFILE_FIFO, "FIFO" },
	{ NFS_SPECFILE_SOCK, "UNIX Socket" },
	{ 0, NULL }
};

/* Number of rows in the per-command service response time table. */
#define SMB2_NUM_PROCEDURES	256
/*
 * Size limit for decompressed data.  Presumably the bound applied when
 * expanding compressed payloads read from a capture; the use site is
 * outside this excerpt.
 */
#define MAX_UNCOMPRESSED_SIZE	(1<<24) /* 16MB */

/* Dialect revision codes. */
#define SMB2_DIALECT_202	0x0202
#define SMB2_DIALECT_210	0x0210
#define SMB2_DIALECT_2FF	0x02FF
#define SMB2_DIALECT_222	0x0222
#define SMB2_DIALECT_224	0x0224
#define SMB2_DIALECT_300	0x0300
#define SMB2_DIALECT_302	0x0302
#define SMB2_DIALECT_310	0x0310
#define SMB2_DIALECT_311	0x0311

/* Display names for the dialect codes, in the order the codes are defined above. */
static const value_string smb2_dialect_vals[] = {
	{ SMB2_DIALECT_202, "SMB 2.0.2" },
	{ SMB2_DIALECT_210, "SMB 2.1" },
	{ SMB2_DIALECT_2FF, "SMB2 wildcard" },
	{ SMB2_DIALECT_222, "SMB 2.2.2 (deprecated; should be 3.0)" },
	{ SMB2_DIALECT_224, "SMB 2.2.4 (deprecated; should be 3.0)" },
	{ SMB2_DIALECT_300, "SMB 3.0" },
	{ SMB2_DIALECT_302, "SMB 3.0.2" },
	{ SMB2_DIALECT_310, "SMB 3.1.0 (deprecated; should be 3.1.1)" },
	{ SMB2_DIALECT_311, "SMB 3.1.1" },
	{ 0, NULL }
};

/* Checksum type names for the integrity-information FSCTL. */
static const value_string smb2_fsctl_infoex_integrity_modes[] = {
	{ 0x00, "CHECKSUM_TYPE_NONE" },
	{ 0x01, "CHECKSUM_TYPE_CRC32_OR_CRC64" },
	{ 0, NULL }
};

/* State-change names for the integrity-information FSCTL. */
static const value_string smb2_fsctl_infoex_integrity_state[] = {
	{ 0x00, "Change state" },
	{ 0x01, "No state change" },
	{ 0, NULL }
};

/* Flag bits of the find (directory query) request. */
#define SMB2_SL_RESTART_SCAN		0x00000001
#define SMB2_SL_RETURN_SINGLE_ENTRY	0x00000002
#define SL_INDEX_SPECIFIED		0x00000004

/* Server-to-client notification types. */
#define NOTIFY_SESSION_CLOSED	0x0
static const value_string server_notification_types[] = {
	{ NOTIFY_SESSION_CLOSED, "SmbNotifySessionClosed" },
	{ 0, NULL }
};

/* ReFS stream snapshot management operations. */
#define REFS_STREAM_SNAPSHOT_OPERATION_INVALID			0x00000000
#define REFS_STREAM_SNAPSHOT_OPERATION_CREATE			0x00000001
#define REFS_STREAM_SNAPSHOT_OPERATION_LIST			0x00000002
#define REFS_STREAM_SNAPSHOT_OPERATION_QUERY_DELTAS		0x00000003
#define REFS_STREAM_SNAPSHOT_OPERATION_REVERT			0x00000004
#define REFS_STREAM_SNAPSHOT_OPERATION_SET_SHADOW_BTREE		0x00000005
#define REFS_STREAM_SNAPSHOT_OPERATION_CLEAR_SHADOW_BTREE	0x00000006

static const value_string refs_stream_snapshot_operation_types[] = {
	{ REFS_STREAM_SNAPSHOT_OPERATION_INVALID,            "Invalid" },
	{ REFS_STREAM_SNAPSHOT_OPERATION_CREATE,             "Create" },
	{ REFS_STREAM_SNAPSHOT_OPERATION_LIST,               "List" },
	{ REFS_STREAM_SNAPSHOT_OPERATION_QUERY_DELTAS,       "Query Deltas" },
	{ REFS_STREAM_SNAPSHOT_OPERATION_REVERT,             "Revert" },
	{ REFS_STREAM_SNAPSHOT_OPERATION_SET_SHADOW_BTREE,   "Set Shadow Btree" },
	{ REFS_STREAM_SNAPSHOT_OPERATION_CLEAR_SHADOW_BTREE, "Clear Shadow Btree" },
	{ 0, NULL }
};

/* Flags of a full extended-attribute (EA) information entry. */
#define FILE_FULL_EA_INFORMATION_FLAG_NONE	0x00000000
#define FILE_FULL_EA_INFORMATION_FLAG_NEED_EA	0x00000001

static const value_string file_full_ea_information_flags[] = {
	{ FILE_FULL_EA_INFORMATION_FLAG_NONE,    "None" },
	{ FILE_FULL_EA_INFORMATION_FLAG_NEED_EA, "Need EA" },
	{ 0, NULL }
};

/* Forward declarations for helpers defined further down in this file. */
static int dissect_windows_sockaddr_storage(tvbuff_t *, packet_info *, proto_tree *, int, int);
static void dissect_smb2_error_data(tvbuff_t *, packet_info *, proto_tree *, int, int, smb2_info_t *);
/* Hash and equality callbacks for the export-object file table. */
static unsigned smb2_eo_files_hash(const void *k);
static int smb2_eo_files_equal(const void *k1, const void *k2);

/*
 * Fold one message into the running pre-authentication hash:
 *     buf = SHA-512(buf || captured bytes of tvb)
 *
 * buf is read and overwritten in place and must hold
 * SMB2_PREAUTH_HASH_SIZE bytes.  If the digest context cannot be
 * opened, buf is left unchanged and no error is reported.
 *
 * Only the captured length is hashed.  For a frame that was truncated
 * at capture time the result will differ from what the endpoints
 * computed over the full message, so anything derived from it
 * (presumably the decryption keys - confirm at the call sites) will
 * not match.
 */
static void update_preauth_hash(void *buf, packet_info *pinfo, tvbuff_t *tvb)
{
	gcry_md_hd_t digest;
	gcry_error_t rc;
	void *frame_bytes;
	const unsigned frame_len = tvb_captured_length(tvb);

	rc = gcry_md_open(&digest, GCRY_MD_SHA512, 0);
	if (rc)
		return;

	/* The tvb may not be contiguous, so hash a flat copy of it. */
	frame_bytes = tvb_memdup(pinfo->pool, tvb, 0, frame_len);

	/* Previous hash value first, then the message bytes. */
	gcry_md_write(digest, buf, SMB2_PREAUTH_HASH_SIZE);
	gcry_md_write(digest, frame_bytes, frame_len);
	gcry_md_final(digest);

	memcpy(buf, gcry_md_read(digest, 0), SMB2_PREAUTH_HASH_SIZE);
	gcry_md_close(digest);
}

/*
 * Create the SMB2 service response time table with one row per
 * possible command code (SMB2_NUM_PROCEDURES rows) and label every
 * row with the command name, or "<unknown>" when the code has none.
 */
static void
smb2stat_init(struct register_srt* srt _U_, GArray* srt_array)
{
	srt_stat_table *table;
	uint32_t cmd;

	table = init_srt_table("SMB2", NULL, srt_array, SMB2_NUM_PROCEDURES, "Commands", "smb2.cmd", NULL);

	for (cmd = 0; cmd < SMB2_NUM_PROCEDURES; cmd++) {
		const char *label = val_to_str_ext_const(cmd, &smb2_cmd_vals_ext, "<unknown>");

		init_srt_table_row(table, cmd, label);
	}
}

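/*
 * Tap callback feeding the SMB2 service response time table.
 *
 * pss is the srt_data_t holding the table array and prv is the
 * smb2_info_t of the message that was just dissected.  Returns
 * TAP_PACKET_REDRAW when a sample was added and
 * TAP_PACKET_DONT_REDRAW when the message was ignored.
 */
static tap_packet_status
smb2stat_packet(void *pss, packet_info *pinfo, epan_dissect_t *edt _U_, const void *prv, tap_flags_t flags _U_)
{
	unsigned i = 0;
	srt_stat_table *smb2_srt_table;
	srt_data_t *data = (srt_data_t *)pss;
	const smb2_info_t *si = (const smb2_info_t *)prv;

	/* we are only interested in response packets */
	if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
		return TAP_PACKET_DONT_REDRAW;
	}

	/* We should not include cancel and oplock break requests either */
	if (si->opcode == SMB2_COM_CANCEL || si->opcode == SMB2_COM_BREAK) {
		return TAP_PACKET_DONT_REDRAW;
	}

	/*
	 * The table was created with SMB2_NUM_PROCEDURES rows and the
	 * opcode is used as the row index below.  The opcode comes from
	 * the captured message, and whether add_srt_table_data()
	 * range-checks its index cannot be seen from this file, so drop
	 * anything that would fall outside the table.
	 */
	if (si->opcode >= SMB2_NUM_PROCEDURES) {
		return TAP_PACKET_DONT_REDRAW;
	}

	/* if we haven't seen the request, just ignore it */
	if (!si->saved) {
		return TAP_PACKET_DONT_REDRAW;
	}

	/* SMB2 SRT can be very inaccurate in the presence of retransmissions. Retransmitted responses
	 * not only add additional (bogus) transactions but also the latency associated with them.
	 * This can greatly inflate the maximum and average SRT stats especially in the case of
	 * retransmissions triggered by the expiry of the rexmit timer (RTOs). Only calculating SRT
	 * for the last received response accomplishes this goal without requiring the TCP pref
	 * "Do not call subdissectors for error packets" to be set. */
	if (si->saved->frame_res != pinfo->num)
		return TAP_PACKET_DONT_REDRAW;

	/* There is a single SMB2 table, at index 0 of the array. */
	smb2_srt_table = g_array_index(data->srt_array, srt_stat_table*, i);
	add_srt_table_data(smb2_srt_table, si->opcode, &si->saved->req_time, pinfo);
	return TAP_PACKET_REDRAW;
}
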
/*
 * Structure for SessionID <=> SessionKey mapping for decryption.
 *
 * One record of the user-supplied key table.  Every buffer is paired
 * with its length in bytes.  The buffers hold secret key material, so
 * treat dumps of this table as sensitive.
 */
typedef struct _smb2_seskey_field_t {
	/* session id */
	unsigned char *id;		/* *little-endian* - not necessarily host-endian! */
	/* NOTE(review): the id_len declaration was not legible in this
	 * listing; its type is assumed from the sibling length fields. */
	unsigned id_len;
	/* session key */
	unsigned char *seskey;
	unsigned seskey_len;
	/* server to client key */
	unsigned char *s2ckey;
	unsigned s2ckey_len;
	/* client to server key */
	unsigned char *c2skey;
	unsigned c2skey_len;
} smb2_seskey_field_t;

/* The user-supplied key table and its number of records. */
static smb2_seskey_field_t *seskey_list;
static unsigned num_seskey_list;

/* All-zero buffer of NTLMSSP_KEY_LEN bytes. */
static const int8_t zeros[NTLMSSP_KEY_LEN] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};

/* Callbacks for SessionID <=> SessionKey mapping. */
UAT_BUFFER_CB_DEF(seskey_list, id, smb2_seskey_field_t, id, id_len)
UAT_BUFFER_CB_DEF(seskey_list, seskey, smb2_seskey_field_t, seskey, seskey_len)
UAT_BUFFER_CB_DEF(seskey_list, s2ckey, smb2_seskey_field_t, s2ckey, s2ckey_len)
UAT_BUFFER_CB_DEF(seskey_list, c2skey, smb2_seskey_field_t, c2skey, c2skey_len)

/* Length in bytes of a session ID as it appears on the wire. */
#define SMB_SESSION_ID_SIZE 8

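/* True when len is one of the two accepted AES key lengths. */
static bool seskey_aes_key_len_ok(unsigned len)
{
	return len == AES_KEY_SIZE || len == AES_KEY_SIZE*2;
}

/*
 * Validate one record of the session key table.
 *
 * r is the smb2_seskey_field_t to check.  On failure *err receives a
 * newly allocated message and false is returned; on success *err is
 * NULL and true is returned.
 *
 * Rules: the session ID must be exactly SMB_SESSION_ID_SIZE bytes, at
 * least one of session key / server-to-client key / client-to-server
 * key must be present, the session key may be at most NTLMSSP_KEY_LEN
 * bytes, and each AES key, when present, must be AES_KEY_SIZE or
 * AES_KEY_SIZE*2 bytes long.
 *
 * The two AES key messages used to be assembled with
 * G_STRINGIFY(AES_KEY_SIZE*2), which prints the unevaluated expression
 * text and carried no unit; they now print both lengths as numbers
 * followed by "bytes".
 *
 * NOTE(review): seskey_find_sid_key() accepts session keys of up to
 * NTLMSSP_KEY_LEN*2 bytes while this check rejects anything longer
 * than NTLMSSP_KEY_LEN; confirm which limit is intended.
 */
static bool seskey_list_update_cb(void *r, char **err)
{
	const smb2_seskey_field_t *rec = (const smb2_seskey_field_t *)r;
	bool has_seskey = rec->seskey_len != 0;
	bool has_s2ckey = rec->s2ckey_len != 0;
	bool has_c2skey = rec->c2skey_len != 0;

	*err = NULL;

	if (rec->id_len != SMB_SESSION_ID_SIZE) {
		*err = g_strdup("Session ID must be " G_STRINGIFY(SMB_SESSION_ID_SIZE) " bytes long and in hexadecimal");
		return false;
	}

	if (!has_seskey && !(has_c2skey || has_s2ckey)) {
		*err = g_strdup("Decryption requires either the Session Key or at least one of the client-server AES keys");
		return false;
	}

	if (rec->seskey_len > NTLMSSP_KEY_LEN) {
		*err = g_strdup("Session Key must be a hexadecimal string representing at most " G_STRINGIFY(NTLMSSP_KEY_LEN) " bytes");
		return false;
	}

	if (has_s2ckey && !seskey_aes_key_len_ok(rec->s2ckey_len)) {
		*err = g_strdup_printf("Server-to-Client key must be a hexadecimal string representing %u or %u bytes",
				       (unsigned)AES_KEY_SIZE, (unsigned)(AES_KEY_SIZE*2));
		return false;
	}

	if (has_c2skey && !seskey_aes_key_len_ok(rec->c2skey_len)) {
		*err = g_strdup_printf("Client-to-Server key must be a hexadecimal string representing %u or %u bytes",
				       (unsigned)AES_KEY_SIZE, (unsigned)(AES_KEY_SIZE*2));
		return false;
	}

	return true;
}
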
/* Duplicate a key buffer; a NULL source stays NULL. */
static unsigned char *seskey_dup_buffer(const unsigned char *src, unsigned len)
{
	if (src == NULL)
		return NULL;
	return (unsigned char *)g_memdup2(src, len);
}

/*
 * Deep-copy one session key record from o into n and return n.
 * Every buffer is duplicated, so the copy owns its own key material
 * and has to be released separately.
 */
static void* seskey_list_copy_cb(void *n, const void *o, size_t siz _U_)
{
	smb2_seskey_field_t *dst = (smb2_seskey_field_t *)n;
	const smb2_seskey_field_t *src = (const smb2_seskey_field_t *)o;

	dst->id_len     = src->id_len;
	dst->id         = seskey_dup_buffer(src->id, src->id_len);

	dst->seskey_len = src->seskey_len;
	dst->seskey     = seskey_dup_buffer(src->seskey, src->seskey_len);

	dst->s2ckey_len = src->s2ckey_len;
	dst->s2ckey     = seskey_dup_buffer(src->s2ckey, src->s2ckey_len);

	dst->c2skey_len = src->c2skey_len;
	dst->c2skey     = seskey_dup_buffer(src->c2skey, src->c2skey_len);

	return dst;
}

/*
 * Release the buffers owned by one session key record.
 *
 * NOTE(review): the key bytes are returned to the allocator without
 * being wiped first; consider clearing them before the free if key
 * material lingering in freed heap memory is a concern.
 */
static void seskey_list_free_cb(void *r)
{
	smb2_seskey_field_t *rec = (smb2_seskey_field_t *)r;
	unsigned char *owned[] = { rec->id, rec->seskey, rec->s2ckey, rec->c2skey };

	for (size_t n = 0; n < sizeof owned / sizeof owned[0]; n++)
		g_free(owned[n]);
}

/*
 * Look up the key material configured for a session ID.
 *
 * sesid is the session ID in host byte order.  When a record matches,
 * every output buffer is first cleared and then filled with whichever
 * keys that record provides, and true is returned.  When nothing
 * matches the outputs are left untouched and false is returned.
 *
 * Buffer sizes the caller has to provide, as written below:
 *   out_seskey                    NTLMSSP_KEY_LEN*2 bytes
 *   out_s2ckey16, out_c2skey16    AES_KEY_SIZE bytes
 *   out_s2ckey32, out_c2skey32    AES_KEY_SIZE*2 bytes
 */
static bool seskey_find_sid_key(uint64_t sesid, uint8_t *out_seskey,
				unsigned *out_seskey_len,
				uint8_t *out_s2ckey16,
				uint8_t *out_c2skey16,
				uint8_t *out_s2ckey32,
				uint8_t *out_c2skey32)
{
	/*
	 * Table IDs are stored as 8 octets (SMB_SESSION_ID_SIZE, already
	 * validated) in little-endian wire order, whereas sesid arrives
	 * in host order, which is big-endian on some platforms.  Convert
	 * to little-endian first, and compare with memcmp() so that no
	 * alignment of the stored ID is assumed.
	 */
	const uint64_t wire_id = GUINT64_TO_LE(sesid);

	for (unsigned idx = 0; idx < num_seskey_list; idx++) {
		const smb2_seskey_field_t *entry = &seskey_list[idx];

		if (memcmp(&wire_id, entry->id, SMB_SESSION_ID_SIZE) != 0)
			continue;

		/* Start from all-zero outputs so absent keys read as zeros. */
		*out_seskey_len = 0;
		memset(out_seskey, 0, NTLMSSP_KEY_LEN*2);
		memset(out_s2ckey16, 0, AES_KEY_SIZE);
		memset(out_c2skey16, 0, AES_KEY_SIZE);
		memset(out_s2ckey32, 0, AES_KEY_SIZE*2);
		memset(out_c2skey32, 0, AES_KEY_SIZE*2);

		/* Copy the session key only when it fits the output buffer. */
		if (entry->seskey_len > 0 && entry->seskey_len <= NTLMSSP_KEY_LEN*2) {
			memcpy(out_seskey, entry->seskey, entry->seskey_len);
			*out_seskey_len = entry->seskey_len;
		}

		/* Each AES key goes to the output that matches its length. */
		if (entry->s2ckey_len == AES_KEY_SIZE)
			memcpy(out_s2ckey16, entry->s2ckey, entry->s2ckey_len);
		if (entry->s2ckey_len == AES_KEY_SIZE*2)
			memcpy(out_s2ckey32, entry->s2ckey, entry->s2ckey_len);
		if (entry->c2skey_len == AES_KEY_SIZE)
			memcpy(out_c2skey16, entry->c2skey, entry->c2skey_len);
		if (entry->c2skey_len == AES_KEY_SIZE*2)
			memcpy(out_c2skey32, entry->c2skey, entry->c2skey_len);

		return true;
	}

	return false;
}

/* ExportObject preferences variable */
bool eosmb2_take_name_as_fid = false;

/* unmatched smb_saved_info structures.
   For unmatched smb_saved_info structures we store the smb_saved_info
   structure using the msg_id field.
*/
/* Equality callback: two entries match when their msg_id values are equal. */
static int
smb2_saved_info_equal_unmatched(const void *k1, const void *k2)
{
	const smb2_saved_info_t *lhs = (const smb2_saved_info_t *)k1;
	const smb2_saved_info_t *rhs = (const smb2_saved_info_t *)k2;

	return lhs->msg_id == rhs->msg_id;
}
/*
 * Hash callback: the low 32 bits of msg_id.  The value is read from
 * the capture, so the bucket distribution is only as good as the
 * message IDs in the trace.
 */
static unsigned
smb2_saved_info_hash_unmatched(const void *k)
{
	const smb2_saved_info_t *entry = (const smb2_saved_info_t *)k;

	return (uint32_t)(entry->msg_id & 0xffffffff);
}

/*
 * Matched smb2_saved_info structures.
 * Once a transaction is matched, its smb2_saved_info_t is stored
 * using the msg_id field as the key.
 *
 * Equality callback: two entries are the same when their msg_id is the same.
 * Returns non-zero on a match, zero otherwise.
 */
static int
smb2_saved_info_equal_matched(const void *k1, const void *k2)
{
	const smb2_saved_info_t *lhs = (const smb2_saved_info_t *)k1;
	const smb2_saved_info_t *rhs = (const smb2_saved_info_t *)k2;

	if (lhs->msg_id != rhs->msg_id) {
		return 0;
	}
	return 1;
}
/*
 * Hash callback for the matched table: the hash is the low 32 bits of
 * msg_id.
 */
static unsigned
smb2_saved_info_hash_matched(const void *k)
{
	const smb2_saved_info_t *entry = (const smb2_saved_info_t *)k;

	return (uint32_t)(entry->msg_id & 0xffffffff);
}
/*
 * For Tids of a specific conversation.
 * This keeps track of tid->sharename mappings and other per-tid information.
 *
 * We might need to refine this if it turns out that tids are reused on a
 * single conversation; that case is deliberately ignored for simplicity.
 *
 * Equality callback: entries match when their tid is the same.
 */
static int
smb2_tid_info_equal(const void *k1, const void *k2)
{
	const smb2_tid_info_t *lhs = (const smb2_tid_info_t *)k1;
	const smb2_tid_info_t *rhs = (const smb2_tid_info_t *)k2;

	if (lhs->tid != rhs->tid) {
		return 0;
	}
	return 1;
}
1593 smb2_tid_info_hash(const void *k
)
1595 const smb2_tid_info_t
*key
= (const smb2_tid_info_t
*)k
;
/*
 * For Uids of a specific conversation.
 * This keeps track of uid->acct_name mappings and other per-session
 * information.
 *
 * We might need to refine this if it turns out that uids are reused on a
 * single conversation; that case is deliberately ignored for simplicity.
 *
 * Equality callback: entries match when their 64-bit session id is the same.
 */
static int
smb2_sesid_info_equal(const void *k1, const void *k2)
{
	const smb2_sesid_info_t *lhs = (const smb2_sesid_info_t *)k1;
	const smb2_sesid_info_t *rhs = (const smb2_sesid_info_t *)k2;

	if (lhs->sesid != rhs->sesid) {
		return 0;
	}
	return 1;
}
/*
 * Hash callback for session entries: adds the upper and lower 32-bit halves
 * of the session id and truncates the sum to 32 bits.
 */
static unsigned
smb2_sesid_info_hash(const void *k)
{
	const smb2_sesid_info_t *entry = (const smb2_sesid_info_t *)k;
	uint32_t folded;

	folded = (uint32_t)(((entry->sesid >> 32) & 0xffffffff) + (entry->sesid & 0xffffffff));
	return folded;
}
/*
 * For File IDs of a specific conversation.
 * This keeps track of fid to name mapping and application level conversations.
 *
 * This handles implementation bugs, where the fid_persistent is 0 or
 * the fid_persistent/fid_volatile is not unique per conversation.
 *
 * Equality callback. One of the two arguments is a lookup probe carrying a
 * non-zero frame_key; the other is a stored entry with a [frame_beg,
 * frame_end] validity window. The argument order is not fixed, so the probe
 * is identified by its frame_key. A match requires identical persistent and
 * volatile ids, session id and tree id, and the probe frame to fall inside
 * the stored entry's window.
 */
static int
smb2_fid_info_equal(const void *k1, const void *k2)
{
	const smb2_fid_info_t *first = (const smb2_fid_info_t *)k1;
	const smb2_fid_info_t *second = (const smb2_fid_info_t *)k2;
	const smb2_fid_info_t *probe;
	const smb2_fid_info_t *stored;

	/* Whichever side has frame_key set is the probe. */
	if (first->frame_key) {
		probe = first;
		stored = second;
	} else {
		probe = second;
		stored = first;
	}

	return probe->fid_persistent == stored->fid_persistent
	    && probe->fid_volatile == stored->fid_volatile
	    && probe->sesid == stored->sesid
	    && probe->tid == stored->tid
	    && stored->frame_beg <= probe->frame_key
	    && probe->frame_key <= stored->frame_end;
}
/*
 * Hash callback for file-id entries. The persistent id is hashed when it is
 * non-zero; otherwise the volatile id is used. Either way the two 32-bit
 * halves of the chosen 64-bit id are added and truncated to 32 bits.
 * Session id, tree id and the frame window take part in equality only.
 */
static unsigned
smb2_fid_info_hash(const void *k)
{
	const smb2_fid_info_t *entry = (const smb2_fid_info_t *)k;

	if (entry->fid_persistent != 0) {
		return (uint32_t)(((entry->fid_persistent >> 32) & 0xffffffff)
				  + (entry->fid_persistent & 0xffffffff));
	}
	return (uint32_t)(((entry->fid_volatile >> 32) & 0xffffffff)
			  + (entry->fid_volatile & 0xffffffff));
}
/*
 * Callback for destroying the glib hash tables associated with a
 * conversation. user_data is the smb2_conv_info_t whose matched and
 * unmatched tables are released.
 */
static bool
smb2_conv_destroy(wmem_allocator_t *allocator _U_, wmem_cb_event_t event _U_,
		  void *user_data)
{
	smb2_conv_info_t *conv_info = (smb2_conv_info_t *)user_data;

	g_hash_table_destroy(conv_info->matched);
	g_hash_table_destroy(conv_info->unmatched);

	/* This conversation is gone, return false to indicate we don't
	 * want to be called again for this conversation. */
	return false;
}
/*
 * Look up the session record for a session id, creating it on first use.
 *
 * A new record gets empty tid/fid/exported-file maps, "unknown" markers for
 * the authentication and session-key frames, and whatever key material
 * seskey_find_sid_key() has configured for this id. When a session key was
 * found, the current frame is recorded as the frame it applies from. The
 * server port is taken from the source port for responses and from the
 * destination port for requests.
 *
 * Returns the existing or newly inserted record; all allocations are
 * file-scoped.
 */
static smb2_sesid_info_t *
smb2_get_session(smb2_conv_info_t *conv _U_, uint64_t id, packet_info *pinfo, smb2_info_t *si)
{
	smb2_sesid_info_t  lookup_key = {.sesid = id};
	smb2_sesid_info_t *ses;

	ses = (smb2_sesid_info_t *)wmem_map_lookup(smb2_sessions, &lookup_key);
	if (ses != NULL) {
		return ses;
	}

	ses = wmem_new0(wmem_file_scope(), smb2_sesid_info_t);
	ses->sesid = id;
	ses->auth_frame = (uint32_t)-1;
	ses->tids = wmem_map_new(wmem_file_scope(), smb2_tid_info_hash, smb2_tid_info_equal);
	ses->fids = wmem_map_new(wmem_file_scope(), smb2_fid_info_hash, smb2_fid_info_equal);
	ses->files = wmem_map_new(wmem_file_scope(), smb2_eo_files_hash, smb2_eo_files_equal);

	/* Pick up user-supplied keys for this session id, if any were configured. */
	ses->session_key_frame = UINT32_MAX;
	seskey_find_sid_key(id,
			    ses->session_key,
			    &ses->session_key_len,
			    ses->client_decryption_key16,
			    ses->server_decryption_key16,
			    ses->client_decryption_key32,
			    ses->server_decryption_key32);

	if (pinfo && si) {
		if (ses->session_key_len != 0) {
			ses->session_key_frame = pinfo->num;
		}
		ses->server_port = (si->flags & SMB2_FLAGS_RESPONSE)
			? pinfo->srcport
			: pinfo->destport;
	}

	/* The record is its own key: hashing and equality read ses->sesid. */
	wmem_map_insert(smb2_sessions, ses, ses);

	return ses;
}
/*
 * Annotate a session-id item with what is known about the session.
 *
 * For each of account, domain and host name that is set, a generated string
 * field is added under ses_tree and a short " Acct:/Domain:/Host:" suffix is
 * appended to ses_item. The authentication frame is added as a generated
 * field when it is known. The names are passed as "%s" arguments, never as
 * the format string itself.
 *
 * Does nothing when ses is NULL.
 */
static void
smb2_add_session_info(proto_tree *ses_tree, proto_item *ses_item, tvbuff_t *tvb, int start, smb2_sesid_info_t *ses)
{
	proto_item *generated;

	if (ses == NULL) {
		return;
	}

	if (ses->acct_name != NULL) {
		generated = proto_tree_add_string(ses_tree, hf_smb2_acct_name, tvb, start, 0, ses->acct_name);
		proto_item_set_generated(generated);
		proto_item_append_text(ses_item, " Acct:%s", ses->acct_name);
	}

	if (ses->domain_name != NULL) {
		generated = proto_tree_add_string(ses_tree, hf_smb2_domain_name, tvb, start, 0, ses->domain_name);
		proto_item_set_generated(generated);
		proto_item_append_text(ses_item, " Domain:%s", ses->domain_name);
	}

	if (ses->host_name != NULL) {
		generated = proto_tree_add_string(ses_tree, hf_smb2_host_name, tvb, start, 0, ses->host_name);
		proto_item_set_generated(generated);
		proto_item_append_text(ses_item, " Host:%s", ses->host_name);
	}

	/* (uint32_t)-1 marks "authentication frame not seen". */
	if (ses->auth_frame != (uint32_t)-1) {
		generated = proto_tree_add_uint(ses_tree, hf_smb2_auth_frame, tvb, start, 0, ses->auth_frame);
		proto_item_set_generated(generated);
	}
}
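/*
 * Derive KO_len bytes of key material from the input key KI.
 *
 * This is a simplified version of "NIST Special Publication 800-108"
 * section 5.1 using hmac-sha256: a single HMAC-SHA256 invocation keyed with
 * KI over
 *
 *     counter(1, 32-bit big-endian) || Label || 0x00 || Context ||
 *     L (output length in bits, 32-bit big-endian)
 *
 * Only one PRF block is computed, so at most one SHA-256 digest worth of
 * output can be produced.
 *
 * The routine has no return value, so failure is signalled by leaving KO
 * all-zero: a failed derivation must not leave stale or uninitialised bytes
 * in a key buffer that is later used for decryption or signature checks.
 * XXX This routine should return a success/failure indication so callers
 * can report the failure.
 *
 * KI/KI_len:           input key
 * Label/Label_len:     purpose label, fed to the HMAC as given
 * Context/Context_len: context string, fed to the HMAC as given
 * KO/KO_len:           output buffer and number of bytes requested
 */
static void smb2_key_derivation(const uint8_t *KI, uint32_t KI_len,
			 const uint8_t *Label, uint32_t Label_len,
			 const uint8_t *Context, uint32_t Context_len,
			 uint8_t *KO, uint32_t KO_len)
{
	gcry_md_hd_t   hd = NULL;
	uint8_t        buf[4];
	const uint8_t *digest = NULL;
	uint32_t       L;
	bool           derived = false;

	if (KO == NULL || KO_len == 0) {
		return;
	}

	/* A single HMAC block cannot yield more than one digest; copying
	 * KO_len bytes from a shorter digest would read past its end. */
	if (KO_len > gcry_md_get_algo_dlen(GCRY_MD_SHA256)) {
		goto out;
	}

	if (gcry_md_open(&hd, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC) != 0) {
		hd = NULL;
		goto out;
	}
	if (gcry_md_setkey(hd, KI, KI_len) != 0) {
		goto out;
	}

	/* counter i = 1, as a 32-bit big-endian integer */
	memset(buf, 0, sizeof(buf));
	buf[3] = 1;
	gcry_md_write(hd, buf, sizeof(buf));
	gcry_md_write(hd, Label, Label_len);
	/* buf[0] is still zero: this writes the 0x00 separator */
	gcry_md_write(hd, buf, 1);
	gcry_md_write(hd, Context, Context_len);

	/* L = requested output length in bits, 32-bit big-endian */
	L = KO_len * 8;
	memset(buf, 0, sizeof(buf));
	buf[3] = ((L) >> (0)) & 0xff;
	buf[2] = ((L) >> (8)) & 0xff;
	gcry_md_write(hd, buf, sizeof(buf));

	digest = gcry_md_read(hd, GCRY_MD_SHA256);
	if (digest != NULL) {
		memcpy(KO, digest, KO_len);
		derived = true;
	}

out:
	if (!derived) {
		memset(KO, 0, KO_len);
	}
	if (hd != NULL) {
		/* digest points into the handle, so close only after the copy */
		gcry_md_close(hd);
	}
}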
/* for export-object-smb2 */

/*
 * Render the UUID part of a handle as text; the string is allocated from
 * pool. Other members of the handle do not contribute to the id.
 */
static char *policy_hnd_to_file_id(wmem_allocator_t *pool, const e_ctx_hnd *hnd) {
	char *file_id = guid_to_str(pool, &hnd->uuid);

	return file_id;
}
/*
 * Hash callback for the exported-files map: hashes the textual form of the
 * handle's UUID. The temporary string is packet-scoped.
 */
static unsigned smb2_eo_files_hash(const void *k) {
	const e_ctx_hnd *hnd = (const e_ctx_hnd *)k;
	const char *file_id = policy_hnd_to_file_id(wmem_packet_scope(), hnd);

	return g_str_hash(file_id);
}
/*
 * Equality callback for the exported-files map: two handles are equal when
 * every component of their UUID (data1, data2, data3 and the eight data4
 * bytes) is equal. Only the UUID is compared.
 */
static int smb2_eo_files_equal(const void *k1, const void *k2) {
	const e_ctx_hnd *lhs = (const e_ctx_hnd *)k1;
	const e_ctx_hnd *rhs = (const e_ctx_hnd *)k2;
	int idx;

	if (lhs->uuid.data1 != rhs->uuid.data1) {
		return 0;
	}
	if (lhs->uuid.data2 != rhs->uuid.data2) {
		return 0;
	}
	if (lhs->uuid.data3 != rhs->uuid.data3) {
		return 0;
	}
	for (idx = 0; idx < 8; idx++) {
		if (lhs->uuid.data4[idx] != rhs->uuid.data4[idx]) {
			return 0;
		}
	}
	return 1;
}
/*
 * Queue one chunk of file payload to the export-object tap.
 *
 * tvb/dataoffset/length locate the payload inside the packet and
 * file_offset is its position within the file. The smb_eo_t handed to the
 * tap is packet-scoped.
 *
 * The file name is taken from the name stored for the handle, with any
 * "File: " prefix removed and a leading backslash ensured; when no usable
 * name is stored, "File_Id_<uuid>" is used instead. The share name comes
 * from the tree record when it is between 1 and 256 bytes long, otherwise a
 * "\\<ip>\TREEID_<tid>" placeholder is built.
 *
 * NOTE(review): filename and hostname originate from captured traffic, so
 * they are untrusted text. Whatever consumes this tap and writes files to
 * disk has to sanitise them (path separators, "..", reserved names); that
 * code is outside this function.
 *
 * si->saved and si->eo_file_info are dereferenced without a check here;
 * presumably the callers guarantee both -- verify against the call sites.
 */
static void
feed_eo_smb2(tvbuff_t *tvb, packet_info *pinfo, smb2_info_t *si, uint16_t dataoffset, uint32_t length, uint64_t file_offset) {

	char      *fid_name = NULL;
	uint32_t   open_frame = 0, close_frame = 0;
	tvbuff_t  *data_tvb = NULL;
	smb_eo_t  *eo_info;
	char      *file_id;
	char      *auxstring;
	char     **aux_string_v;
	size_t     share_len;

	/* Create a new tvb to point to the payload data */
	data_tvb = tvb_new_subset_length(tvb, dataoffset, length);
	/* Create the eo_info to pass to the listener */
	eo_info = wmem_new(pinfo->pool, smb_eo_t);
	/* Fill in eo_info */
	eo_info->smbversion = 2;
	/* cmd == opcode */
	eo_info->cmd = si->opcode;
	/* We don't keep track of uid in SMB v2 */
	eo_info->uid = 0;

	/* Try to get file id and filename */
	file_id = policy_hnd_to_file_id(pinfo->pool, &si->saved->policy_hnd);
	dcerpc_fetch_polhnd_data(&si->saved->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num);
	if (!fid_name || g_strcmp0(fid_name, "File: ") == 0) {
		/* No usable name stored for this handle: fall back to the id. */
		auxstring = wmem_strdup_printf(pinfo->pool, "File_Id_%s", file_id);
		eo_info->filename = auxstring;
	} else {
		auxstring = fid_name;
		if (g_str_has_prefix(auxstring, "File: ")) {
			/* Remove "File: " from filename: keep the text after its
			 * last occurrence. The prefix test guarantees the split
			 * yields at least two pieces, so length-1 is a valid index. */
			aux_string_v = g_strsplit(auxstring, "File: ", -1);
			eo_info->filename = wmem_strdup_printf(pinfo->pool, "\\%s", aux_string_v[g_strv_length(aux_string_v)-1]);
			g_strfreev(aux_string_v);
		} else if (g_str_has_prefix(auxstring, "\\")) {
			eo_info->filename = wmem_strdup(pinfo->pool, auxstring);
		} else {
			eo_info->filename = wmem_strdup_printf(pinfo->pool, "\\%s", auxstring);
		}
	}

	/* The fid handed to the tap is a string hash, chosen by preference. */
	if (eosmb2_take_name_as_fid) {
		eo_info->fid = g_str_hash(eo_info->filename);
	} else {
		eo_info->fid = g_str_hash(file_id);
	}

	/* tid, hostname, tree_id */
	if (si->tree) {
		eo_info->tid = si->tree->tid;
		share_len = strlen(si->tree->name);
		if (share_len > 0 && share_len <= 256) {
			eo_info->hostname = wmem_strdup(pinfo->pool, si->tree->name);
		} else {
			eo_info->hostname = wmem_strdup_printf(pinfo->pool, "\\\\%s\\TREEID_%i", tree_ip_str(pinfo, si->opcode), si->tree->tid);
		}
	} else {
		eo_info->tid = 0;
		eo_info->hostname = wmem_strdup_printf(pinfo->pool, "\\\\%s\\TREEID_UNKNOWN", tree_ip_str(pinfo, si->opcode));
	}

	/* packet number */
	eo_info->pkt_num = pinfo->num;

	/* fid type */
	if (si->eo_file_info->attr_mask & SMB2_FLAGS_ATTR_DIRECTORY) {
		eo_info->fid_type = SMB2_FID_TYPE_DIR;
	} else if (si->eo_file_info->attr_mask &
		   (SMB2_FLAGS_ATTR_ARCHIVE | SMB2_FLAGS_ATTR_NORMAL |
		    SMB2_FLAGS_ATTR_HIDDEN | SMB2_FLAGS_ATTR_READONLY |
		    SMB2_FLAGS_ATTR_SYSTEM)) {
		eo_info->fid_type = SMB2_FID_TYPE_FILE;
	} else {
		eo_info->fid_type = SMB2_FID_TYPE_OTHER;
	}

	/* end_of_file */
	eo_info->end_of_file = si->eo_file_info->end_of_file;

	/* data offset and chunk length */
	eo_info->smb_file_offset = file_offset;
	eo_info->smb_chunk_len = length;
	/* XXX is this right? */
	if (length < si->saved->bytes_moved) {
		si->saved->file_offset = si->saved->file_offset + length;
		si->saved->bytes_moved = si->saved->bytes_moved - length;
	}

	/* Payload */
	eo_info->payload_len = length;
	eo_info->payload_data = tvb_get_ptr(data_tvb, 0, length);

	tap_queue_packet(smb2_eo_tap, pinfo, eo_info);
}
1938 static int dissect_smb2_file_full_ea_info(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*parent_tree
, int offset
, smb2_info_t
*si
);
1941 /* This is a helper to dissect the common string type
1947 * This function is called twice, first to decode the offset/length and
1948 * second time to dissect the actual string.
1949 * It is done this way since there is no guarantee that we have the full packet and we don't
1950 * want to abort dissection too early if the packet ends somewhere between the
1951 * length/offset and the actual buffer.
1954 enum offset_length_buffer_offset_size
{
1955 OLB_O_UINT16_S_UINT16
,
1956 OLB_O_UINT16_S_UINT32
,
1957 OLB_O_UINT8_P_UINT8_S_UINT32
,
1958 OLB_O_UINT32_S_UINT32
,
1959 OLB_S_UINT32_O_UINT32
1961 typedef struct _offset_length_buffer_t
{
1966 enum offset_length_buffer_offset_size offset_size
;
1968 } offset_length_buffer_t
;
/* Read the buffer-offset field of the given width and record where it sat. */
static int
smb2_olb_take_off(tvbuff_t *tvb, int offset, offset_length_buffer_t *olb, int width)
{
	switch (width) {
	case 1:
		olb->off = tvb_get_uint8(tvb, offset);
		break;
	case 2:
		olb->off = tvb_get_letohs(tvb, offset);
		break;
	default:
		olb->off = tvb_get_letohl(tvb, offset);
		break;
	}
	olb->off_offset = offset;
	return offset + width;
}

/* Read the buffer-length field of the given width and record where it sat. */
static int
smb2_olb_take_len(tvbuff_t *tvb, int offset, offset_length_buffer_t *olb, int width)
{
	if (width == 2) {
		olb->len = tvb_get_letohs(tvb, offset);
	} else {
		olb->len = tvb_get_letohl(tvb, offset);
	}
	olb->len_offset = offset;
	return offset + width;
}

/*
 * First half of the offset/length/buffer helper: decode the offset and
 * length fields at `offset` into olb and remember hfindex for the later
 * buffer dissection. offset_size selects the field order and widths; all
 * multi-byte fields are little-endian.
 *
 * The values stored in olb->off and olb->len come straight from the packet
 * and are not validated here; the buffer dissectors check them against the
 * tvb before use.
 *
 * Returns the offset just past the fields read. An offset_size outside the
 * enum reads nothing and returns offset unchanged.
 */
static int
dissect_smb2_olb_length_offset(tvbuff_t *tvb, int offset, offset_length_buffer_t *olb,
			       enum offset_length_buffer_offset_size offset_size, int hfindex)
{
	olb->hfindex = hfindex;
	olb->offset_size = offset_size;

	switch (offset_size) {
	case OLB_O_UINT16_S_UINT16:
		offset = smb2_olb_take_off(tvb, offset, olb, 2);
		offset = smb2_olb_take_len(tvb, offset, olb, 2);
		break;
	case OLB_O_UINT16_S_UINT32:
		offset = smb2_olb_take_off(tvb, offset, olb, 2);
		offset = smb2_olb_take_len(tvb, offset, olb, 4);
		break;
	case OLB_O_UINT8_P_UINT8_S_UINT32:
		offset = smb2_olb_take_off(tvb, offset, olb, 1);
		/* 1 byte reserved */
		offset += 1;
		offset = smb2_olb_take_len(tvb, offset, olb, 4);
		break;
	case OLB_O_UINT32_S_UINT32:
		offset = smb2_olb_take_off(tvb, offset, olb, 4);
		offset = smb2_olb_take_len(tvb, offset, olb, 4);
		break;
	case OLB_S_UINT32_O_UINT32:
		/* length comes first in this layout */
		offset = smb2_olb_take_len(tvb, offset, olb, 4);
		offset = smb2_olb_take_off(tvb, offset, olb, 4);
		break;
	}

	return offset;
}
2023 #define OLB_TYPE_UNICODE_STRING 0x01
2024 #define OLB_TYPE_ASCII_STRING 0x02
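/*
 * Second half of the offset/length/buffer helper for string buffers.
 *
 * `base` is added to olb->off (olb is modified), then the string at
 * [off, off+len) is added to parent_tree as olb->hfindex, decoded as
 * UTF-16LE for OLB_TYPE_UNICODE_STRING or ASCII for OLB_TYPE_ASCII_STRING.
 * The raw offset and length fields are then added beneath the string item,
 * using the positions recorded when they were read.
 *
 * off and len are packet-controlled. tvb_ensure_bytes_exist() is called
 * first and is expected to raise an exception when the range is not in the
 * buffer; the explicit range test that follows is a second line of defence.
 * That test is written without `off + len`, because adding two signed ints
 * taken from the wire can overflow, which is undefined behaviour and lets
 * the compiler drop the comparison.
 *
 * The expert item for a bad range is attached to parent_tree: the local
 * subtree does not exist yet at that point.
 *
 * Returns the decoded string (packet-scoped), or NULL when the range is
 * rejected or `type` is not one of the two string types.
 */
static const uint8_t *
dissect_smb2_olb_off_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int base, int type)
{
	int            len, off;
	proto_item    *item = NULL;
	proto_tree    *tree = NULL;
	const uint8_t *name = NULL;

	olb->off += base;

	len = olb->len;
	off = olb->off;

	/* sanity check */
	tvb_ensure_bytes_exist(tvb, off, len);
	if ((len < 0)
	    || (len > tvb_reported_length_remaining(tvb, off))) {
		proto_tree_add_expert_format(parent_tree, pinfo, &ei_smb2_invalid_length, tvb, off, -1,
				    "Invalid offset/length. Malformed packet");

		col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");

		return NULL;
	}

	switch (type) {
	case OLB_TYPE_UNICODE_STRING:
		item = proto_tree_add_item_ret_string(parent_tree,
		    olb->hfindex, tvb, off, len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
		    pinfo->pool, &name);
		tree = proto_item_add_subtree(item, ett_smb2_olb);
		break;
	case OLB_TYPE_ASCII_STRING:
		item = proto_tree_add_item_ret_string(parent_tree,
		    olb->hfindex, tvb, off, len, ENC_ASCII|ENC_NA,
		    pinfo->pool, &name);
		tree = proto_item_add_subtree(item, ett_smb2_olb);
		break;
	}

	/* Show the raw offset/length fields with the widths they had on the wire. */
	switch (olb->offset_size) {
	case OLB_O_UINT16_S_UINT16:
		proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
		break;
	case OLB_O_UINT16_S_UINT32:
		proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	case OLB_O_UINT8_P_UINT8_S_UINT32:
		proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 1, ENC_NA);
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, olb->off_offset+1, 1, ENC_NA);
		proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	case OLB_O_UINT32_S_UINT32:
		proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	case OLB_S_UINT32_O_UINT32:
		proto_tree_add_item(tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	}

	return name;
}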
/*
 * Dissect an offset/length string whose offset needs no adjustment:
 * forwards to dissect_smb2_olb_off_string() with a base of 0 and returns
 * its result.
 */
static const uint8_t *
dissect_smb2_olb_string(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, offset_length_buffer_t *olb, int type)
{
	const int no_base = 0;
	const uint8_t *decoded;

	decoded = dissect_smb2_olb_off_string(pinfo, parent_tree, tvb, olb, no_base, type);
	return decoded;
}
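/*
 * Second half of the offset/length/buffer helper for opaque buffers.
 *
 * Adds the raw offset/length fields to parent_tree, then (unless
 * olb->hfindex is -1) an item covering the buffer, and finally hands a
 * sub-tvb of the buffer to `dissector`, if one was given.
 *
 * off and len are packet-controlled. tvb_ensure_bytes_exist() is called
 * first and is expected to raise an exception when the range is not in the
 * buffer; the explicit range test that follows is a second line of defence.
 * That test is written without `off + len`, because adding two signed ints
 * taken from the wire can overflow, which is undefined behaviour and lets
 * the compiler drop the comparison.
 *
 * The sub-tvb's captured length is capped at what was actually captured,
 * while its reported length stays `len`, so the callee sees a truncated
 * buffer rather than reading beyond the capture.
 */
static void
dissect_smb2_olb_buffer(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb,
			offset_length_buffer_t *olb, smb2_info_t *si,
			void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si))
{
	int         len, off;
	proto_item *sub_item = NULL;
	proto_tree *sub_tree = NULL;
	tvbuff_t   *sub_tvb  = NULL;
	int         offset;

	offset = olb->off;
	len    = olb->len;
	off    = olb->off;

	/* sanity check */
	tvb_ensure_bytes_exist(tvb, off, len);
	if ((len < 0)
	    || (len > tvb_reported_length_remaining(tvb, off))) {
		proto_tree_add_expert_format(parent_tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				    "Invalid offset/length. Malformed packet");

		col_append_str(pinfo->cinfo, COL_INFO, " [Malformed packet]");

		return;
	}

	/* Show the raw offset/length fields with the widths they had on the wire. */
	switch (olb->offset_size) {
	case OLB_O_UINT16_S_UINT16:
		proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 2, ENC_LITTLE_ENDIAN);
		break;
	case OLB_O_UINT16_S_UINT32:
		proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 2, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	case OLB_O_UINT8_P_UINT8_S_UINT32:
		proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 1, ENC_NA);
		proto_tree_add_item(parent_tree, hf_smb2_reserved, tvb, olb->off_offset+1, 1, ENC_NA);
		proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	case OLB_O_UINT32_S_UINT32:
		proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	case OLB_S_UINT32_O_UINT32:
		proto_tree_add_item(parent_tree, hf_smb2_olb_length, tvb, olb->len_offset, 4, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(parent_tree, hf_smb2_olb_offset, tvb, olb->off_offset, 4, ENC_LITTLE_ENDIAN);
		break;
	}

	/* if we don't want/need a subtree */
	if (olb->hfindex == -1) {
		sub_item = parent_tree;
		sub_tree = parent_tree;
	} else {
		if (parent_tree) {
			sub_item = proto_tree_add_item(parent_tree, olb->hfindex, tvb, offset, len, ENC_NA);
			sub_tree = proto_item_add_subtree(sub_item, ett_smb2_olb);
		}
	}

	/* A zero offset or zero length means the buffer is absent. */
	if (off == 0 || len == 0) {
		proto_item_append_text(sub_item, ": NO DATA");
		return;
	}

	if (!dissector) {
		return;
	}

	sub_tvb = tvb_new_subset_length_caplen(tvb, off, MIN((int)len, tvb_captured_length_remaining(tvb, off)), len);

	dissector(sub_tvb, pinfo, sub_tree, si);
}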
/*
 * Return the larger of `offset` and the end of the buffer described by olb
 * (off + len). A buffer offset of 0 means "no buffer", in which case
 * `offset` is returned unchanged.
 *
 * NOTE(review): off and len are values read from the packet. Their sum is
 * computed before the cast to int, so presumably it can wrap or turn
 * negative for hostile inputs; callers should treat the result as a hint
 * and still bounds-check against the tvb -- confirm at the call sites.
 */
static int
dissect_smb2_olb_tvb_max_offset(int offset, offset_length_buffer_t *olb)
{
	int buffer_end;

	if (olb->off == 0) {
		return offset;
	}

	buffer_end = (int)(olb->off + olb->len);
	return (offset > buffer_end) ? offset : buffer_end;
}
2185 typedef struct _smb2_function
{
2186 int (*request
) (tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, smb2_info_t
*si
);
2187 int (*response
)(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, smb2_info_t
*si
);
2190 static const true_false_string tfs_smb2_svhdx_has_initiator_id
= {
2191 "Has an initiator id",
2192 "Does not have an initiator id"
2195 static const true_false_string tfs_flags_response
= {
2196 "This is a RESPONSE",
/*
 * Display strings for single-bit fields: .true_string is shown when the bit
 * is set, .false_string when it is clear.
 */

/* SMB2 header flag bits */
static const true_false_string tfs_flags_async_cmd = {
	.true_string  = "This is an ASYNC command",
	.false_string = "This is a SYNC command"
};

static const true_false_string tfs_flags_dfs_op = {
	.true_string  = "This is a DFS OPERATION",
	.false_string = "This is a normal operation"
};

static const true_false_string tfs_flags_chained = {
	.true_string  = "This pdu is a CHAINED command",
	.false_string = "This pdu is NOT a chained command"
};

static const true_false_string tfs_flags_signature = {
	.true_string  = "This pdu is SIGNED",
	.false_string = "This pdu is NOT signed"
};

static const true_false_string tfs_flags_replay_operation = {
	.true_string  = "This is a REPLAY OPERATION",
	.false_string = "This is NOT a replay operation"
};

static const true_false_string tfs_flags_priority_mask = {
	.true_string  = "This pdu contains a PRIORITY",
	.false_string = "This pdu does NOT contain a PRIORITY"
};

/* Capability bits */
static const true_false_string tfs_cap_dfs = {
	.true_string  = "This host supports DFS",
	.false_string = "This host does NOT support DFS"
};

static const true_false_string tfs_cap_leasing = {
	.true_string  = "This host supports LEASING",
	.false_string = "This host does NOT support LEASING"
};

static const true_false_string tfs_cap_large_mtu = {
	.true_string  = "This host supports LARGE_MTU",
	.false_string = "This host does NOT support LARGE_MTU"
};

static const true_false_string tfs_cap_multi_channel = {
	.true_string  = "This host supports MULTI CHANNEL",
	.false_string = "This host does NOT support MULTI CHANNEL"
};

static const true_false_string tfs_cap_persistent_handles = {
	.true_string  = "This host supports PERSISTENT HANDLES",
	.false_string = "This host does NOT support PERSISTENT HANDLES"
};

static const true_false_string tfs_cap_directory_leasing = {
	.true_string  = "This host supports DIRECTORY LEASING",
	.false_string = "This host does NOT support DIRECTORY LEASING"
};

static const true_false_string tfs_cap_encryption = {
	.true_string  = "This host supports ENCRYPTION",
	.false_string = "This host does NOT support ENCRYPTION"
};

static const true_false_string tfs_cap_notifications = {
	.true_string  = "This host supports receiving NOTIFICATIONS",
	.false_string = "This host does NOT support receiving NOTIFICATIONS"
};

/* Network interface capability bits */
static const true_false_string tfs_smb2_ioctl_network_interface_capability_rss = {
	.true_string  = "This interface supports RSS",
	.false_string = "This interface does not support RSS"
};

static const true_false_string tfs_smb2_ioctl_network_interface_capability_rdma = {
	.true_string  = "This interface supports RDMA",
	.false_string = "This interface does not support RDMA"
};
2280 static const value_string file_region_usage_vals
[] = {
2281 { 0x00000001, "FILE_REGION_USAGE_VALID_CACHED_DATA" },
2285 static const value_string originator_flags_vals
[] = {
2286 { 1, "SVHDX_ORIGINATOR_PVHDPARSER" },
2287 { 4, "SVHDX_ORIGINATOR_VHDMP" },
2291 static const value_string compression_format_vals
[] = {
2292 { 0, "COMPRESSION_FORMAT_NONE" },
2293 { 1, "COMPRESSION_FORMAT_DEFAULT" },
2294 { 2, "COMPRESSION_FORMAT_LZNT1" },
2298 static const value_string checksum_algorithm_vals
[] = {
2299 { 0x0000, "CHECKSUM_TYPE_NONE" },
2300 { 0x0002, "CHECKSUM_TYPE_CRC64" },
2301 { 0xFFFF, "CHECKSUM_TYPE_UNCHANGED" },
2305 /* Note: All uncommented are "dissector not implemented" */
2306 static const value_string smb2_ioctl_vals
[] = {
2307 {0x00060194, "FSCTL_DFS_GET_REFERRALS"}, /* dissector implemented */
2308 {0x000601B0, "FSCTL_DFS_GET_REFERRALS_EX"},
2309 {0x00090000, "FSCTL_REQUEST_OPLOCK_LEVEL_1"},
2310 {0x00090004, "FSCTL_REQUEST_OPLOCK_LEVEL_2"},
2311 {0x00090008, "FSCTL_REQUEST_BATCH_OPLOCK"},
2312 {0x0009000C, "FSCTL_OPLOCK_BREAK_ACKNOWLEDGE"},
2313 {0x00090010, "FSCTL_OPBATCH_ACK_CLOSE_PENDING"},
2314 {0x00090014, "FSCTL_OPLOCK_BREAK_NOTIFY"},
2315 {0x00090018, "FSCTL_LOCK_VOLUME"},
2316 {0x0009001C, "FSCTL_UNLOCK_VOLUME"},
2317 {0x00090020, "FSCTL_DISMOUNT_VOLUME"},
2318 {0x00090028, "FSCTL_IS_VOLUME_MOUNTED"},
2319 {0x0009002C, "FSCTL_IS_PATHNAME_VALID"},
2320 {0x00090030, "FSCTL_MARK_VOLUME_DIRTY"},
2321 {0x0009003B, "FSCTL_QUERY_RETRIEVAL_POINTERS"},
2322 {0x0009003C, "FSCTL_GET_COMPRESSION"}, /* dissector implemented */
2323 {0x0009004F, "FSCTL_MARK_AS_SYSTEM_HIVE"},
2324 {0x00090050, "FSCTL_OPLOCK_BREAK_ACK_NO_2"},
2325 {0x00090054, "FSCTL_INVALIDATE_VOLUMES"},
2326 {0x00090058, "FSCTL_QUERY_FAT_BPB"},
2327 {0x0009005C, "FSCTL_REQUEST_FILTER_OPLOCK"},
2328 {0x00090060, "FSCTL_FILESYSTEM_GET_STATISTICS"},
2329 {0x00090064, "FSCTL_GET_NTFS_VOLUME_DATA"},
2330 {0x00090068, "FSCTL_GET_NTFS_FILE_RECORD"},
2331 {0x0009006F, "FSCTL_GET_VOLUME_BITMAP"},
2332 {0x00090073, "FSCTL_GET_RETRIEVAL_POINTERS"},
2333 {0x00090074, "FSCTL_MOVE_FILE"},
2334 {0x00090078, "FSCTL_IS_VOLUME_DIRTY"},
2335 {0x0009007C, "FSCTL_GET_HFS_INFORMATION"},
2336 {0x00090083, "FSCTL_ALLOW_EXTENDED_DASD_IO"},
2337 {0x00090087, "FSCTL_READ_PROPERTY_DATA"},
2338 {0x0009008B, "FSCTL_WRITE_PROPERTY_DATA"},
2339 {0x0009008F, "FSCTL_FIND_FILES_BY_SID"},
2340 {0x00090097, "FSCTL_DUMP_PROPERTY_DATA"},
2341 {0x0009009C, "FSCTL_GET_OBJECT_ID"}, /* dissector implemented */
2342 {0x000900A4, "FSCTL_SET_REPARSE_POINT"}, /* dissector implemented */
2343 {0x000900A8, "FSCTL_GET_REPARSE_POINT"}, /* dissector implemented */
2344 {0x000900C0, "FSCTL_CREATE_OR_GET_OBJECT_ID"}, /* dissector implemented */
2345 {0x000900C4, "FSCTL_SET_SPARSE"}, /* dissector implemented */
2346 {0x000900D4, "FSCTL_SET_ENCRYPTION"},
2347 {0x000900DB, "FSCTL_ENCRYPTION_FSCTL_IO"},
2348 {0x000900DF, "FSCTL_WRITE_RAW_ENCRYPTED"},
2349 {0x000900E3, "FSCTL_READ_RAW_ENCRYPTED"},
2350 {0x000900F0, "FSCTL_EXTEND_VOLUME"},
2351 {0x00090244, "FSCTL_CSV_TUNNEL_REQUEST"},
2352 {0x0009027C, "FSCTL_GET_INTEGRITY_INFORMATION"},
2353 {0x00090284, "FSCTL_QUERY_FILE_REGIONS"}, /* dissector implemented */
2354 {0x000902c8, "FSCTL_CSV_SYNC_TUNNEL_REQUEST"},
2355 {0x00090300, "FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT"}, /* dissector implemented */
2356 {0x00090304, "FSCTL_SVHDX_SYNC_TUNNEL_REQUEST"}, /* dissector implemented */
2357 {0x00090308, "FSCTL_SVHDX_SET_INITIATOR_INFORMATION"},
2358 {0x0009030C, "FSCTL_SET_EXTERNAL_BACKING"},
2359 {0x00090310, "FSCTL_GET_EXTERNAL_BACKING"},
2360 {0x00090314, "FSCTL_DELETE_EXTERNAL_BACKING"},
2361 {0x00090318, "FSCTL_ENUM_EXTERNAL_BACKING"},
2362 {0x0009031F, "FSCTL_ENUM_OVERLAY"},
2363 {0x00090350, "FSCTL_STORAGE_QOS_CONTROL"}, /* dissector implemented */
2364 {0x00090364, "FSCTL_SVHDX_ASYNC_TUNNEL_REQUEST"}, /* dissector implemented */
2365 {0x00090380, "FSCTL_SET_INTEGRITY_INFORMATION_EX"}, /* dissector implemented */
2366 {0x00090440, "FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT"}, /* dissector implemented */
2367 {0x000940B3, "FSCTL_ENUM_USN_DATA"},
2368 {0x000940B7, "FSCTL_SECURITY_ID_CHECK"},
2369 {0x000940BB, "FSCTL_READ_USN_JOURNAL"},
2370 {0x000940CF, "FSCTL_QUERY_ALLOCATED_RANGES"}, /* dissector implemented */
2371 {0x000940E7, "FSCTL_CREATE_USN_JOURNAL"},
2372 {0x000940EB, "FSCTL_READ_FILE_USN_DATA"},
2373 {0x000940EF, "FSCTL_WRITE_USN_CLOSE_RECORD"},
2374 {0x00094264, "FSCTL_OFFLOAD_READ"}, /* dissector implemented */
2375 {0x00098098, "FSCTL_SET_OBJECT_ID"}, /* dissector implemented */
2376 {0x000980A0, "FSCTL_DELETE_OBJECT_ID"}, /* no data in/out */
2377 {0x000980A4, "FSCTL_SET_REPARSE_POINT"},
2378 {0x000980AC, "FSCTL_DELETE_REPARSE_POINT"},
2379 {0x000980BC, "FSCTL_SET_OBJECT_ID_EXTENDED"}, /* dissector implemented */
2380 {0x000980C8, "FSCTL_SET_ZERO_DATA"}, /* dissector implemented */
2381 {0x000980D0, "FSCTL_ENABLE_UPGRADE"},
2382 {0x00098208, "FSCTL_FILE_LEVEL_TRIM"},
2383 {0x00098268, "FSCTL_OFFLOAD_WRITE"}, /* dissector implemented */
2384 {0x0009C040, "FSCTL_SET_COMPRESSION"}, /* dissector implemented */
2385 {0x0009C280, "FSCTL_SET_INTEGRITY_INFORMATION"}, /* dissector implemented */
2386 {0x00110018, "FSCTL_PIPE_WAIT"}, /* dissector implemented */
2387 {0x0011400C, "FSCTL_PIPE_PEEK"},
2388 {0x0011C017, "FSCTL_PIPE_TRANSCEIVE"}, /* dissector implemented */
2389 {0x00140078, "FSCTL_SRV_REQUEST_RESUME_KEY"},
2390 {0x001401D4, "FSCTL_LMR_REQUEST_RESILIENCY"}, /* dissector implemented */
2391 {0x001401FC, "FSCTL_QUERY_NETWORK_INTERFACE_INFO"}, /* dissector implemented */
2392 {0x00140200, "FSCTL_VALIDATE_NEGOTIATE_INFO_224"}, /* dissector implemented */
2393 {0x00140204, "FSCTL_VALIDATE_NEGOTIATE_INFO"}, /* dissector implemented */
2394 {0x00144064, "FSCTL_SRV_ENUMERATE_SNAPSHOTS"}, /* dissector implemented */
2395 {0x001440F2, "FSCTL_SRV_COPYCHUNK"},
2396 {0x001441bb, "FSCTL_SRV_READ_HASH"},
2397 {0x001480F2, "FSCTL_SRV_COPYCHUNK_WRITE"},
2400 static value_string_ext smb2_ioctl_vals_ext
= VALUE_STRING_EXT_INIT(smb2_ioctl_vals
);
2402 static const value_string smb2_ioctl_device_vals
[] = {
2404 { 0x0002, "CD_ROM" },
2405 { 0x0003, "CD_ROM_FILE_SYSTEM" },
2406 { 0x0004, "CONTROLLER" },
2407 { 0x0005, "DATALINK" },
2410 { 0x0008, "DISK_FILE_SYSTEM" },
2411 { 0x0009, "FILE_SYSTEM" },
2412 { 0x000a, "INPORT_PORT" },
2413 { 0x000b, "KEYBOARD" },
2414 { 0x000c, "MAILSLOT" },
2415 { 0x000d, "MIDI_IN" },
2416 { 0x000e, "MIDI_OUT" },
2417 { 0x000f, "MOUSE" },
2418 { 0x0010, "MULTI_UNC_PROVIDER" },
2419 { 0x0011, "NAMED_PIPE" },
2420 { 0x0012, "NETWORK" },
2421 { 0x0013, "NETWORK_BROWSER" },
2422 { 0x0014, "NETWORK_FILE_SYSTEM" },
2424 { 0x0016, "PARALLEL_PORT" },
2425 { 0x0017, "PHYSICAL_NETCARD" },
2426 { 0x0018, "PRINTER" },
2427 { 0x0019, "SCANNER" },
2428 { 0x001a, "SERIAL_MOUSE_PORT" },
2429 { 0x001b, "SERIAL_PORT" },
2430 { 0x001c, "SCREEN" },
2431 { 0x001d, "SOUND" },
2432 { 0x001e, "STREAMS" },
2434 { 0x0020, "TAPE_FILE_SYSTEM" },
2435 { 0x0021, "TRANSPORT" },
2436 { 0x0022, "UNKNOWN" },
2437 { 0x0023, "VIDEO" },
2438 { 0x0024, "VIRTUAL_DISK" },
2439 { 0x0025, "WAVE_IN" },
2440 { 0x0026, "WAVE_OUT" },
2441 { 0x0027, "8042_PORT" },
2442 { 0x0028, "NETWORK_REDIRECTOR" },
2443 { 0x0029, "BATTERY" },
2444 { 0x002a, "BUS_EXTENDER" },
2445 { 0x002b, "MODEM" },
2447 { 0x002d, "MASS_STORAGE" },
2450 { 0x0030, "CHANGER" },
2451 { 0x0031, "SMARTCARD" },
2454 { 0x0034, "FULLSCREEN_VIDEO" },
2455 { 0x0035, "DFS_FILE_SYSTEM" },
2456 { 0x0036, "DFS_VOLUME" },
2457 { 0x0037, "SERENUM" },
2458 { 0x0038, "TERMSRV" },
2462 static value_string_ext smb2_ioctl_device_vals_ext
= VALUE_STRING_EXT_INIT(smb2_ioctl_device_vals
);
2464 static const value_string smb2_ioctl_access_vals
[] = {
2465 { 0x00, "FILE_ANY_ACCESS" },
2466 { 0x01, "FILE_READ_ACCESS" },
2467 { 0x02, "FILE_WRITE_ACCESS" },
2468 { 0x03, "FILE_READ_WRITE_ACCESS" },
2472 static const value_string smb2_ioctl_method_vals
[] = {
2473 { 0x00, "METHOD_BUFFERED" },
2474 { 0x01, "METHOD_IN_DIRECT" },
2475 { 0x02, "METHOD_OUT_DIRECT" },
2476 { 0x03, "METHOD_NEITHER" },
2480 static const value_string smb2_ioctl_shared_virtual_disk_vals
[] = {
2481 { 0x01, "SharedVirtualDisksSupported" },
2482 { 0x07, "SharedVirtualDiskCDPSnapshotsSupported" },
2486 static const value_string smb2_ioctl_shared_virtual_disk_hstate_vals
[] = {
2487 { 0x00, "HandleStateNone" },
2488 { 0x01, "HandleStateFileShared" },
2489 { 0x03, "HandleStateShared" },
/*
 * this is called from both smb and smb2.
 *
 * Dissect the 4-byte little-endian ioctl/FSCTL control code at `offset`.
 * The code is stored through ioctlfunc when that pointer is non-NULL. For a
 * non-zero code the device, access, function and method bit-fields are
 * added under the item. The Info column gets the FSCTL name when the code
 * is in smb2_ioctl_vals; otherwise it gets the device name (bits 16..31)
 * and the raw function number (bits 2..13).
 *
 * Returns offset + 4.
 */
int
dissect_smb2_ioctl_function(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, uint32_t *ioctlfunc)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	uint32_t    ioctl_function;
	const char *unknown = "unknown";
	const char *ioctl_name;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_ioctl_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		tree = proto_item_add_subtree(item, ett_smb2_ioctl_function);
	}

	ioctl_function = tvb_get_letohl(tvb, offset);
	if (ioctlfunc) {
		*ioctlfunc = ioctl_function;
	}

	if (ioctl_function == 0) {
		return offset + 4;
	}

	/*
	 * val_to_str_const() doesn't work with a unknown == NULL, so a
	 * sentinel string is passed in and recognised by pointer identity.
	 */
	ioctl_name = val_to_str_ext_const(ioctl_function,
					  &smb2_ioctl_vals_ext,
					  unknown);
	if (ioctl_name == unknown) {
		ioctl_name = NULL;
	}

	if (ioctl_name != NULL) {
		col_append_fstr(
			pinfo->cinfo, COL_INFO, " %s", ioctl_name);
	}

	/* device */
	proto_tree_add_item(tree, hf_smb2_ioctl_function_device, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	if (ioctl_name == NULL) {
		col_append_fstr(
			pinfo->cinfo, COL_INFO, " %s",
			val_to_str_ext((ioctl_function>>16)&0xffff, &smb2_ioctl_device_vals_ext,
			"Unknown (0x%08X)"));
	}

	/* access */
	proto_tree_add_item(tree, hf_smb2_ioctl_function_access, tvb, offset, 4, ENC_LITTLE_ENDIAN);

	/* function */
	proto_tree_add_item(tree, hf_smb2_ioctl_function_function, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	if (ioctl_name == NULL) {
		col_append_fstr(
			pinfo->cinfo, COL_INFO, " Function:0x%04x",
			(ioctl_function>>2)&0x0fff);
	}

	/* method */
	proto_tree_add_item(tree, hf_smb2_ioctl_function_method, tvb, offset, 4, ENC_LITTLE_ENDIAN);

	return offset + 4;
}
2556 /* fake the dce/rpc support structures so we can piggy back on
2557 * dissect_nt_policy_hnd() since this will allow us
2558 * a cheap way to track where FIDs are opened, closed
2559 * and fid->filename mappings
2560 * if we want to do those things in the future.
/* Values for the mode argument of dissect_smb2_fid(). */
#define FID_MODE_OPEN		0
#define FID_MODE_CLOSE		1
#define FID_MODE_USE		2
#define FID_MODE_DHNQ		3
#define FID_MODE_DHNC		4
/*
 * Dissect the 16-byte SMB2 FileId at offset and keep per-capture state for it.
 *
 * The two 64-bit halves (persistent, volatile), the session and tree ids from
 * si and the current frame number are copied into sfi_key, which is the
 * lookup key into si->session->fids. The handle itself is displayed through
 * dissect_nt_guid_hnd() using a faked DCE/RPC context (drep, di, call_data);
 * di and call_data are function-static, so every call shares them.
 *
 * mode is one of the FID_MODE_* values; the calls visible here pass
 * PIDL_POLHND_OPEN, PIDL_POLHND_CLOSE or PIDL_POLHND_USE to
 * dissect_nt_guid_hnd().
 *
 * On the first pass over a frame (!pinfo->fd->visited) the open path
 * allocates file-scoped smb2_fid_info_t and smb2_eo_file_info_t records and
 * inserts them into si->session->fids / si->session->files, and a CRC-32
 * over the sum of uuid.data1, data2 and data3 is stored in
 * si->saved->fid_hash.
 *
 * NOTE(review): si->session is dereferenced and wmem_map_lookup() results
 * are used shortly after the call; every value in the key comes from the
 * capture, so confirm that each use is guarded against a NULL session and
 * against a lookup miss.
 */
2568 dissect_smb2_fid(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, smb2_info_t
*si
, int mode
)
2570 uint8_t drep
[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
2571 static dcerpc_info di
; /* fake dcerpc_info struct */
2572 static dcerpc_call_value call_data
;
2573 e_ctx_hnd policy_hnd
= {0, DCERPC_UUID_NULL
};
2574 e_ctx_hnd
*policy_hnd_hashtablekey
;
2575 proto_item
*hnd_item
= NULL
;
2577 uint32_t open_frame
= 0, close_frame
= 0;
2578 smb2_eo_file_info_t
*eo_file_info
;
2579 smb2_fid_info_t sfi_key
;
2580 smb2_fid_info_t
*sfi
= NULL
;
2584 memset(&sfi_key
, 0, sizeof(sfi_key
));
2585 sfi_key
.fid_persistent
= tvb_get_letoh64(tvb
, offset
);
2586 sfi_key
.fid_volatile
= tvb_get_letoh64(tvb
, offset
+8);
2587 sfi_key
.sesid
= si
->sesid
;
2588 sfi_key
.tid
= si
->tid
;
2589 sfi_key
.frame_key
= pinfo
->num
;
2590 sfi_key
.name
= NULL
;
2592 di
.conformant_run
= 0;
2593 /* we need di->call_data->flags.NDR64 == 0 */
2594 di
.call_data
= &call_data
;
2598 offset
= dissect_nt_guid_hnd(tvb
, offset
, pinfo
, tree
, &di
, drep
, hf_smb2_fid
, &policy_hnd
, &hnd_item
, PIDL_POLHND_OPEN
);
2599 if (!pinfo
->fd
->visited
) {
2600 sfi
= wmem_new(wmem_file_scope(), smb2_fid_info_t
);
2603 sfi
->frame_beg
= si
->saved
? si
->saved
->frame_req
: pinfo
->num
;
2604 sfi
->frame_end
= UINT32_MAX
;
2606 if (si
->saved
&& si
->saved
->extra_info_type
== SMB2_EI_FILENAME
) {
2607 sfi
->name
= wmem_strdup(wmem_file_scope(), (char *)si
->saved
->extra_info
);
2609 sfi
->name
= wmem_strdup_printf(wmem_file_scope(), "[unknown]");
2612 if (si
->saved
&& si
->saved
->extra_info_type
== SMB2_EI_FILENAME
) {
2613 fid_name
= wmem_strdup_printf(wmem_file_scope(), "File: %s", (char *)si
->saved
->extra_info
);
2615 fid_name
= wmem_strdup_printf(wmem_file_scope(), "File: ");
2617 dcerpc_store_polhnd_name(&policy_hnd
, pinfo
,
2620 wmem_map_insert(si
->session
->fids
, sfi
, sfi
);
2623 /* If needed, create the file entry and save the policy hnd */
2625 si
->saved
->file
= sfi
;
2626 si
->saved
->policy_hnd
= policy_hnd
;
2630 eo_file_info
= (smb2_eo_file_info_t
*)wmem_map_lookup(si
->session
->files
,&policy_hnd
);
2631 if (!eo_file_info
) {
2632 eo_file_info
= wmem_new(wmem_file_scope(), smb2_eo_file_info_t
);
2633 policy_hnd_hashtablekey
= wmem_new(wmem_file_scope(), e_ctx_hnd
);
2634 memcpy(policy_hnd_hashtablekey
, &policy_hnd
, sizeof(e_ctx_hnd
));
2635 eo_file_info
->end_of_file
=0;
2636 wmem_map_insert(si
->session
->files
,policy_hnd_hashtablekey
,eo_file_info
);
2638 si
->eo_file_info
=eo_file_info
;
2642 case FID_MODE_CLOSE
:
2643 if (!pinfo
->fd
->visited
) {
2644 smb2_fid_info_t
*fid
= (smb2_fid_info_t
*)wmem_map_lookup(si
->session
->fids
, &sfi_key
);
2646 /* set last frame */
2647 fid
->frame_end
= pinfo
->num
;
2650 offset
= dissect_nt_guid_hnd(tvb
, offset
, pinfo
, tree
, &di
, drep
, hf_smb2_fid
, &policy_hnd
, &hnd_item
, PIDL_POLHND_CLOSE
);
2655 offset
= dissect_nt_guid_hnd(tvb
, offset
, pinfo
, tree
, &di
, drep
, hf_smb2_fid
, &policy_hnd
, &hnd_item
, PIDL_POLHND_USE
);
2659 si
->file
= (smb2_fid_info_t
*)wmem_map_lookup(si
->session
->fids
, &sfi_key
);
2662 si
->saved
->file
= si
->file
;
2664 if (si
->file
->name
) {
2666 proto_item_append_text(hnd_item
, " File: %s", si
->file
->name
);
2668 col_append_fstr(pinfo
->cinfo
, COL_INFO
, " File: %s", si
->file
->name
);
2672 if (dcerpc_fetch_polhnd_data(&policy_hnd
, &fid_name
, NULL
, &open_frame
, &close_frame
, pinfo
->num
)) {
2673 /* look for the eo_file_info */
2674 if (!si
->eo_file_info
) {
2675 if (si
->saved
) { si
->saved
->policy_hnd
= policy_hnd
; }
2677 eo_file_info
= (smb2_eo_file_info_t
*)wmem_map_lookup(si
->session
->files
,&policy_hnd
);
2679 si
->eo_file_info
=eo_file_info
;
2680 } else { /* XXX This should never happen */
2681 eo_file_info
= wmem_new(wmem_file_scope(), smb2_eo_file_info_t
);
2682 policy_hnd_hashtablekey
= wmem_new(wmem_file_scope(), e_ctx_hnd
);
2683 memcpy(policy_hnd_hashtablekey
, &policy_hnd
, sizeof(e_ctx_hnd
));
2684 eo_file_info
->end_of_file
=0;
2685 wmem_map_insert(si
->session
->files
,policy_hnd_hashtablekey
,eo_file_info
);
2690 /* Calculate GUID (FID) hash
2691 * This provides hash that can be filtered on to provide the SMB2 requests and responses
2692 * associated with a given FID. Note that filtering instead on the FID only returns the CREATE
2693 * response, and SMB2 requests but not their responses.
2695 if(!pinfo
->fd
->visited
&& si
->saved
2696 && policy_hnd
.uuid
.data1
> 0
2697 && policy_hnd
.uuid
.data1
< 0xffffffff) {
2698 pol_uuid
= policy_hnd
.uuid
.data1
+ policy_hnd
.uuid
.data2
+ policy_hnd
.uuid
.data3
;
2699 for(int i
= 0; i
< 8; i
++) {
2700 buf
[i
] = (pol_uuid
>> (56 - i
* 8)) & 0xFF;
2702 si
->saved
->fid_hash
= crc32_ccitt(buf
, 8);
/* File attribute bits ([MS-FSCC] File Attributes). */
#define SMB2_FSCC_FILE_ATTRIBUTE_READ_ONLY		0x00000001
#define SMB2_FSCC_FILE_ATTRIBUTE_HIDDEN			0x00000002
#define SMB2_FSCC_FILE_ATTRIBUTE_SYSTEM			0x00000004
#define SMB2_FSCC_FILE_ATTRIBUTE_DIRECTORY		0x00000010
#define SMB2_FSCC_FILE_ATTRIBUTE_ARCHIVE		0x00000020
#define SMB2_FSCC_FILE_ATTRIBUTE_NORMAL			0x00000080
#define SMB2_FSCC_FILE_ATTRIBUTE_TEMPORARY		0x00000100
#define SMB2_FSCC_FILE_ATTRIBUTE_SPARSE_FILE		0x00000200
#define SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT		0x00000400
#define SMB2_FSCC_FILE_ATTRIBUTE_COMPRESSED		0x00000800
#define SMB2_FSCC_FILE_ATTRIBUTE_OFFLINE		0x00001000
#define SMB2_FSCC_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED	0x00002000
#define SMB2_FSCC_FILE_ATTRIBUTE_ENCRYPTED		0x00004000
#define SMB2_FSCC_FILE_ATTRIBUTE_INTEGRITY_STREAM	0x00008000
#define SMB2_FSCC_FILE_ATTRIBUTE_NO_SCRUB_DATA		0x00020000
2725 static const true_false_string tfs_fscc_file_attribute_reparse
= {
2726 "Has an associated REPARSE POINT",
2727 "Does NOT have an associated reparse point"
2729 static const true_false_string tfs_fscc_file_attribute_compressed
= {
2733 static const true_false_string tfs_fscc_file_attribute_offline
= {
2737 static const true_false_string tfs_fscc_file_attribute_not_content_indexed
= {
2738 "Is not indexed by the content indexing service",
2739 "Is indexed by the content indexing service"
2741 static const true_false_string tfs_fscc_file_attribute_integrity_stream
= {
2742 "Has Integrity Support",
2743 "Does NOT have Integrity Support"
2745 static const true_false_string tfs_fscc_file_attribute_no_scrub_data
= {
2746 "Is excluded from the data integrity scan",
2747 "Is not excluded from the data integrity scan"
2751 * File Attributes, section 2.6 in the [MS-FSCC] spec
/*
 * Dissect a 4-byte little-endian file attribute mask at offset and show each
 * attribute bit as a field under hf_smb2_fscc_file_attr.
 *
 * attr, when non-NULL, receives the raw mask.
 * Returns offset + 4.
 */
int
dissect_fscc_file_attr(tvbuff_t* tvb, proto_tree* parent_tree, int offset, uint32_t* attr)
{
	static int* const mask_fields[] = {
		&hf_smb2_fscc_file_attr_read_only,
		&hf_smb2_fscc_file_attr_hidden,
		&hf_smb2_fscc_file_attr_system,
		&hf_smb2_fscc_file_attr_directory,
		&hf_smb2_fscc_file_attr_archive,
		&hf_smb2_fscc_file_attr_normal,
		&hf_smb2_fscc_file_attr_temporary,
		&hf_smb2_fscc_file_attr_sparse_file,
		&hf_smb2_fscc_file_attr_reparse_point,
		&hf_smb2_fscc_file_attr_compressed,
		&hf_smb2_fscc_file_attr_offline,
		&hf_smb2_fscc_file_attr_not_content_indexed,
		&hf_smb2_fscc_file_attr_encrypted,
		&hf_smb2_fscc_file_attr_integrity_stream,
		&hf_smb2_fscc_file_attr_no_scrub_data,
		NULL
	};
	/* Read once: the same value feeds the tree and the caller. */
	uint32_t mask = tvb_get_letohl(tvb, offset);

	proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset, hf_smb2_fscc_file_attr, ett_smb2_fscc_file_attributes, mask_fields, mask, BMT_NO_APPEND);

	offset += 4;

	if (attr) {
		*attr = mask;
	}

	return offset;
}
/* this info level is unique to SMB2 and differs from the corresponding
 * SMB_FILE_ALL_INFO in SMB
 */
/*
 * Dissect the SMB2 "file all info" level: four NT timestamps, the file
 * attributes, sizes, link count, delete-pending and directory flags, file
 * id, EA size, access mask, position, mode and alignment information, and
 * finally a length-prefixed UTF-16LE file name.
 *
 * Returns the offset just past the file name.
 */
static int
dissect_smb2_file_all_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	static int * const mode_fields[] = {
		&hf_smb2_mode_file_write_through,
		&hf_smb2_mode_file_sequential_only,
		&hf_smb2_mode_file_no_intermediate_buffering,
		&hf_smb2_mode_file_synchronous_io_alert,
		&hf_smb2_mode_file_synchronous_io_nonalert,
		&hf_smb2_mode_file_delete_on_close,
		NULL
	};
	proto_tree *tree = NULL;
	int         length;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_all_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_all_info);
	}

	/* create time */
	dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last access */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last write */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last change */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* File Attributes */
	offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);

	/* some unknown bytes */
	proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* allocation size */
	proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* end of file */
	proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* number of links */
	proto_tree_add_item(tree, hf_smb2_nlinks, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* delete pending */
	proto_tree_add_item(tree, hf_smb2_delete_pending, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* is directory */
	proto_tree_add_item(tree, hf_smb2_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* padding */
	offset += 2;

	/* file id */
	proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* ea size */
	proto_tree_add_item(tree, hf_smb2_ea_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* access mask */
	offset = dissect_smb_access_mask(tvb, tree, offset);

	/* Position Information */
	proto_tree_add_item(tree, hf_smb2_position_information, tvb, offset, 8, ENC_NA);
	offset += 8;

	/* Mode Information */
	proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_mode_information, ett_smb2_file_mode_info, mode_fields, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* Alignment Information */
	proto_tree_add_item(tree, hf_smb2_alignment_information, tvb, offset, 4, ENC_NA);
	offset += 4;

	/*
	 * file name length
	 * NOTE(review): the field is shown as 4 bytes but only its low 16 bits
	 * are read to size the name that follows.
	 */
	length = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* file name */
	if (length) {
		proto_tree_add_item(tree, hf_smb2_filename,
			tvb, offset, length, ENC_UTF_16|ENC_LITTLE_ENDIAN);
		offset += length;
	}

	return offset;
}
/*
 * Dissect the file allocation info level: add the
 * hf_smb2_file_allocation_info subtree when a tree is being built, then hand
 * the body to dissect_qsfi_SMB_FILE_ALLOCATION_INFO() with the captured bytes
 * remaining as its byte count. Returns the offset that helper reports.
 *
 * NOTE(review): bc is 16 bits wide, so a remaining length above 65535 is
 * truncated before the helper sees it.
 */
static int
dissect_smb2_file_allocation_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_allocation_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_allocation_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qsfi_SMB_FILE_ALLOCATION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
}
/*
 * Dissect the end-of-file info level: add the hf_smb2_file_endoffile_info
 * subtree when a tree is being built, then delegate the body to
 * dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(). Returns the helper's offset.
 */
static int
dissect_smb2_file_endoffile_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_endoffile_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_endoffile_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
}
/*
 * Dissect the alternate-name info level: add the
 * hf_smb2_file_alternate_name_info subtree when a tree is being built, then
 * delegate to dissect_qfi_SMB_FILE_NAME_INFO() with its last argument fixed
 * to true. Returns the helper's offset.
 */
static int
dissect_smb2_file_alternate_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_alternate_name_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_alternate_name_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, &bc, &trunc, /* XXX assumption hack */ true);
}
/*
 * Dissect the normalized-name info level: add the
 * hf_smb2_file_normalized_name_info subtree when a tree is being built, then
 * delegate to dissect_qfi_SMB_FILE_NAME_INFO() with its last argument fixed
 * to true. Returns the helper's offset.
 */
static int
dissect_smb2_file_normalized_name_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_normalized_name_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_normalized_name_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfi_SMB_FILE_NAME_INFO(tvb, pinfo, tree, offset, &bc, &trunc, /* XXX assumption hack */ true);
}
/*
 * Dissect the basic info level: four 8-byte NT timestamps (create, last
 * access, last write, last change), the file attribute mask and four bytes
 * shown as hf_smb2_unknown. Returns the offset just past them.
 */
static int
dissect_smb2_file_basic_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_basic_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_basic_info);
	}

	/* create time */
	dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last access */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last write */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last change */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* File Attributes */
	offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);

	/* some unknown bytes */
	proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
	offset += 4;

	return offset;
}
/*
 * Dissect the standard info level: add the hf_smb2_file_standard_info
 * subtree when a tree is being built, then delegate the body to
 * dissect_qfi_SMB_FILE_STANDARD_INFO(). Returns the helper's offset.
 */
static int
dissect_smb2_file_standard_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_standard_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_standard_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfi_SMB_FILE_STANDARD_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
}
/*
 * Dissect the internal info level: add the hf_smb2_file_internal_info
 * subtree when a tree is being built, then delegate the body to
 * dissect_qfi_SMB_FILE_INTERNAL_INFO(). Returns the helper's offset.
 */
static int
dissect_smb2_file_internal_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_internal_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_internal_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfi_SMB_FILE_INTERNAL_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
}
/*
 * Dissect the mode info level: add the hf_smb2_file_mode_info subtree when a
 * tree is being built, then delegate the body to
 * dissect_qsfi_SMB_FILE_MODE_INFO(). Returns the helper's offset.
 */
static int
dissect_smb2_file_mode_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_mode_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_mode_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qsfi_SMB_FILE_MODE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
}
/*
 * Dissect the alignment info level: add the hf_smb2_file_alignment_info
 * subtree when a tree is being built, then delegate the body to
 * dissect_qfi_SMB_FILE_ALIGNMENT_INFO(). Returns the helper's offset.
 */
static int
dissect_smb2_file_alignment_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_alignment_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_alignment_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
}
/*
 * Dissect the position info level: add the hf_smb2_file_position_info
 * subtree when a tree is being built, then delegate the body to
 * dissect_qsfi_SMB_FILE_POSITION_INFO(). Returns the helper's offset.
 */
static int
dissect_smb2_file_position_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_position_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_position_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qsfi_SMB_FILE_POSITION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
}
/*
 * Dissect the access info level: add the hf_smb2_file_access_info subtree
 * when a tree is being built, then show the access mask through
 * dissect_smb_access_mask(). Returns the helper's offset.
 */
static int
dissect_smb2_file_access_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_access_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_access_info);
	}

	/* access mask */
	return dissect_smb_access_mask(tvb, tree, offset);
}
/*
 * Dissect the EA info level: add the hf_smb2_file_ea_info subtree when a
 * tree is being built, then delegate the body to
 * dissect_qfi_SMB_FILE_EA_INFO(). Returns the helper's offset.
 */
static int
dissect_smb2_file_ea_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_ea_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_ea_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfi_SMB_FILE_EA_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
}
/*
 * Dissect the stream info level: add the hf_smb2_file_stream_info subtree
 * when a tree is being built, then delegate the body to
 * dissect_qfi_SMB_FILE_STREAM_INFO() with its last argument fixed to true.
 * Returns the helper's offset.
 */
static int
dissect_smb2_file_stream_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_stream_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_stream_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfi_SMB_FILE_STREAM_INFO(tvb, pinfo, tree, offset, &bc, &trunc, true);
}
/*
 * Dissect the pipe info level: add the hf_smb2_file_pipe_info subtree when a
 * tree is being built, then delegate the body to
 * dissect_sfi_SMB_FILE_PIPE_INFO(). Returns the helper's offset.
 */
static int
dissect_smb2_file_pipe_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_pipe_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_pipe_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_sfi_SMB_FILE_PIPE_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
}
/*
 * Dissect the compression info level: add the hf_smb2_file_compression_info
 * subtree when a tree is being built, then delegate the body to
 * dissect_qfi_SMB_FILE_COMPRESSION_INFO(). Returns the helper's offset.
 */
static int
dissect_smb2_file_compression_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_compression_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_compression_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
}
/*
 * Dissect the network-open info level: add the
 * hf_smb2_file_network_open_info subtree when a tree is being built, then
 * delegate the body to dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO().
 * Returns the helper's offset.
 */
static int
dissect_smb2_file_network_open_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_network_open_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_network_open_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
}
/*
 * Dissect the attribute-tag info level: add the
 * hf_smb2_file_attribute_tag_info subtree when a tree is being built, then
 * delegate the body to dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO().
 * Returns the helper's offset.
 */
static int
dissect_smb2_file_attribute_tag_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;
	bool        trunc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_attribute_tag_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_attribute_tag_info);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvb, pinfo, tree, offset, &bc, &trunc);
}
3232 static const true_false_string tfs_disposition_delete_on_close
= {
3233 "DELETE this file when closed",
3234 "Normal access, do not delete on close"
/*
 * Dissect the disposition info level: a single byte shown as
 * hf_smb2_disposition_delete_on_close. Returns offset + 1.
 */
static int
dissect_smb2_file_disposition_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_disposition_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_disposition_info);
	}

	/* file disposition */
	proto_tree_add_item(tree, hf_smb2_disposition_delete_on_close, tvb, offset, 1, ENC_LITTLE_ENDIAN);

	return offset + 1;
}
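/*
 * Dissect a list of full extended-attribute (EA) entries.
 *
 * Each entry is: a 4-byte next-entry offset, 1-byte flags, 1-byte name
 * length, 2-byte data length, the name followed by one terminating byte,
 * then the data. One "EA:" subtree is built per entry and labelled
 * "name := data". The walk ends at the first entry whose next-entry offset
 * is zero.
 *
 * The next-entry offset is read from the packet and is relative to the start
 * of the current entry. Before it is followed, the bytes up to the next
 * entry are required to exist in the buffer, so the cursor can only move
 * forward and the loop is bounded by the buffer length; a value that does
 * not fit raises the usual bounds exception for a malformed packet.
 *
 * Returns the offset just past the last entry dissected.
 */
static int
dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	uint32_t    next_offset;
	uint8_t     ea_name_len;
	uint16_t    ea_data_len;

	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_file_full_ea_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_full_ea_info);
	}

	while (1) {
		char *name = NULL;
		char *data = NULL;
		int start_offset = offset;
		proto_item *ea_item;
		proto_tree *ea_tree;

		ea_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_ea, &ea_item, "EA:");

		/* next offset */
		next_offset = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(ea_tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* EA flags */
		proto_tree_add_item(ea_tree, hf_smb2_ea_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
		offset += 1;

		/* EA Name Length */
		ea_name_len = tvb_get_uint8(tvb, offset);
		proto_tree_add_item(ea_tree, hf_smb2_ea_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
		offset += 1;

		/* EA Data Length */
		ea_data_len = tvb_get_letohs(tvb, offset);
		proto_tree_add_item(ea_tree, hf_smb2_ea_data_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		offset += 2;

		/* ea name */
		if (ea_name_len) {
			proto_tree_add_item_ret_display_string(ea_tree, hf_smb2_ea_name,
				tvb, offset, ea_name_len, ENC_ASCII|ENC_NA,
				pinfo->pool, &name);
		}

		/* The name is terminated with a NULL */
		offset += ea_name_len + 1;

		/* ea data */
		if (ea_data_len) {
			proto_tree_add_item_ret_display_string(ea_tree, hf_smb2_ea_data,
				tvb, offset, ea_data_len, ENC_NA,
				pinfo->pool, &data);
		}
		offset += ea_data_len;

		if (ea_item) {
			proto_item_append_text(ea_item, " %s := %s",
			    name ? name : "",
			    data ? data : "");
		}
		proto_item_set_len(ea_item, offset-start_offset);

		if (!next_offset) {
			break;
		}

		/*
		 * next_offset is untrusted. Adding it unchecked to a signed
		 * offset can wrap and move the cursor backwards, which would let
		 * a crafted list keep the loop running. Requiring the span to
		 * exist rejects anything larger than the buffer, so the step
		 * below is always strictly forward.
		 */
		tvb_ensure_bytes_exist64(tvb, start_offset, next_offset);

		offset = start_offset+next_offset;
	}

	return offset;
}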
3333 static const true_false_string tfs_replace_if_exists
= {
3334 "Replace the target if it exists",
3335 "Fail if the target exists"
/*
 * Dissect the rename info level: a 1-byte replace-if-exists flag, 7 reserved
 * bytes, an 8-byte root directory handle, a 4-byte name length and the new
 * name as UTF-16LE. A non-empty name is also appended to COL_INFO as
 * " NewName:<name>". Returns the offset just past the name.
 */
static int
dissect_smb2_file_rename_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	int         length;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_rename_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_rename_info);
	}

	/* ReplaceIfExists */
	proto_tree_add_item(tree, hf_smb2_replace_if, tvb, offset, 1, ENC_NA);
	offset += 1;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved_random, tvb, offset, 7, ENC_NA);
	offset += 7;

	/* Root Directory Handle, MBZ */
	proto_tree_add_item(tree, hf_smb2_root_directory_mbz, tvb, offset, 8, ENC_NA);
	offset += 8;

	/*
	 * file name length
	 * NOTE(review): the field is shown as 4 bytes but only its low 16 bits
	 * are read to size the name that follows.
	 */
	length = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* file name */
	if (length) {
		char *display_string;

		proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
			tvb, offset, length, ENC_UTF_16|ENC_LITTLE_ENDIAN,
			pinfo->pool, &display_string);
		/* The name comes from the packet: keep it an argument, never the format. */
		col_append_fstr(pinfo->cinfo, COL_INFO, " NewName:%s",
		    display_string);
		offset += length;
	}

	return offset;
}
/*
 * Dissect the link info level: a 1-byte replace-if-exists flag, 7 reserved
 * bytes, an 8-byte root directory handle, a 4-byte name length and the link
 * name as UTF-16LE. A non-empty name is also appended to COL_INFO as
 * " NewLink:<name>". Returns the offset just past the name.
 */
static int
dissect_smb2_file_link_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	int         length;
	char       *display_string = NULL;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_file_link_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_file_link_info);
	}

	/* ReplaceIfExists */
	proto_tree_add_item(tree, hf_smb2_replace_if, tvb, offset, 1, ENC_NA);
	offset += 1;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved_random, tvb, offset, 7, ENC_NA);
	offset += 7;

	/* Root Directory Handle, MBZ */
	proto_tree_add_item(tree, hf_smb2_root_directory_mbz, tvb, offset, 8, ENC_NA);
	offset += 8;

	/*
	 * file name length
	 * NOTE(review): the field is shown as 4 bytes but only its low 16 bits
	 * are read to size the name that follows.
	 */
	length = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* file name */
	if (length) {
		proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
			tvb, offset, length, ENC_UTF_16|ENC_LITTLE_ENDIAN,
			pinfo->pool, &display_string);
		/* The name comes from the packet: keep it an argument, never the format. */
		col_append_fstr(pinfo->cinfo, COL_INFO, " NewLink:%s",
		    display_string);
		offset += length;
	}

	return offset;
}
/*
 * Dissect a security info block: add the hf_smb2_sec_info_00 subtree when a
 * tree is being built, then pass everything captured from offset onward to
 * dissect_nt_sec_desc() as one security descriptor.
 * Returns the helper's offset.
 */
static int
dissect_smb2_sec_info_00(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_sec_info_00, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_sec_info_00);
	}

	/* security descriptor */
	return dissect_nt_sec_desc(tvb, offset, pinfo, tree, NULL, true, tvb_captured_length_remaining(tvb, offset), NULL);
}
/*
 * Dissect a quota info block: add the hf_smb2_quota_info subtree when a tree
 * is being built, then delegate the body to dissect_nt_user_quota() with the
 * captured bytes remaining as its byte count. Returns the helper's offset.
 */
static int
dissect_smb2_quota_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bcp;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_quota_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_quota_info);
	}

	bcp = tvb_captured_length_remaining(tvb, offset);
	return dissect_nt_user_quota(tvb, tree, offset, &bcp);
}
/*
 * Dissect file-system info level 05: add the hf_smb2_fs_info_05 subtree when
 * a tree is being built, then delegate the body to
 * dissect_qfsi_FS_ATTRIBUTE_INFO(). Returns the helper's offset.
 */
static int
dissect_smb2_fs_info_05(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_05, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_fs_info_05);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfsi_FS_ATTRIBUTE_INFO(tvb, pinfo, tree, offset, &bc);
}
/*
 * Dissect file-system info level 06: add the hf_smb2_fs_info_06 subtree when
 * a tree is being built, then delegate the body to dissect_nt_quota().
 * Returns the helper's offset.
 */
static int
dissect_smb2_fs_info_06(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_06, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_fs_info_06);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_nt_quota(tvb, tree, offset, &bc);
}
/*
 * Dissect the file-system object-id info level: add the
 * hf_smb2_fs_objectid_info subtree when a tree is being built, then delegate
 * the body to dissect_smb2_FILE_OBJECTID_BUFFER().
 * Returns the helper's offset.
 */
static int
dissect_smb2_FS_OBJECTID_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_fs_objectid_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_fs_objectid_info);
	}

	/* FILE_OBJECTID_BUFFER */
	return dissect_smb2_FILE_OBJECTID_BUFFER(tvb, pinfo, tree, offset);
}
/*
 * Dissect file-system info level 07: add the hf_smb2_fs_info_07 subtree when
 * a tree is being built, then delegate the body to
 * dissect_qfsi_FS_FULL_SIZE_INFO(). Returns the helper's offset.
 */
static int
dissect_smb2_fs_info_07(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_07, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_fs_info_07);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfsi_FS_FULL_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
}
/*
 * Dissect file-system info level 01: add the hf_smb2_fs_info_01 subtree when
 * a tree is being built, then delegate the body to
 * dissect_qfsi_FS_VOLUME_INFO() with its last argument fixed to true.
 * Returns the helper's offset.
 */
static int
dissect_smb2_fs_info_01(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_01, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_fs_info_01);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfsi_FS_VOLUME_INFO(tvb, pinfo, tree, offset, &bc, true);
}
/*
 * Dissect file-system info level 03: add the hf_smb2_fs_info_03 subtree when
 * a tree is being built, then delegate the body to
 * dissect_qfsi_FS_SIZE_INFO(). Returns the helper's offset.
 */
static int
dissect_smb2_fs_info_03(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_03, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_fs_info_03);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfsi_FS_SIZE_INFO(tvb, pinfo, tree, offset, &bc);
}
/*
 * Dissect file-system info level 04: add the hf_smb2_fs_info_04 subtree when
 * a tree is being built, then delegate the body to
 * dissect_qfsi_FS_DEVICE_INFO(). Returns the helper's offset.
 */
static int
dissect_smb2_fs_info_04(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	uint16_t    bc;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_fs_info_04, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_fs_info_04);
	}

	bc = tvb_captured_length_remaining(tvb, offset);
	return dissect_qfsi_FS_DEVICE_INFO(tvb, pinfo, tree, offset, &bc);
}
/*
 * Dissect the POSIX file-system info level: two 4-byte fields (optimal
 * transfer size, block size) followed by six 8-byte fields (total blocks,
 * blocks available, user blocks available, total file nodes, free file
 * nodes, file-system identifier), all little-endian.
 * Returns the offset just past the last field.
 */
static int
dissect_smb2_fs_posix_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;

	if (parent_tree) {
		proto_item *item = proto_tree_add_item(parent_tree, hf_smb2_fs_posix_info, tvb, offset, -1, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_fs_posix_info);
	}

	proto_tree_add_item(tree, hf_smb2_fs_posix_optimal_transfer_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	proto_tree_add_item(tree, hf_smb2_fs_posix_block_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	proto_tree_add_item(tree, hf_smb2_fs_posix_total_blocks, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	proto_tree_add_item(tree, hf_smb2_fs_posix_blocks_available, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	proto_tree_add_item(tree, hf_smb2_fs_posix_user_blocks_available, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	proto_tree_add_item(tree, hf_smb2_fs_posix_total_file_nodes, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	proto_tree_add_item(tree, hf_smb2_fs_posix_free_file_nodes, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	proto_tree_add_item(tree, hf_smb2_fs_posix_fs_identifier, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	return offset;
}
3630 static const value_string oplock_vals
[] = {
3631 { 0x00, "No oplock" },
3632 { 0x01, "Level2 oplock" },
3633 { 0x08, "Exclusive oplock" },
3634 { 0x09, "Batch oplock" },
/*
 * Add the 1-byte oplock level at offset as hf_smb2_oplock.
 * Returns offset + 1.
 */
static int
dissect_smb2_oplock(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
{
	proto_tree_add_item(parent_tree, hf_smb2_oplock, tvb, offset, 1, ENC_LITTLE_ENDIAN);

	return offset + 1;
}
/*
 * Dissect the 2-byte little-endian buffer code that opens a command PDU.
 *
 * The value is added as hf_smb2_buffer_code, with the length and the
 * dynamic-part flag shown beneath it over the same two bytes.
 *
 * length, when non-NULL, receives the raw 16-bit value; it is deliberately
 * left unmasked, so a caller that wants only the length bits masks it.
 * Returns offset + 2.
 */
static int
dissect_smb2_buffercode(proto_tree *parent_tree, tvbuff_t *tvb, int offset, uint16_t *length)
{
	proto_tree *tree;
	proto_item *item;
	uint16_t    buffer_code;

	/* dissect the first 2 bytes of the command PDU */
	buffer_code = tvb_get_letohs(tvb, offset);
	item = proto_tree_add_uint(parent_tree, hf_smb2_buffer_code, tvb, offset, 2, buffer_code);
	tree = proto_item_add_subtree(item, ett_smb2_buffercode);
	proto_tree_add_item(tree, hf_smb2_buffer_code_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(tree, hf_smb2_buffer_code_flags_dyn, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	if (length) {
		*length = buffer_code; /*&0xfffe don't mask it here, mask it on caller side */
	}

	return offset;
}
/*
 * Capability bits of the 32-bit capabilities field; presumably the masks
 * behind the hf_smb2_cap_* fields (their registration is not in view here).
 */
#define NEGPROT_CAP_DFS			0x00000001
#define NEGPROT_CAP_LEASING		0x00000002
#define NEGPROT_CAP_LARGE_MTU		0x00000004
#define NEGPROT_CAP_MULTI_CHANNEL	0x00000008
#define NEGPROT_CAP_PERSISTENT_HANDLES	0x00000010
#define NEGPROT_CAP_DIRECTORY_LEASING	0x00000020
#define NEGPROT_CAP_ENCRYPTION		0x00000040
#define NEGPROT_CAP_NOTIFICATIONS	0x00000080
/*
 * Dissect the 4-byte little-endian capabilities bitmask at offset, one field
 * per capability bit. Returns offset + 4.
 */
static int
dissect_smb2_capabilities(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
{
	static int * const flags[] = {
		&hf_smb2_cap_dfs,
		&hf_smb2_cap_leasing,
		&hf_smb2_cap_large_mtu,
		&hf_smb2_cap_multi_channel,
		&hf_smb2_cap_persistent_handles,
		&hf_smb2_cap_directory_leasing,
		&hf_smb2_cap_encryption,
		&hf_smb2_cap_notifications,
		NULL
	};

	proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_capabilities, ett_smb2_capabilities, flags, ENC_LITTLE_ENDIAN);

	return offset + 4;
}
/*
 * Security-mode bits. Going by the names, 0x01 means signing is enabled and
 * 0x02 means signing is required.
 */
#define NEGPROT_SIGN_REQ	0x02
#define NEGPROT_SIGN_ENABLED	0x01
/*
 * Add the security-mode bitmask found at `offset` to `parent_tree`, with the
 * "signing enabled" and "signing required" bits as sub-items.
 *
 * Returns the offset just past the field, which occupies one byte.
 */
static int
dissect_smb2_secmode(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
{
	/* NULL-terminated list of the per-bit header fields */
	static int * const secmode_fields[] = {
		&hf_smb2_secmode_flags_sign_enabled,
		&hf_smb2_secmode_flags_sign_required,
		NULL
	};

	proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_security_mode, ett_smb2_sec_mode, secmode_fields, ENC_LITTLE_ENDIAN);

	return offset + 1;
}
/* Session setup request flag: the request binds an existing session (per the name). */
#define SES_REQ_FLAGS_SESSION_BINDING	0x01
/*
 * Add the session setup request flags found at `offset` to `parent_tree`.
 * Only the session-binding bit has its own sub-item.
 *
 * Returns the offset just past the field, which occupies one byte.
 */
static int
dissect_smb2_ses_req_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
{
	/* NULL-terminated list of the per-bit header fields */
	static int * const req_flag_fields[] = {
		&hf_smb2_ses_req_flags_session_binding,
		NULL
	};

	proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_ses_req_flags, ett_smb2_ses_req_flags, req_flag_fields, ENC_LITTLE_ENDIAN);

	return offset + 1;
}
/*
 * Session flags returned in a session setup response. The GUEST and NULL
 * bits are the ones to check when reviewing whether a session was
 * established without real credentials (meaning inferred from the names).
 */
#define SES_FLAGS_GUEST		0x0001
#define SES_FLAGS_NULL		0x0002
#define SES_FLAGS_ENCRYPT	0x0004
/*
 * Add the session flags found at `offset` to `parent_tree`, with the guest,
 * null-session and encrypt bits as sub-items.
 *
 * Returns the offset just past the field, which occupies two bytes.
 */
static int
dissect_smb2_ses_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
{
	/* NULL-terminated list of the per-bit header fields */
	static int * const ses_flag_fields[] = {
		&hf_smb2_ses_flags_guest,
		&hf_smb2_ses_flags_null,
		&hf_smb2_ses_flags_encrypt,
		NULL
	};

	proto_tree_add_bitmask(parent_tree, tvb, offset, hf_smb2_session_flags, ett_smb2_ses_flags, ses_flag_fields, ENC_LITTLE_ENDIAN);

	return offset + 2;
}
/*
 * Caching policy values. Unlike the other SHARE_FLAGS_* constants these are
 * not independent bits: all four values live in the two bits 0x00000030.
 */
#define SHARE_FLAGS_manual_caching	0x00000000
#define SHARE_FLAGS_auto_caching	0x00000010
#define SHARE_FLAGS_vdo_caching		0x00000020
#define SHARE_FLAGS_no_caching		0x00000030
/* Display names for the caching policy values, terminated by { 0, NULL }. */
static const value_string share_cache_vals[] = {
	{ SHARE_FLAGS_manual_caching,	"Manual caching" },
	{ SHARE_FLAGS_auto_caching,	"Auto caching" },
	{ SHARE_FLAGS_vdo_caching,	"VDO caching" },
	{ SHARE_FLAGS_no_caching,	"No caching" },
	{ 0, NULL }
};
/*
 * Share flag bits reported for a connected share. The bits 0x00000030 are
 * left out here because they carry the caching policy
 * (SHARE_FLAGS_*_caching). SHARE_FLAGS_encryption_required is the bit to
 * check when reviewing whether a share insists on encrypted access.
 */
#define SHARE_FLAGS_dfs				0x00000001
#define SHARE_FLAGS_dfs_root			0x00000002
#define SHARE_FLAGS_restrict_exclusive_opens	0x00000100
#define SHARE_FLAGS_force_shared_delete		0x00000200
#define SHARE_FLAGS_allow_namespace_caching	0x00000400
#define SHARE_FLAGS_access_based_dir_enum	0x00000800
#define SHARE_FLAGS_force_levelii_oplock	0x00001000
#define SHARE_FLAGS_enable_hash_v1		0x00002000
#define SHARE_FLAGS_enable_hash_v2		0x00004000
#define SHARE_FLAGS_encryption_required		0x00008000
#define SHARE_FLAGS_identity_remoting		0x00040000
#define SHARE_FLAGS_compress_data		0x00100000
#define SHARE_FLAGS_isolated_transport		0x00200000
3783 dissect_smb2_share_flags(proto_tree
*tree
, tvbuff_t
*tvb
, int offset
)
3785 static int * const sf_fields
[] = {
3786 &hf_smb2_share_flags_dfs
,
3787 &hf_smb2_share_flags_dfs_root
,
3788 &hf_smb2_share_flags_restrict_exclusive_opens
,
3789 &hf_smb2_share_flags_force_shared_delete
,
3790 &hf_smb2_share_flags_allow_namespace_caching
,
3791 &hf_smb2_share_flags_access_based_dir_enum
,
3792 &hf_smb2_share_flags_force_levelii_oplock
,
3793 &hf_smb2_share_flags_enable_hash_v1
,
3794 &hf_smb2_share_flags_enable_hash_v2
,
3795 &hf_smb2_share_flags_encrypt_data
,
3796 &hf_smb2_share_flags_identity_remoting
,
3797 &hf_smb2_share_flags_compress_data
,
3798 &hf_smb2_share_flags_isolated_transport
,
3804 item
= proto_tree_add_bitmask(tree
, tvb
, offset
, hf_smb2_share_flags
, ett_smb2_share_flags
, sf_fields
, ENC_LITTLE_ENDIAN
);
3806 cp
= tvb_get_letohl(tvb
, offset
);
3808 proto_tree_add_uint_format(item
, hf_smb2_share_caching
, tvb
, offset
, 4, cp
, "Caching policy: %s (%08x)", val_to_str(cp
, share_cache_vals
, "Unknown:%u"), cp
);
/* Share capability bits, one bit per capability. */
#define SHARE_CAPS_DFS				0x00000008
#define SHARE_CAPS_CONTINUOUS_AVAILABILITY	0x00000010
#define SHARE_CAPS_SCALEOUT			0x00000020
#define SHARE_CAPS_CLUSTER			0x00000040
#define SHARE_CAPS_ASYMMETRIC			0x00000080
#define SHARE_CAPS_REDIRECT_TO_OWNER		0x00000100
/*
 * Add the share capabilities bitmask found at `offset` to `tree`, with one
 * sub-item per capability bit.
 *
 * Returns the offset just past the field, which occupies four bytes.
 */
static int
dissect_smb2_share_caps(proto_tree *tree, tvbuff_t *tvb, int offset)
{
	/* NULL-terminated list of the per-bit header fields */
	static int * const share_cap_fields[] = {
		&hf_smb2_share_caps_dfs,
		&hf_smb2_share_caps_continuous_availability,
		&hf_smb2_share_caps_scaleout,
		&hf_smb2_share_caps_cluster,
		&hf_smb2_share_caps_asymmetric,
		&hf_smb2_share_caps_redirect_to_owner,
		NULL
	};

	proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_share_caps, ett_smb2_share_caps, share_cap_fields, ENC_LITTLE_ENDIAN);

	return offset + 4;
}
/*
 * Hand a security blob to the matching authentication dissector.
 *
 * A blob whose first seven captured bytes are the ASCII signature "NTLMSSP"
 * is raw NTLMSSP; every other blob is passed to the GSS-API dissector. The
 * test uses the captured length, so a blob cut short by the capture to fewer
 * than seven bytes also ends up in the GSS-API branch.
 */
static void
dissect_smb2_secblob(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
{
	bool raw_ntlmssp = false;

	if (tvb_captured_length(tvb) >= 7) {
		/* tvb_memeql() yields 0 when the bytes match */
		raw_ntlmssp = (tvb_memeql(tvb, 0, (const uint8_t*)"NTLMSSP", 7) == 0);
	}

	if (raw_ntlmssp) {
		call_dissector(ntlmssp_handle, tvb, pinfo, tree);
		return;
	}

	call_dissector(gssapi_handle, tvb, pinfo, tree);
}
3855 * Derive client and server decryption keys from the secret session key
3856 * and set them in the session object.
3858 static void smb2_generate_decryption_keys(smb2_conv_info_t
*conv
, smb2_sesid_info_t
*ses
)
3860 bool has_seskey
= memcmp(ses
->session_key
, zeros
, NTLMSSP_KEY_LEN
) != 0;
3861 bool has_signkey
= memcmp(ses
->signing_key
, zeros
, NTLMSSP_KEY_LEN
) != 0;
3862 bool has_client_key
= memcmp(ses
->client_decryption_key16
, zeros
, AES_KEY_SIZE
) != 0;
3863 bool has_server_key
= memcmp(ses
->server_decryption_key16
, zeros
, AES_KEY_SIZE
) != 0;
3865 /* if all decryption keys are provided, nothing to do */
3866 if (has_client_key
&& has_server_key
&& has_signkey
)
3869 /* otherwise, generate them from session key, if it's there */
3870 if (!has_seskey
|| ses
->session_key_len
== 0)
3873 if (conv
->dialect
< SMB2_DIALECT_202
) {
3874 conv
->dialect
= SMB2_DIALECT_311
;
3875 conv
->enc_alg
= SMB2_CIPHER_AES_128_GCM
;
3878 /* generate decryption keys */
3879 if (conv
->dialect
<= SMB2_DIALECT_210
) {
3881 memcpy(ses
->signing_key
, ses
->session_key
,
3883 } else if (conv
->dialect
< SMB2_DIALECT_311
) {
3884 if (!has_server_key
)
3885 smb2_key_derivation(ses
->session_key
,
3889 ses
->server_decryption_key16
, 16);
3890 if (!has_client_key
)
3891 smb2_key_derivation(ses
->session_key
,
3895 ses
->client_decryption_key16
, 16);
3897 smb2_key_derivation(ses
->session_key
,
3901 ses
->signing_key
, 16);
3902 } else if (conv
->dialect
>= SMB2_DIALECT_311
) {
3903 if (!has_server_key
) {
3904 smb2_key_derivation(ses
->session_key
,
3906 "SMBC2SCipherKey", 16,
3907 ses
->preauth_hash
, SMB2_PREAUTH_HASH_SIZE
,
3908 ses
->server_decryption_key16
, 16);
3909 smb2_key_derivation(ses
->session_key
,
3910 ses
->session_key_len
,
3911 "SMBC2SCipherKey", 16,
3912 ses
->preauth_hash
, SMB2_PREAUTH_HASH_SIZE
,
3913 ses
->server_decryption_key32
, 32);
3915 if (!has_client_key
) {
3916 smb2_key_derivation(ses
->session_key
,
3918 "SMBS2CCipherKey", 16,
3919 ses
->preauth_hash
, SMB2_PREAUTH_HASH_SIZE
,
3920 ses
->client_decryption_key16
, 16);
3921 smb2_key_derivation(ses
->session_key
,
3922 ses
->session_key_len
,
3923 "SMBS2CCipherKey", 16,
3924 ses
->preauth_hash
, SMB2_PREAUTH_HASH_SIZE
,
3925 ses
->client_decryption_key32
, 32);
3928 smb2_key_derivation(ses
->session_key
,
3930 "SMBSigningKey", 14,
3931 ses
->preauth_hash
, SMB2_PREAUTH_HASH_SIZE
,
3932 ses
->signing_key
, 16);
3935 DEBUG("Generated Sign key");
3936 HEXDUMP(ses
->signing_key
, NTLMSSP_KEY_LEN
);
3937 DEBUG("Generated S2C key16");
3938 HEXDUMP(ses
->client_decryption_key16
, AES_KEY_SIZE
);
3939 DEBUG("Generated S2C key32");
3940 HEXDUMP(ses
->client_decryption_key32
, AES_KEY_SIZE
*2);
3941 DEBUG("Generated C2S key16");
3942 HEXDUMP(ses
->server_decryption_key16
, AES_KEY_SIZE
);
3943 DEBUG("Generated C2S key32");
3944 HEXDUMP(ses
->server_decryption_key32
, AES_KEY_SIZE
*2);
3948 dissect_smb2_session_setup_request(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, smb2_info_t
*si
)
3950 offset_length_buffer_t s_olb
;
3951 const ntlmssp_header_t
*ntlmssph
;
3952 static int ntlmssp_tap_id
= 0;
3953 smb2_saved_info_t
*ssi
= si
->saved
;
3954 proto_item
*hash_item
;
3957 if (!ntlmssp_tap_id
) {
3958 GString
*error_string
;
3959 /* We don't specify any callbacks at all.
3960 * Instead we manually fetch the tapped data after the
3961 * security blob has been fully dissected and before
3962 * we exit from this dissector.
3964 error_string
= register_tap_listener("ntlmssp", NULL
, NULL
,
3965 TL_IS_DISSECTOR_HELPER
, NULL
, NULL
, NULL
, NULL
);
3966 if (!error_string
) {
3967 ntlmssp_tap_id
= find_tap_id("ntlmssp");
3969 g_string_free(error_string
, true);
3973 if (!pinfo
->fd
->visited
&& ssi
) {
3974 /* compute preauth hash on first pass */
3976 /* start from last preauth hash of the connection if 1st request */
3978 memcpy(si
->conv
->preauth_hash_ses
, si
->conv
->preauth_hash_con
, SMB2_PREAUTH_HASH_SIZE
);
3980 ssi
->preauth_hash_req
= (uint8_t*)wmem_alloc0(wmem_file_scope(), SMB2_PREAUTH_HASH_SIZE
);
3981 update_preauth_hash(si
->conv
->preauth_hash_current
, pinfo
, tvb
);
3982 memcpy(ssi
->preauth_hash_req
, si
->conv
->preauth_hash_current
, SMB2_PREAUTH_HASH_SIZE
);
3985 if (ssi
&& ssi
->preauth_hash_req
) {
3986 hash_item
= proto_tree_add_bytes_with_length(tree
, hf_smb2_preauth_hash
, tvb
,
3987 0, tvb_captured_length(tvb
),
3988 ssi
->preauth_hash_req
, SMB2_PREAUTH_HASH_SIZE
);
3989 proto_item_set_generated(hash_item
);
3993 offset
= dissect_smb2_buffercode(tree
, tvb
, offset
, NULL
);
3994 /* some unknown bytes */
3997 offset
= dissect_smb2_ses_req_flags(tree
, tvb
, offset
);
4000 offset
= dissect_smb2_secmode(tree
, tvb
, offset
);
4003 offset
= dissect_smb2_capabilities(tree
, tvb
, offset
);
4006 proto_tree_add_item(tree
, hf_smb2_channel
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
4009 /* security blob offset/length */
4010 offset
= dissect_smb2_olb_length_offset(tvb
, offset
, &s_olb
, OLB_O_UINT16_S_UINT16
, hf_smb2_security_blob
);
4012 /* previous session id */
4013 proto_tree_add_item(tree
, hf_smb2_previous_sesid
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
4017 /* the security blob itself */
4018 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &s_olb
, si
, dissect_smb2_secblob
);
4020 offset
= dissect_smb2_olb_tvb_max_offset(offset
, &s_olb
);
4022 /* If we have found a uid->acct_name mapping, store it */
4023 if (!pinfo
->fd
->visited
) {
4025 while ((ntlmssph
= (const ntlmssp_header_t
*)fetch_tapped_data(ntlmssp_tap_id
, idx
++)) != NULL
) {
4026 if (ntlmssph
&& ntlmssph
->type
== NTLMSSP_AUTH
) {
4027 si
->session
= smb2_get_session(si
->conv
, si
->sesid
, pinfo
, si
);
4028 si
->session
->acct_name
= wmem_strdup(wmem_file_scope(), ntlmssph
->acct_name
);
4029 si
->session
->domain_name
= wmem_strdup(wmem_file_scope(), ntlmssph
->domain_name
);
4030 si
->session
->host_name
= wmem_strdup(wmem_file_scope(), ntlmssph
->host_name
);
4031 /* don't overwrite session key from preferences */
4032 if (memcmp(si
->session
->session_key
, zeros
, NTLMSSP_KEY_LEN
) == 0) {
4033 memcpy(si
->session
->session_key
, ntlmssph
->session_key
, NTLMSSP_KEY_LEN
);
4034 si
->session
->session_key_len
= NTLMSSP_KEY_LEN
;
4035 si
->session
->session_key_frame
= pinfo
->num
;
4036 expert_add_info_format(pinfo
, tree
,
4037 &ei_smb2_ntlmssp_sessionkey
,
4038 "SMB2 NTLM sessionKey ("
4044 si
->session
->session_key
[0] & 0xFF, si
->session
->session_key
[1] & 0xFF,
4045 si
->session
->session_key
[2] & 0xFF, si
->session
->session_key
[3] & 0xFF,
4046 si
->session
->session_key
[4] & 0xFF, si
->session
->session_key
[5] & 0xFF,
4047 si
->session
->session_key
[6] & 0xFF, si
->session
->session_key
[7] & 0xFF,
4048 si
->session
->session_key
[8] & 0xFF, si
->session
->session_key
[9] & 0xFF,
4049 si
->session
->session_key
[10] & 0xFF, si
->session
->session_key
[11] & 0xFF,
4050 si
->session
->session_key
[12] & 0xFF, si
->session
->session_key
[13] & 0xFF,
4051 si
->session
->session_key
[14] & 0xFF, si
->session
->session_key
[15] & 0xFF);
4053 si
->session
->auth_frame
= pinfo
->num
;
/*
 * Dissect a share-redirect error context: structure size, notification type,
 * resource name offset/length, flags, target type, an IP address count, the
 * address list itself and finally the resource name string.
 *
 * NOTE(review): ip_count is read from the packet and used as the loop bound
 * without any upper limit. The loop presumably ends through a bounds
 * exception raised by the tvb accessors once the data runs out; confirm that
 * dissect_windows_sockaddr_storage() always reads from the tvb.
 *
 * NOTE(review): the loop adds the return value of
 * dissect_windows_sockaddr_storage() to offset, which is only right if that
 * helper returns a length rather than the new absolute offset. Confirm
 * against its definition.
 */
static void
dissect_smb2_share_redirect_error(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_tree *tree;
	proto_item *item;
	proto_tree *ips_tree;
	proto_item *ips_item;

	offset_length_buffer_t res_olb;
	uint32_t ip_count;
	uint32_t ip_idx;

	item = proto_tree_add_item(parent_tree, hf_smb2_error_redir_context, tvb, offset, 0, ENC_NA);
	tree = proto_item_add_subtree(item, ett_smb2_error_redir_context);

	/* structure size */
	proto_tree_add_item(tree, hf_smb2_error_redir_struct_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* notification type */
	proto_tree_add_item(tree, hf_smb2_error_redir_notif_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* resource name offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &res_olb, OLB_O_UINT32_S_UINT32, hf_smb2_error_redir_res_name);

	/* flags */
	proto_tree_add_item(tree, hf_smb2_error_redir_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* target type */
	proto_tree_add_item(tree, hf_smb2_error_redir_target_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* number of addresses that follow */
	proto_tree_add_item_ret_uint(tree, hf_smb2_error_redir_ip_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &ip_count);
	offset += 4;

	/* address list */
	ips_item = proto_tree_add_item(tree, hf_smb2_error_redir_ip_list, tvb, offset, 0, ENC_NA);
	ips_tree = proto_item_add_subtree(ips_item, ett_smb2_error_redir_ip_list);
	for (ip_idx = 0; ip_idx < ip_count; ip_idx++) {
		offset += dissect_windows_sockaddr_storage(tvb, pinfo, ips_tree, offset, -1);
	}

	/* resource name */
	dissect_smb2_olb_off_string(pinfo, tree, tvb, &res_olb, offset, OLB_TYPE_UNICODE_STRING);
}
/*
 * Dissect the symbolic-link error response carried as error data when the
 * status is STATUS_STOPPED_ON_SYMLINK.
 *
 * Fixed part, in order: symlink length (4), error tag (4), reparse tag (4),
 * reparse data length (2), unparsed path length (2), substitute name
 * offset/length, print name offset/length and flags (4). The two names are
 * then dissected as Unicode strings relative to the offset reached after the
 * fixed part.
 */
static void
dissect_smb2_STATUS_STOPPED_ON_SYMLINK(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *item;
	proto_tree *tree;

	offset_length_buffer_t subst_olb;
	offset_length_buffer_t print_olb;

	item = proto_tree_add_item(parent_tree, hf_smb2_symlink_error_response, tvb, offset, -1, ENC_NA);
	tree = proto_item_add_subtree(item, ett_smb2_symlink_error_response);

	/* symlink length */
	proto_tree_add_item(tree, hf_smb2_symlink_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* symlink error tag */
	proto_tree_add_item(tree, hf_smb2_symlink_error_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* reparse tag */
	proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* reparse data length */
	proto_tree_add_item(tree, hf_smb2_reparse_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* unparsed path length */
	proto_tree_add_item(tree, hf_smb2_unparsed_path_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* substitute name offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &subst_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_substitute_name);

	/* print name offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &print_olb, OLB_O_UINT16_S_UINT16, hf_smb2_symlink_print_name);

	/* flags */
	proto_tree_add_item(tree, hf_smb2_symlink_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* substitute name string */
	dissect_smb2_olb_off_string(pinfo, tree, tvb, &subst_olb, offset, OLB_TYPE_UNICODE_STRING);

	/* print name string */
	dissect_smb2_olb_off_string(pinfo, tree, tvb, &print_olb, offset, OLB_TYPE_UNICODE_STRING);
}
/*
 * Dissect one error context: a 4-byte data length, a 4-byte error id and
 * `length` bytes of error data. The data is handed to
 * dissect_smb2_error_data() as its own sub-tvb, with a context count of 0
 * and the id just read.
 *
 * Returns the absolute offset just past the context's data.
 *
 * NOTE(review): the loop in dissect_smb2_error_data() adds this return value
 * to its running offset (`offset += dissect_smb2_error_context(...)`). That
 * is only right for a returned length, not for an absolute offset, so with
 * more than one context the second and later ones would be read from the
 * wrong place. Confirm which of the two is intended.
 */
static int
// NOLINTNEXTLINE(misc-no-recursion)
dissect_smb2_error_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	proto_item *ctx_item;
	proto_tree *ctx_tree;
	tvbuff_t *data_tvb;
	uint32_t length;
	uint32_t id;

	ctx_item = proto_tree_add_item(parent_tree, hf_smb2_error_context, tvb, offset, -1, ENC_NA);
	ctx_tree = proto_item_add_subtree(ctx_item, ett_smb2_error_context);

	/* both values below come straight from the packet */
	proto_tree_add_item_ret_uint(ctx_tree, hf_smb2_error_context_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
	offset += 4;

	proto_tree_add_item_ret_uint(ctx_tree, hf_smb2_error_context_id, tvb, offset, 4, ENC_LITTLE_ENDIAN, &id);
	offset += 4;

	/* the nested error data is dissected at offset 0 of its own sub-tvb */
	data_tvb = tvb_new_subset_length(tvb, offset, length);
	dissect_smb2_error_data(data_tvb, pinfo, ctx_tree, 0, id, si);
	offset += length;

	return offset;
}
4181 * Assumes it is being called with a sub-tvb (dissects at offsets 0)
4184 // NOLINTNEXTLINE(misc-no-recursion)
4185 dissect_smb2_error_data(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*parent_tree
,
4186 int error_context_count
, int error_id
,
4187 smb2_info_t
*si _U_
)
4195 item
= proto_tree_add_item(parent_tree
, hf_smb2_error_data
, tvb
, offset
, -1, ENC_NA
);
4196 tree
= proto_item_add_subtree(item
, ett_smb2_error_data
);
4198 if (error_context_count
== 0) {
4199 if (tvb_captured_length_remaining(tvb
, offset
) <= 1)
4201 switch (si
->status
) {
4202 case NT_STATUS_STOPPED_ON_SYMLINK
:
4203 dissect_smb2_STATUS_STOPPED_ON_SYMLINK(tvb
, pinfo
, tree
, offset
, si
);
4205 case NT_STATUS_BUFFER_TOO_SMALL
:
4206 proto_tree_add_item(tree
, hf_smb2_error_min_buf_length
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
4208 case NT_STATUS_BAD_NETWORK_NAME
:
4209 if (error_id
== SMB2_ERROR_ID_SHARE_REDIRECT
)
4210 dissect_smb2_share_redirect_error(tvb
, pinfo
, tree
, offset
, si
);
4215 increment_dissection_depth(pinfo
);
4216 for (i
= 0; i
< error_context_count
; i
++) {
4217 offset
+= dissect_smb2_error_context(tvb
, pinfo
, tree
, offset
, si
);
4219 decrement_dissection_depth(pinfo
);
4224 * SMB2 Error responses are a bit convoluted. Error data can be a list
4225 * of error contexts which themselves can hold an error data field.
4226 * See [MS-SMB2] 2.2.2.1.
4228 * ERROR_RESP := ERROR_DATA
4230 * ERROR_DATA := ( ERROR_CONTEXT + )
4231 * | ERROR_STATUS_STOPPED_ON_SYMLINK
4232 * | ERROR_ID_SHARE_REDIRECT
4233 * | ERROR_BUFFER_TOO_SMALL
4235 * ERROR_CONTEXT := ... + ERROR_DATA
4236 * | ERROR_ID_SHARE_REDIRECT
4238 * This needs more fixes for cases when the original header had also the constant value of 9.
4239 * This should be fixed on caller side where it decides if it has to call this or not.
4243 dissect_smb2_error_response(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, smb2_info_t
*si
,
4244 bool* continue_dissection
)
4247 uint8_t error_context_count
;
4252 offset
= dissect_smb2_buffercode(tree
, tvb
, offset
, &length
);
4254 /* FIX: error response uses this constant, if not then it is not an error response */
4257 if(continue_dissection
)
4258 *continue_dissection
= true;
4260 if(continue_dissection
)
4261 *continue_dissection
= false;
4263 /* ErrorContextCount (1 bytes) */
4264 error_context_count
= tvb_get_uint8(tvb
, offset
);
4265 proto_tree_add_item(tree
, hf_smb2_error_context_count
, tvb
, offset
, 1, ENC_LITTLE_ENDIAN
);
4268 /* Reserved (1 bytes) */
4269 proto_tree_add_item(tree
, hf_smb2_error_reserved
, tvb
, offset
, 1, ENC_LITTLE_ENDIAN
);
4272 /* ByteCount (4 bytes): The number of bytes of data contained in ErrorData[]. */
4273 byte_count
= tvb_get_letohl(tvb
, offset
);
4274 proto_tree_add_item(tree
, hf_smb2_error_byte_count
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
4277 /* If the ByteCount field is zero then the server MUST supply an ErrorData field
4278 that is one byte in length */
4279 if (byte_count
== 0) byte_count
= 1;
4281 /* ErrorData (variable): A variable-length data field that contains extended
4282 error information.*/
4283 sub_tvb
= tvb_new_subset_length(tvb
, offset
, byte_count
);
4284 offset
+= byte_count
;
4286 dissect_smb2_error_data(sub_tvb
, pinfo
, tree
, error_context_count
, 0, si
);
4293 dissect_smb2_session_setup_response(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, smb2_info_t
*si
)
4295 offset_length_buffer_t s_olb
;
4296 proto_item
*hash_item
;
4297 smb2_saved_info_t
*ssi
= si
->saved
;
4299 si
->session
= smb2_get_session(si
->conv
, si
->sesid
, pinfo
, si
);
4300 if (si
->status
== 0) {
4301 si
->session
->auth_frame
= pinfo
->num
;
4304 /* compute preauth hash on first pass */
4305 if (!pinfo
->fd
->visited
&& ssi
) {
4306 ssi
->preauth_hash_res
= (uint8_t*)wmem_alloc0(wmem_file_scope(), SMB2_PREAUTH_HASH_SIZE
);
4308 * Preauth hash can only be used if the session is
4309 * established i.e. last session setup response has a
4310 * success status. As per the specification, the last
4311 * response is NOT hashed.
4313 if (si
->status
!= 0) {
4315 * Not successful means either more req/rsp
4316 * processing is required or we reached an
4317 * error, so update hash.
4319 update_preauth_hash(si
->conv
->preauth_hash_current
, pinfo
, tvb
);
4322 * Session is established, remember the last preauth hash
4324 memcpy(si
->session
->preauth_hash
, si
->conv
->preauth_hash_current
, SMB2_PREAUTH_HASH_SIZE
);
4327 /* In all cases, stash the preauth hash */
4328 memcpy(ssi
->preauth_hash_res
, si
->conv
->preauth_hash_current
, SMB2_PREAUTH_HASH_SIZE
);
4331 if (ssi
&& ssi
->preauth_hash_res
) {
4332 hash_item
= proto_tree_add_bytes_with_length(tree
, hf_smb2_preauth_hash
, tvb
,
4333 0, tvb_captured_length(tvb
),
4334 ssi
->preauth_hash_res
, SMB2_PREAUTH_HASH_SIZE
);
4335 proto_item_set_generated(hash_item
);
4338 /* session_setup is special and we don't use dissect_smb2_error_response() here! */
4341 offset
= dissect_smb2_buffercode(tree
, tvb
, offset
, NULL
);
4344 offset
= dissect_smb2_ses_flags(tree
, tvb
, offset
);
4346 /* security blob offset/length */
4347 offset
= dissect_smb2_olb_length_offset(tvb
, offset
, &s_olb
, OLB_O_UINT16_S_UINT16
, hf_smb2_security_blob
);
4349 /* the security blob itself */
4350 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &s_olb
, si
, dissect_smb2_secblob
);
4352 offset
= dissect_smb2_olb_tvb_max_offset(offset
, &s_olb
);
4354 /* If we have found a uid->acct_name mapping, store it */
4355 #ifdef HAVE_KERBEROS
4356 if (!pinfo
->fd
->visited
&&
4357 ((si
->session
->session_key_frame
== UINT32_MAX
) ||
4358 (si
->session
->session_key_frame
< pinfo
->num
)))
4363 read_keytab_file_from_preferences();
4366 for (ek
=enc_key_list
;ek
;ek
=ek
->next
) {
4367 if (!ek
->is_ap_rep_key
) {
4370 if (ek
->fd_num
== (int)pinfo
->num
) {
4377 * If we remembered information from the PAC content
4378 * from GSSAPI AP exchange we use it, otherwise we
4379 * can only give a hint about the used session key.
4381 if (ek
->pac_names
.account_name
) {
4382 si
->session
->acct_name
= wmem_strdup(wmem_file_scope(),
4383 ek
->pac_names
.account_name
);
4384 si
->session
->domain_name
= wmem_strdup(wmem_file_scope(),
4385 ek
->pac_names
.account_domain
);
4386 if (ek
->pac_names
.device_sid
) {
4387 si
->session
->host_name
= wmem_strdup_printf(wmem_file_scope(),
4389 ek
->pac_names
.device_sid
);
4391 si
->session
->host_name
= NULL
;
4394 si
->session
->acct_name
= wmem_strdup_printf(wmem_file_scope(),
4397 si
->session
->domain_name
= wmem_strdup_printf(wmem_file_scope(),
4400 si
->session
->host_name
= NULL
;
4402 /* don't overwrite session key from preferences */
4403 if (memcmp(si
->session
->session_key
, zeros
, NTLMSSP_KEY_LEN
) == 0) {
4404 si
->session
->session_key_len
= MIN(NTLMSSP_KEY_LEN
*2, ek
->keylength
);
4405 memcpy(si
->session
->session_key
,
4407 si
->session
->session_key_len
);
4408 si
->session
->session_key_frame
= pinfo
->num
;
4414 if (si
->status
== 0) {
4416 * Session is established, we can generate the keys
4418 expert_add_info_format(pinfo
, tree
,
4419 &ei_smb2_ntlmssp_sessionkey
,
4420 "SMB2 dialect[0x%x] decryption base sessionKey ("
4426 (unsigned)si
->conv
->dialect
,
4427 si
->session
->session_key
[0] & 0xFF, si
->session
->session_key
[1] & 0xFF,
4428 si
->session
->session_key
[2] & 0xFF, si
->session
->session_key
[3] & 0xFF,
4429 si
->session
->session_key
[4] & 0xFF, si
->session
->session_key
[5] & 0xFF,
4430 si
->session
->session_key
[6] & 0xFF, si
->session
->session_key
[7] & 0xFF,
4431 si
->session
->session_key
[8] & 0xFF, si
->session
->session_key
[9] & 0xFF,
4432 si
->session
->session_key
[10] & 0xFF, si
->session
->session_key
[11] & 0xFF,
4433 si
->session
->session_key
[12] & 0xFF, si
->session
->session_key
[13] & 0xFF,
4434 si
->session
->session_key
[14] & 0xFF, si
->session
->session_key
[15] & 0xFF);
4435 smb2_generate_decryption_keys(si
->conv
, si
->session
);
4442 dissect_smb2_tree_connect_request(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, smb2_info_t
*si _U_
)
4444 offset_length_buffer_t olb
;
4448 static int * const connect_flags
[] = {
4449 &hf_smb2_tc_cluster_reconnect
,
4450 &hf_smb2_tc_redirect_to_owner
,
4451 &hf_smb2_tc_extension_present
,
4452 &hf_smb2_tc_reserved
,
4457 offset
= dissect_smb2_buffercode(tree
, tvb
, offset
, NULL
);
4460 item
= proto_tree_get_parent(tree
);
4461 flags
= tvb_get_letohs(tvb
, offset
);
4462 proto_tree_add_bitmask(tree
, tvb
, offset
, hf_smb2_tree_connect_flags
, ett_smb2_tree_connect_flags
, connect_flags
, ENC_LITTLE_ENDIAN
);
4465 proto_item_append_text(item
, "%s%s%s",
4466 (flags
& 0x0001)?", CLUSTER_RECONNECT":"",
4467 (flags
& 0x0002)?", REDIRECT_TO_OWNER":"",
4468 (flags
& 0x0004)?", EXTENSION_PRESENT":"");
4472 /* tree offset/length */
4473 offset
= dissect_smb2_olb_length_offset(tvb
, offset
, &olb
, OLB_O_UINT16_S_UINT16
, hf_smb2_tree
);
4476 buf
= dissect_smb2_olb_string(pinfo
, tree
, tvb
, &olb
, OLB_TYPE_UNICODE_STRING
);
4478 offset
= dissect_smb2_olb_tvb_max_offset(offset
, &olb
);
4480 if (!pinfo
->fd
->visited
&& si
->saved
&& buf
&& olb
.len
) {
4481 si
->saved
->extra_info_type
= SMB2_EI_TREENAME
;
4482 si
->saved
->extra_info
= wmem_strdup(wmem_file_scope(), buf
);
4486 col_append_fstr(pinfo
->cinfo
, COL_INFO
, ", Tree: '%s'",
4487 format_text(pinfo
->pool
, buf
, strlen(buf
)));
4493 dissect_smb2_tree_connect_response(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, smb2_info_t
*si _U_
)
4496 bool continue_dissection
;
4498 switch (si
->status
) {
4500 case 0x00000000: offset
= dissect_smb2_buffercode(tree
, tvb
, offset
, NULL
); break;
4501 default: offset
= dissect_smb2_error_response(tvb
, pinfo
, tree
, offset
, si
, &continue_dissection
);
4502 if (!continue_dissection
) return offset
;
4506 share_type
= tvb_get_uint8(tvb
, offset
);
4507 proto_tree_add_item(tree
, hf_smb2_share_type
, tvb
, offset
, 1, ENC_LITTLE_ENDIAN
);
4510 /* byte is reserved and must be set to zero */
4511 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 1, ENC_NA
);
4514 if (!pinfo
->fd
->visited
&& si
->saved
&& si
->saved
->extra_info_type
== SMB2_EI_TREENAME
&& si
->session
) {
4515 smb2_tid_info_t
*tid
, tid_key
;
4517 tid_key
.tid
= si
->tid
;
4518 tid
= (smb2_tid_info_t
*)wmem_map_lookup(si
->session
->tids
, &tid_key
);
4520 wmem_map_remove(si
->session
->tids
, &tid_key
);
4522 tid
= wmem_new(wmem_file_scope(), smb2_tid_info_t
);
4524 tid
->name
= (char *)si
->saved
->extra_info
;
4525 tid
->connect_frame
= pinfo
->num
;
4526 tid
->disconnect_frame
= 0;
4527 tid
->share_type
= share_type
;
4529 wmem_map_insert(si
->session
->tids
, tid
, tid
);
4531 si
->saved
->extra_info_type
= SMB2_EI_NONE
;
4532 si
->saved
->extra_info
= NULL
;
4536 col_append_fstr(pinfo
->cinfo
, COL_INFO
, ", Tree: '%s'", si
->tree
->name
);
4539 offset
= dissect_smb2_share_flags(tree
, tvb
, offset
);
4541 /* share capabilities */
4542 offset
= dissect_smb2_share_caps(tree
, tvb
, offset
);
4544 /* this is some sort of access mask */
4545 offset
= dissect_smb_access_mask(tvb
, tree
, offset
);
4551 dissect_smb2_tree_disconnect_request(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, smb2_info_t
*si _U_
)
4554 offset
= dissect_smb2_buffercode(tree
, tvb
, offset
, NULL
);
4557 col_append_fstr(pinfo
->cinfo
, COL_INFO
, ", Tree: '%s'", si
->tree
->name
);
4560 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 2, ENC_NA
);
4567 dissect_smb2_tree_disconnect_response(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, smb2_info_t
*si _U_
)
4569 bool continue_dissection
;
4571 switch (si
->status
) {
4574 offset
= dissect_smb2_buffercode(tree
, tvb
, offset
, NULL
);
4577 default: offset
= dissect_smb2_error_response(tvb
, pinfo
, tree
, offset
, si
, &continue_dissection
);
4578 if (!continue_dissection
) return offset
;
4582 si
->tree
->disconnect_frame
= pinfo
->fd
->num
;
4583 col_append_fstr(pinfo
->cinfo
, COL_INFO
, ", Tree: '%s'", si
->tree
->name
);
4587 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 2, ENC_NA
);
4594 dissect_smb2_sessionlogoff_request(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, smb2_info_t
*si _U_
)
4597 offset
= dissect_smb2_buffercode(tree
, tvb
, offset
, NULL
);
4599 /* reserved bytes */
/*
 * Dissect a session logoff response.
 *
 * A zero status means a normal response that starts with the buffer code.
 * Any other status is handed to dissect_smb2_error_response(); when that
 * function reports that dissection should not continue, its offset is
 * returned right away. Otherwise two reserved bytes follow.
 *
 * Returns the offset just past the dissected data.
 */
static int
dissect_smb2_sessionlogoff_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		bool continue_dissection;

		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* reserved bytes */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);

	return offset + 2;
}
/*
 * Dissect a keepalive request: the buffer code followed by two bytes whose
 * meaning this dissector does not know (shown as hf_smb2_unknown).
 *
 * Returns the offset just past those two bytes.
 */
static int
dissect_smb2_keepalive_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	const int unknown_len = 2;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* some unknown bytes */
	proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, unknown_len, ENC_NA);

	return offset + unknown_len;
}
/*
 * Dissect a keepalive response.
 *
 * A zero status means a normal response that starts with the buffer code.
 * Any other status is handed to dissect_smb2_error_response(); when that
 * function reports that dissection should not continue, its offset is
 * returned right away. Otherwise two bytes of unknown meaning follow.
 *
 * Returns the offset just past the dissected data.
 */
static int
dissect_smb2_keepalive_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		bool continue_dissection;

		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* some unknown bytes */
	proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);

	return offset + 2;
}
4657 dissect_smb2_notify_request(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, smb2_info_t
*si
)
4659 proto_tree
*flags_tree
= NULL
;
4660 proto_item
*flags_item
= NULL
;
4664 offset
= dissect_smb2_buffercode(tree
, tvb
, offset
, NULL
);
4668 flags_item
= proto_tree_add_item(tree
, hf_smb2_notify_flags
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
4669 flags_tree
= proto_item_add_subtree(flags_item
, ett_smb2_notify_flags
);
4671 proto_tree_add_item(flags_tree
, hf_smb2_notify_watch_tree
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
4674 /* output buffer length */
4675 proto_tree_add_item(tree
, hf_smb2_output_buffer_len
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
4679 if (si
->saved
&& si
->saved
->fid_hash
) {
4680 item
= proto_tree_add_uint_format(tree
, hf_smb2_file_id_hash
, tvb
, 0, 0,
4681 si
->saved
->fid_hash
, "File Id Hash: 0x%04x", si
->saved
->fid_hash
);
4682 proto_item_set_generated(item
);
4686 offset
= dissect_smb2_fid(tvb
, pinfo
, tree
, offset
, si
, FID_MODE_USE
);
4688 /* completion filter */
4689 offset
= dissect_nt_notify_completion_filter(tvb
, tree
, offset
);
4692 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 4, ENC_NA
);
/* Display names for the action code of a change-notify record, terminated by {0, NULL}. */
static const value_string notify_action_vals[] = {
	{ 0x01, "FILE_ACTION_ADDED" },
	{ 0x02, "FILE_ACTION_REMOVED" },
	{ 0x03, "FILE_ACTION_MODIFIED" },
	{ 0x04, "FILE_ACTION_RENAMED_OLD_NAME" },
	{ 0x05, "FILE_ACTION_RENAMED_NEW_NAME" },
	{ 0x06, "FILE_ACTION_ADDED_STREAM" },
	{ 0x07, "FILE_ACTION_REMOVED_STREAM" },
	{ 0x08, "FILE_ACTION_MODIFIED_STREAM" },
	{ 0x09, "FILE_ACTION_REMOVED_BY_DELETE" },
	{ 0, NULL }
};
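/*
 * Dissect the output buffer of a change-notify response.
 *
 * The buffer is a chain of records. Each record holds a 4-byte offset to the
 * next record (relative to the start of the current one, 0 on the last
 * record), a 4-byte action code, a 4-byte file name length and the UTF-16LE
 * file name.
 *
 * @param tvb          sub-tvb holding only the notify data; dissection starts
 *                     at offset 0
 * @param pinfo        packet info (unused)
 * @param parent_tree  tree the records are attached to, may be NULL
 * @param si           SMB2 state (unused)
 */
static void
dissect_smb2_notify_data_out(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	proto_tree *tree = NULL;
	proto_item *item = NULL;
	int offset = 0;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		uint32_t start_offset = offset;
		uint32_t next_offset;
		uint32_t length;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_notify_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_notify_info);
		}

		/* next offset */
		proto_tree_add_item_ret_uint(tree, hf_smb2_notify_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &next_offset);
		offset += 4;

		proto_tree_add_item(tree, hf_smb2_notify_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file name length */
		proto_tree_add_item_ret_uint(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
		offset += 4;

		/* file name */
		if (length) {
			proto_tree_add_item(tree, hf_smb2_filename,
				tvb, offset, length, ENC_UTF_16|ENC_LITTLE_ENDIAN);
		}

		/* a zero next offset marks the last record */
		if (!next_offset) {
			break;
		}

		/*
		 * next_offset is taken from the packet as is. If the 32-bit sum
		 * below wrapped around, or no longer fitted the signed offset,
		 * the cursor could move backwards and the loop would revisit
		 * the same records without ever ending. Stop instead; the
		 * check assumes a 32-bit int. With it in place every iteration
		 * moves offset strictly forward.
		 */
		if (next_offset > (uint32_t)INT32_MAX - start_offset) {
			break;
		}

		offset = start_offset+next_offset;
	}
}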
/*
 * Dissect a change-notify response.
 *
 * A status of 0 or STATUS_NOTIFY_ENUM_DIR (0x0000010c) is dissected as a
 * normal response; any other status goes through the error-response
 * dissector, which decides whether dissection continues.  The output buffer
 * is located through an offset/length pair and handed to
 * dissect_smb2_notify_data_out().
 *
 * Returns the offset after the response.
 */
static int
dissect_smb2_notify_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t olb;
	bool continue_dissection;
	proto_item *item = NULL;

	/* MS-SMB2 3.3.4.4 says STATUS_NOTIFY_ENUM_DIR is not treated as an error */
	if (si->status == 0x00000000 || si->status == 0x0000010c) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* generated item: hash of the file id saved with the matching request */
	if (si->saved && si->saved->fid_hash) {
		item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(item);
	}

	/* out buffer offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_notify_out_data);

	/* out buffer */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_notify_data_out);

	return dissect_smb2_olb_tvb_max_offset(offset, &olb);
}
/* Bits of the one-byte flags field of a FIND request. */
#define SMB2_FIND_FLAG_RESTART_SCANS 0x01
#define SMB2_FIND_FLAG_SINGLE_ENTRY 0x02
#define SMB2_FIND_FLAG_INDEX_SPECIFIED 0x04
#define SMB2_FIND_FLAG_REOPEN 0x10

/*
 * Dissect a FIND request.
 *
 * The information level is remembered in si->saved so the response can pick
 * the matching entry dissector, and on the first pass the search pattern is
 * copied into file-scope memory for display with the response.
 *
 * Returns the offset after the request.
 */
static int
dissect_smb2_find_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t olb;
	const char *pattern;
	uint8_t info_level;
	proto_item *item = NULL;
	static int * const f_fields[] = {
		&hf_smb2_find_flags_restart_scans,
		&hf_smb2_find_flags_single_entry,
		&hf_smb2_find_flags_index_specified,
		&hf_smb2_find_flags_reopen,
		NULL
	};

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* information level, kept for the response */
	info_level = tvb_get_uint8(tvb, offset);
	if (si->saved) {
		si->saved->infolevel = info_level;
	}
	proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 1, info_level);
	offset += 1;

	/* find flags */
	proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_find_flags, ett_smb2_find_flags, f_fields, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* file index */
	proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* generated item: hash of the saved file id */
	if (si->saved && si->saved->fid_hash) {
		item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(item);
	}

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* search pattern offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT16, hf_smb2_find_pattern);

	/* output buffer length */
	proto_tree_add_item(tree, hf_smb2_output_buffer_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* search pattern */
	pattern = dissect_smb2_olb_string(pinfo, tree, tvb, &olb, OLB_TYPE_UNICODE_STRING);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);

	/* first pass only: the copy must outlive this packet's dissection */
	if (!pinfo->fd->visited && si->saved && olb.len) {
		si->saved->extra_info_type = SMB2_EI_FINDPATTERN;
		si->saved->extra_info = wmem_strdup(wmem_file_scope(), pattern);
	}

	/*
	 * NOTE(review): the copy above is guarded by olb.len but this "%s" is
	 * not; confirm dissect_smb2_olb_string() never returns NULL for an
	 * empty pattern.
	 */
	col_append_fstr(pinfo->cinfo, COL_INFO, " %s Pattern: %s",
			val_to_str(info_level, smb2_find_info_levels, "(Level:0x%02x)"),
			pattern);

	return offset;
}
/*
 * Dissect the chain of directory-info entries returned for the
 * SMB2_FIND_DIRECTORY_INFO level.
 *
 * Each entry begins with a 32-bit offset to the next entry, relative to the
 * start of the current one; zero ends the chain.  The offset and the name
 * length are taken from the packet, so the walk stops with an
 * ei_smb2_invalid_length expert item when the cursor would move backwards.
 */
static void dissect_smb2_file_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	int offset = 0;
	proto_item *item = NULL;
	proto_tree *tree = NULL;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		/* create, last access, last write, last change: 8 bytes each */
		const int time_fields[] = {
			hf_smb2_create_timestamp,
			hf_smb2_last_access_timestamp,
			hf_smb2_last_write_timestamp,
			hf_smb2_last_change_timestamp
		};
		int entry_start = offset;
		int next_entry;
		int name_len;
		unsigned k;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_file_directory_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_file_directory_info);
		}

		/* next offset */
		next_entry = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file index */
		proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		for (k = 0; k < sizeof time_fields / sizeof time_fields[0]; k++) {
			dissect_nttime(tvb, tree, offset, time_fields[k], ENC_LITTLE_ENDIAN);
			offset += 8;
		}

		/* end of file */
		proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* allocation size */
		proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* File Attributes */
		offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);

		/* file name length */
		name_len = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file name, also appended to the entry's summary line */
		if (name_len) {
			char *name_text;

			proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
				tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
				pinfo->pool, &name_text);
			proto_item_append_text(item, ": %s", name_text);
			offset += name_len;
		}

		proto_item_set_len(item, offset - entry_start);

		if (si->saved) {
			si->saved->num_matched++;
		}

		/* last entry of the chain */
		if (next_entry == 0) {
			break;
		}

		offset = entry_start + next_entry;
		if (offset < entry_start) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				    "Invalid offset/length. Malformed packet");
			break;
		}
	}
}
/*
 * Dissect the chain of entries returned for the
 * SMB2_FIND_FULL_DIRECTORY_INFO level.
 *
 * Same layout as the directory-info entries plus one 32-bit field after the
 * name length, shown as a reparse tag when the entry's attributes carry
 * SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT and as an EA size otherwise.
 * The next-entry offset and name length are packet-supplied; a cursor that
 * would move backwards is reported and ends the walk.
 */
static void dissect_smb2_full_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	int offset = 0;
	proto_item *item = NULL;
	proto_tree *tree = NULL;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		/* create, last access, last write, last change: 8 bytes each */
		const int time_fields[] = {
			hf_smb2_create_timestamp,
			hf_smb2_last_access_timestamp,
			hf_smb2_last_write_timestamp,
			hf_smb2_last_change_timestamp
		};
		int entry_start = offset;
		int next_entry;
		int name_len;
		uint32_t attr;
		unsigned k;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_full_directory_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_full_directory_info);
		}

		/* next offset */
		next_entry = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file index */
		proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		for (k = 0; k < sizeof time_fields / sizeof time_fields[0]; k++) {
			dissect_nttime(tvb, tree, offset, time_fields[k], ENC_LITTLE_ENDIAN);
			offset += 8;
		}

		/* end of file */
		proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* allocation size */
		proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* File Attributes */
		offset = dissect_fscc_file_attr(tvb, tree, offset, &attr);

		/* file name length */
		name_len = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* ea size or reparse tag */
		proto_tree_add_item(tree,
			(attr & SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT) ? hf_smb2_reparse_tag : hf_smb2_ea_size,
			tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file name, also appended to the entry's summary line */
		if (name_len) {
			char *name_text;

			proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
				tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
				pinfo->pool, &name_text);
			proto_item_append_text(item, ": %s", name_text);
			offset += name_len;
		}

		proto_item_set_len(item, offset - entry_start);

		if (si->saved) {
			si->saved->num_matched++;
		}

		/* last entry of the chain */
		if (next_entry == 0) {
			break;
		}

		offset = entry_start + next_entry;
		if (offset < entry_start) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				    "Invalid offset/length. Malformed packet");
			break;
		}
	}
}
/*
 * Dissect the chain of entries returned for the
 * SMB2_FIND_BOTH_DIRECTORY_INFO level.
 *
 * On top of the full-directory fields each entry carries a one-byte short
 * name length, a reserved byte and a fixed-size short name area before the
 * long file name.  The next-entry offset and both name lengths are
 * packet-supplied; a cursor that would move backwards is reported and ends
 * the walk.
 */
static void dissect_smb2_both_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	int offset = 0;
	proto_item *item = NULL;
	proto_tree *tree = NULL;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		/* create, last access, last write, last change: 8 bytes each */
		const int time_fields[] = {
			hf_smb2_create_timestamp,
			hf_smb2_last_access_timestamp,
			hf_smb2_last_write_timestamp,
			hf_smb2_last_change_timestamp
		};
		int entry_start = offset;
		int next_entry;
		int name_len;
		int short_len;
		uint32_t attr;
		unsigned k;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
		}

		/* next offset */
		next_entry = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file index */
		proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		for (k = 0; k < sizeof time_fields / sizeof time_fields[0]; k++) {
			dissect_nttime(tvb, tree, offset, time_fields[k], ENC_LITTLE_ENDIAN);
			offset += 8;
		}

		/* end of file */
		proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* allocation size */
		proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* File Attributes */
		offset = dissect_fscc_file_attr(tvb, tree, offset, &attr);

		/* file name length */
		name_len = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* ea size or reparse tag */
		proto_tree_add_item(tree,
			(attr & SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT) ? hf_smb2_reparse_tag : hf_smb2_ea_size,
			tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* short name length */
		short_len = tvb_get_uint8(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
		offset += 1;

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
		offset += 1;

		/* short name: the area is skipped whole, whatever the length says */
		if (short_len) {
			proto_tree_add_item(tree, hf_smb2_short_name,
				tvb, offset, short_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
		}
		offset += 24;

		/* file name, also appended to the entry's summary line */
		if (name_len) {
			char *name_text;

			proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
				tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
				pinfo->pool, &name_text);
			proto_item_append_text(item, ": %s", name_text);
			offset += name_len;
		}

		proto_item_set_len(item, offset - entry_start);

		if (si->saved) {
			si->saved->num_matched++;
		}

		/* last entry of the chain */
		if (next_entry == 0) {
			break;
		}

		offset = entry_start + next_entry;
		if (offset < entry_start) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				    "Invalid offset/length. Malformed packet");
			break;
		}
	}
}
/*
 * Dissect the chain of entries returned for the SMB2_FIND_NAME_INFO level:
 * next-entry offset, file index, name length and name.
 *
 * NOTE(review): the entry item is registered with
 * hf_smb2_both_directory_info / ett_smb2_both_directory_info, so these
 * entries are labelled like the BOTH_DIRECTORY level; confirm whether that
 * is intended.
 *
 * The next-entry offset and name length are packet-supplied; a cursor that
 * would move backwards is reported and ends the walk.
 */
static void dissect_smb2_file_name_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	int offset = 0;
	proto_item *item = NULL;
	proto_tree *tree = NULL;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		int entry_start = offset;
		int next_entry;
		int name_len;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_both_directory_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_both_directory_info);
		}

		/* next offset */
		next_entry = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file index */
		proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file name length */
		name_len = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file name, also appended to the entry's summary line */
		if (name_len) {
			char *name_text;

			proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
				tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
				pinfo->pool, &name_text);
			proto_item_append_text(item, ": %s", name_text);
			offset += name_len;
		}

		if (si->saved) {
			si->saved->num_matched++;
		}

		proto_item_set_len(item, offset - entry_start);

		/* last entry of the chain */
		if (next_entry == 0) {
			break;
		}

		offset = entry_start + next_entry;
		if (offset < entry_start) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				    "Invalid offset/length. Malformed packet");
			break;
		}
	}
}
/*
 * Dissect the chain of entries returned for the
 * SMB2_FIND_ID_BOTH_DIRECTORY_INFO level.
 *
 * The layout follows the both-directory entries, with two reserved bytes
 * and an 8-byte file id between the short name area and the long name.
 * The next-entry offset and both name lengths are packet-supplied; a cursor
 * that would move backwards is reported and ends the walk.
 */
static void dissect_smb2_id_both_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	int offset = 0;
	proto_item *item = NULL;
	proto_tree *tree = NULL;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		/* create, last access, last write, last change: 8 bytes each */
		const int time_fields[] = {
			hf_smb2_create_timestamp,
			hf_smb2_last_access_timestamp,
			hf_smb2_last_write_timestamp,
			hf_smb2_last_change_timestamp
		};
		int entry_start = offset;
		int next_entry;
		int name_len;
		int short_len;
		uint32_t attr;
		unsigned k;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
		}

		/* next offset */
		next_entry = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file index */
		proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		for (k = 0; k < sizeof time_fields / sizeof time_fields[0]; k++) {
			dissect_nttime(tvb, tree, offset, time_fields[k], ENC_LITTLE_ENDIAN);
			offset += 8;
		}

		/* end of file */
		proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* allocation size */
		proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* File Attributes */
		offset = dissect_fscc_file_attr(tvb, tree, offset, &attr);

		/* file name length */
		name_len = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* ea size or reparse tag */
		proto_tree_add_item(tree,
			(attr & SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT) ? hf_smb2_reparse_tag : hf_smb2_ea_size,
			tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* short name length */
		short_len = tvb_get_uint8(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_short_name_len, tvb, offset, 1, ENC_LITTLE_ENDIAN);
		offset += 1;

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
		offset += 1;

		/* short name: the area is skipped whole, whatever the length says */
		if (short_len) {
			proto_tree_add_item(tree, hf_smb2_short_name,
				tvb, offset, short_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
		}
		offset += 24;

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
		offset += 2;

		/* file id */
		proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* file name, also appended to the entry's summary line */
		if (name_len) {
			char *name_text;

			proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
				tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
				pinfo->pool, &name_text);
			proto_item_append_text(item, ": %s", name_text);
			offset += name_len;
		}

		proto_item_set_len(item, offset - entry_start);

		if (si->saved) {
			si->saved->num_matched++;
		}

		/* last entry of the chain */
		if (next_entry == 0) {
			break;
		}

		offset = entry_start + next_entry;
		if (offset < entry_start) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				    "Invalid offset/length. Malformed packet");
			break;
		}
	}
}
/*
 * Dissect the chain of entries returned for the
 * SMB2_FIND_ID_FULL_DIRECTORY_INFO level.
 *
 * The layout follows the full-directory entries, with four reserved bytes
 * and an 8-byte file id before the file name.
 *
 * NOTE(review): the entry item is registered with
 * hf_smb2_id_both_directory_info / ett_smb2_id_both_directory_info, so
 * these entries are labelled like the ID_BOTH level; confirm whether that
 * is intended.
 *
 * The next-entry offset and name length are packet-supplied; a cursor that
 * would move backwards is reported and ends the walk.
 */
static void dissect_smb2_id_full_directory_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	int offset = 0;
	proto_item *item = NULL;
	proto_tree *tree = NULL;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		/* create, last access, last write, last change: 8 bytes each */
		const int time_fields[] = {
			hf_smb2_create_timestamp,
			hf_smb2_last_access_timestamp,
			hf_smb2_last_write_timestamp,
			hf_smb2_last_change_timestamp
		};
		int entry_start = offset;
		int next_entry;
		int name_len;
		uint32_t attr;
		unsigned k;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_id_both_directory_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_id_both_directory_info);
		}

		/* next offset */
		next_entry = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* file index */
		proto_tree_add_item(tree, hf_smb2_file_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		for (k = 0; k < sizeof time_fields / sizeof time_fields[0]; k++) {
			dissect_nttime(tvb, tree, offset, time_fields[k], ENC_LITTLE_ENDIAN);
			offset += 8;
		}

		/* end of file */
		proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* allocation size */
		proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* File Attributes */
		offset = dissect_fscc_file_attr(tvb, tree, offset, &attr);

		/* file name length */
		name_len = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* ea size or reparse tag */
		proto_tree_add_item(tree,
			(attr & SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT) ? hf_smb2_reparse_tag : hf_smb2_ea_size,
			tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
		offset += 4;

		/* file id */
		proto_tree_add_item(tree, hf_smb2_file_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* file name, also appended to the entry's summary line */
		if (name_len) {
			char *name_text;

			proto_tree_add_item_ret_display_string(tree, hf_smb2_filename,
				tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
				pinfo->pool, &name_text);
			proto_item_append_text(item, ": %s", name_text);
			offset += name_len;
		}

		proto_item_set_len(item, offset - entry_start);

		if (si->saved) {
			si->saved->num_matched++;
		}

		/* last entry of the chain */
		if (next_entry == 0) {
			break;
		}

		offset = entry_start + next_entry;
		if (offset < entry_start) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				    "Invalid offset/length. Malformed packet");
			break;
		}
	}
}
/*
 * Dissect the fixed part of a POSIX information structure followed by the
 * owner and group SIDs, starting at offset.
 *
 * Counts the entry in si->saved->num_matched when saved state is present
 * and returns the offset after the group SID.
 */
static int dissect_smb2_posix_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	/* create, last access, last write, last change: 8 bytes each */
	const int time_fields[] = {
		hf_smb2_create_timestamp,
		hf_smb2_last_access_timestamp,
		hf_smb2_last_write_timestamp,
		hf_smb2_last_change_timestamp
	};
	unsigned k;

	for (k = 0; k < sizeof time_fields / sizeof time_fields[0]; k++) {
		dissect_nttime(tvb, tree, offset, time_fields[k], ENC_LITTLE_ENDIAN);
		offset += 8;
	}

	/* end of file */
	proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* allocation size */
	proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* File Attributes */
	offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);

	/* inode */
	proto_tree_add_item(tree, hf_smb2_inode, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* device id */
	proto_tree_add_item(tree, hf_smb2_dev, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* number of links */
	proto_tree_add_item(tree, hf_smb2_nlinks, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* reparse tag */
	proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* POSIX mode bits */
	proto_tree_add_item(tree, hf_smb2_posix_perms, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* Owner and Group SID: variable length, the helper returns the new offset */
	offset = dissect_nt_sid(tvb, offset, tree, "Owner SID", NULL, -1);
	offset = dissect_nt_sid(tvb, offset, tree, "Group SID", NULL, -1);

	if (si->saved) {
		si->saved->num_matched++;
	}

	return offset;
}
/*
 * Dissect the chain of entries returned for the SMB2_FIND_POSIX_INFO level:
 * a next-entry offset, the POSIX information structure, then the file name
 * length and name.
 *
 * The next-entry offset and name length are packet-supplied; a cursor that
 * would move backwards is reported with ei_smb2_invalid_length and ends the
 * walk.
 */
static void dissect_smb2_posix_directory_info(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	int offset = 0;
	proto_item *item = NULL;
	proto_tree *tree = NULL;

	while (tvb_reported_length_remaining(tvb, offset) > 4) {
		int entry_start = offset;
		int next_entry;
		uint32_t name_len;

		if (parent_tree) {
			item = proto_tree_add_item(parent_tree, hf_smb2_posix_info, tvb, offset, -1, ENC_NA);
			tree = proto_item_add_subtree(item, ett_smb2_posix_info);
		}

		/* next offset */
		next_entry = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(tree, hf_smb2_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* fixed fields and SIDs */
		offset = dissect_smb2_posix_info(tvb, pinfo, tree, offset, si);

		/* file name length */
		proto_tree_add_item_ret_uint(tree, hf_smb2_filename_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &name_len);
		offset += 4;

		/* file name */
		if (name_len) {
			proto_tree_add_item(tree, hf_smb2_filename, tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
			offset += name_len;
		}

		proto_item_set_len(item, offset - entry_start);

		/* last entry of the chain */
		if (next_entry == 0) {
			break;
		}

		offset = entry_start + next_entry;
		if (offset < entry_start) {
			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
				    "Invalid offset/length. Malformed packet");
			break;
		}
	}
}
/* Pairs a FIND information level with the dissector for its entry layout. */
typedef struct _smb2_find_dissector_t {
	uint32_t level;
	void (*dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si);
} smb2_find_dissector_t;

/*
 * Dispatch table searched by information level; the entry with a NULL
 * dissector ends the table.
 */
static smb2_find_dissector_t smb2_find_dissectors[] = {
	{ SMB2_FIND_DIRECTORY_INFO,         dissect_smb2_file_directory_info },
	{ SMB2_FIND_FULL_DIRECTORY_INFO,    dissect_smb2_full_directory_info },
	{ SMB2_FIND_BOTH_DIRECTORY_INFO,    dissect_smb2_both_directory_info },
	{ SMB2_FIND_NAME_INFO,              dissect_smb2_file_name_info },
	{ SMB2_FIND_ID_BOTH_DIRECTORY_INFO, dissect_smb2_id_both_directory_info },
	{ SMB2_FIND_ID_FULL_DIRECTORY_INFO, dissect_smb2_id_full_directory_info },
	{ SMB2_FIND_POSIX_INFO,             dissect_smb2_posix_directory_info },
	{ 0, NULL }
};
/*
 * Dissect the data buffer of a FIND response with the dissector registered
 * for the information level saved from the request.
 *
 * The match counter in si->saved is reset first.  When there is no saved
 * state, or no table entry matches the level, the whole buffer is shown as
 * unknown data.
 */
static void
dissect_smb2_find_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	smb2_find_dissector_t *entry;

	if (si->saved) {
		si->saved->num_matched = 0;
	}

	for (entry = smb2_find_dissectors; entry->dissector; entry++) {
		if (si->saved && entry->level == si->saved->infolevel) {
			entry->dissector(tvb, pinfo, tree, si);
			return;
		}
	}

	proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
}
/*
 * Dissect a FIND response.
 *
 * Generated items show the file id hash and information level saved from
 * the request, and the saved search pattern is appended to the Info column.
 * A status of 0 is dissected as a normal response; any other status goes
 * through the error-response dissector, which decides whether dissection
 * continues.  The entry buffer is handed to dissect_smb2_find_data() and
 * the number of matched names is reported afterwards.
 *
 * Returns the offset after the response.
 */
static int
dissect_smb2_find_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	offset_length_buffer_t olb;
	proto_item *item = NULL;
	bool continue_dissection;

	if (si->saved) {
		if (si->saved->fid_hash) {
			item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
				si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
			proto_item_set_generated(item);
		}

		/* infolevel */
		item = proto_tree_add_uint(tree, hf_smb2_find_info_level, tvb, offset, 0, si->saved->infolevel);
		proto_item_set_generated(item);

		/* pattern text stored by the request dissector */
		if (si->saved->extra_info_type == SMB2_EI_FINDPATTERN) {
			col_append_fstr(pinfo->cinfo, COL_INFO, ", %s Pattern: %s",
					val_to_str(si->saved->infolevel, smb2_find_info_levels, "(Level:0x%02x)"),
					(const char *)si->saved->extra_info);
		}
	}

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* findinfo offset */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, hf_smb2_find_info_blob);

	/* the buffer */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_find_data);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &olb);

	if (si->saved) {
		item = proto_tree_add_uint_format(tree, hf_smb2_num_matched, tvb, 0, 0,
			si->saved->num_matched, "Matched: %u names", si->saved->num_matched);
		proto_item_set_generated(item);

		col_append_fstr(
			pinfo->cinfo, COL_INFO, ", %u matches", si->saved->num_matched);
	}

	return offset;
}
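/*
 * Dissect one negotiate context: a 16-bit type, a 16-bit data length, four
 * reserved bytes, then type-specific data.
 *
 * All counts and lengths are read from the packet.  Each loop below adds a
 * tree item per element through the tvbuff accessors, which is what bounds
 * the iteration when a count overstates the data actually present.
 *
 * In a response (SMB2_FLAGS_RESPONSE set) with conversation state, the first
 * cipher id and the first signing algorithm id are recorded in si->conv as
 * the algorithms in use on the connection.
 *
 * Returns the offset after the dissected context data.
 */
static int
dissect_smb2_negotiate_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	uint16_t type;
	const char *type_str;
	uint32_t i, data_length, salt_length, hash_count, cipher_count, comp_count, transform_count;
	uint32_t signing_count;
	proto_item *sub_item;
	proto_tree *sub_tree;
	static int * const comp_alg_flags_fields[] = {
		&hf_smb2_comp_alg_flags_chained,
		&hf_smb2_comp_alg_flags_reserved,
		NULL
	};

	sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1, ett_smb2_negotiate_context_element, &sub_item, "Negotiate Context");

	/*
	 * type: a 2-byte field, so read exactly 2 bytes.  A 4-byte read would
	 * pull in the data length as well and depend on truncation to drop it.
	 */
	type = tvb_get_letohs(tvb, offset);
	type_str = val_to_str(type, smb2_negotiate_context_types, "Unknown Type: (0x%0x)");
	proto_item_append_text(sub_item, ": %s ", type_str);
	proto_tree_add_item(sub_tree, hf_smb2_negotiate_context_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* data length; the item covers the 8-byte context header plus the data */
	proto_tree_add_item_ret_uint(sub_tree, hf_smb2_negotiate_context_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &data_length);
	proto_item_set_len(sub_item, data_length + 8);
	offset += 2;

	/* reserved */
	proto_tree_add_item(sub_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	switch (type)
	{
		case SMB2_PREAUTH_INTEGRITY_CAPABILITIES:
			proto_tree_add_item_ret_uint(sub_tree, hf_smb2_hash_alg_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &hash_count);
			offset += 2;
			proto_tree_add_item_ret_uint(sub_tree, hf_smb2_salt_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &salt_length);
			offset += 2;

			for (i = 0; i < hash_count; i++)
			{
				proto_tree_add_item(sub_tree, hf_smb2_hash_algorithm, tvb, offset, 2, ENC_LITTLE_ENDIAN);
				offset += 2;
			}

			if (salt_length)
			{
				proto_tree_add_item(sub_tree, hf_smb2_salt, tvb, offset, salt_length, ENC_NA);
				offset += salt_length;
			}
			break;

		case SMB2_ENCRYPTION_CAPABILITIES:
			proto_tree_add_item_ret_uint(sub_tree, hf_smb2_cipher_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &cipher_count);
			offset += 2;

			for (i = 0; i < cipher_count; i ++)
			{
				/* in SMB3.1.1 the first cipher returned by the server is the session encryption algorithm */
				if (i == 0 && si && si->conv && (si->flags & SMB2_FLAGS_RESPONSE)) {
					uint16_t first_cipher = tvb_get_letohs(tvb, offset);
					si->conv->enc_alg = first_cipher;
				}
				proto_tree_add_item(sub_tree, hf_smb2_cipher_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
				offset += 2;
			}
			break;

		case SMB2_COMPRESSION_CAPABILITIES:
			proto_tree_add_item_ret_uint(sub_tree, hf_smb2_comp_alg_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &comp_count);
			offset += 2;

			/* padding */
			offset += 2;

			/* flags */
			proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_comp_alg_flags, ett_smb2_comp_alg_flags, comp_alg_flags_fields, ENC_LITTLE_ENDIAN);
			offset += 4;

			for (i = 0; i < comp_count; i ++) {
				proto_tree_add_item(sub_tree, hf_smb2_comp_alg_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
				offset += 2;
			}
			break;

		case SMB2_NETNAME_NEGOTIATE_CONTEXT_ID:
			proto_tree_add_item(sub_tree, hf_smb2_netname_neg_id, tvb, offset,
					    data_length, ENC_UTF_16|ENC_LITTLE_ENDIAN);
			offset += data_length;
			break;

		case SMB2_TRANSPORT_CAPABILITIES:
			proto_tree_add_item(sub_tree, hf_smb2_transport_ctx_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
			offset += 4;
			break;

		case SMB2_RDMA_TRANSFORM_CAPABILITIES:
			proto_tree_add_item_ret_uint(sub_tree, hf_smb2_rdma_transform_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &transform_count);
			offset += 2;

			proto_tree_add_item(sub_tree, hf_smb2_rdma_transform_reserved1, tvb, offset, 2, ENC_LITTLE_ENDIAN);
			offset += 2;
			proto_tree_add_item(sub_tree, hf_smb2_rdma_transform_reserved2, tvb, offset, 4, ENC_LITTLE_ENDIAN);
			offset += 4;

			for (i = 0; i < transform_count; i++) {
				proto_tree_add_item(sub_tree, hf_smb2_rdma_transform_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
				offset += 2;
			}
			break;

		case SMB2_SIGNING_CAPABILITIES:
			proto_tree_add_item_ret_uint(sub_tree, hf_smb2_signing_alg_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &signing_count);
			offset += 2;

			for (i = 0; i < signing_count; i++) {
				/* the first signing algorithm in a response is recorded as the one in use */
				if (i == 0 && si && si->conv && (si->flags & SMB2_FLAGS_RESPONSE)) {
					uint16_t first_sign_alg = tvb_get_letohs(tvb, offset);
					si->conv->sign_alg = first_sign_alg;
				}
				proto_tree_add_item(sub_tree, hf_smb2_signing_alg_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
				offset += 2;
			}
			break;

		case SMB2_POSIX_EXTENSIONS_CAPABILITIES:
			proto_tree_add_item(sub_tree, hf_smb2_posix_reserved, tvb, offset, data_length, ENC_NA);
			offset += data_length;
			break;

		default:
			proto_tree_add_item(sub_tree, hf_smb2_unknown, tvb, offset, data_length, ENC_NA);
			offset += data_length;
			break;
	}

	return offset;
}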
/*
 * Dissect a NEGOTIATE request.
 *
 * On the first pass the conversation's preauth integrity hashes are reset,
 * the hash is updated over this packet and a file-scope copy is stored for
 * display.  After the fixed fields and the dialect list, negotiate contexts
 * are dissected only when a dialect of SMB2_DIALECT_310 or later is offered
 * and the context offset lies at or beyond the end of the dialect list;
 * each context starts on an 8-byte boundary.
 *
 * NOTE(review): si->conv is dereferenced in the first-pass block without a
 * NULL check, unlike dissect_smb2_negotiate_context(); confirm callers
 * always set it.
 *
 * Returns the offset after the last dissected field.
 */
static int
dissect_smb2_negotiate_protocol_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	uint16_t dialect_count;
	uint16_t idx;
	proto_item *nco_item, *ncc_item;
	bool supports_smb_3_10 = false;
	uint32_t ctx_offset;
	uint32_t ctx_count;
	proto_item *hash_item = NULL;
	smb2_saved_info_t *ssi = si->saved;

	/* compute preauth hash on first pass */
	if (!pinfo->fd->visited && ssi) {
		ssi->preauth_hash_req = (uint8_t*)wmem_alloc0(wmem_file_scope(), SMB2_PREAUTH_HASH_SIZE);
		memset(si->conv->preauth_hash_ses, 0, SMB2_PREAUTH_HASH_SIZE);
		memset(si->conv->preauth_hash_con, 0, SMB2_PREAUTH_HASH_SIZE);
		si->conv->preauth_hash_current = si->conv->preauth_hash_con;
		update_preauth_hash(si->conv->preauth_hash_current, pinfo, tvb);
		memcpy(ssi->preauth_hash_req, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);
	}

	/* generated item: the hash value after this request */
	if (ssi && ssi->preauth_hash_req) {
		hash_item = proto_tree_add_bytes_with_length(tree,
							     hf_smb2_preauth_hash, tvb,
							     0, tvb_captured_length(tvb),
							     ssi->preauth_hash_req, SMB2_PREAUTH_HASH_SIZE);
		proto_item_set_generated(hash_item);
	}

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* dialect count */
	dialect_count = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_dialect_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* security mode, skip second byte */
	offset = dissect_smb2_secmode(tree, tvb, offset);
	offset++;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* capabilities */
	offset = dissect_smb2_capabilities(tree, tvb, offset);

	/* client guid */
	proto_tree_add_item(tree, hf_smb2_client_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
	offset += 16;

	/* negotiate context offset */
	nco_item = proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &ctx_offset);
	offset += 4;

	/* negotiate context count */
	ncc_item = proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &ctx_count);
	offset += 2;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* dialect list */
	for (idx = 0; idx < dialect_count; idx++) {
		uint16_t dialect = tvb_get_letohs(tvb, offset);

		proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		offset += 2;

		if (dialect >= SMB2_DIALECT_310) {
			supports_smb_3_10 = true;
		}
	}

	if (!supports_smb_3_10) {
		/*
		 * XXX - if 3.10 or later isn't supported, those fields
		 * should be dissected as an 8-byte ClientStartTime field...
		 * ...which should always be set to zero by the
		 * client and ignored by the server.  Doing that would
		 * require that we look ahead and scan the dialect list
		 * but what if that's either cut off by a snapshot
		 * length or missing due to the packet being malformed
		 * or not reassembled or...?
		 *
		 * [MS-SMB2] says 3.11, but 3.10 is deprecated, and
		 * it appears to work the same way in this regard
		 * as 3.11.
		 */
		if (ctx_count != 0) {
			expert_add_info(pinfo, ncc_item, &ei_smb2_bad_negprot_negotiate_context_count);
			ctx_count = 0;
		}
		if (ctx_offset != 0) {
			expert_add_info(pinfo, nco_item, &ei_smb2_bad_negprot_negotiate_context_offset);
			ctx_offset = 0;
		}
	}

	if (ctx_offset != 0) {
		/*
		 * Position just past the dialect list, in the units of the
		 * packet-supplied context offset; presumably 0x40 is the SMB2
		 * header and 36 the fixed part of the request.
		 */
		uint32_t list_end = 0x40 + 36 + dialect_count * 2;

		if (ctx_offset >= list_end) {
			offset += ctx_offset - list_end;
		} else {
			/* an offset pointing back into the fixed fields is not followed */
			ctx_count = 0;
		}
	}

	for (idx = 0; idx < ctx_count; idx++) {
		offset = WS_ROUNDUP_8(offset);
		offset = dissect_smb2_negotiate_context(tvb, pinfo, tree, offset, si);
	}

	return offset;
}
/*
 * Dissect the body of an SMB2 NEGOTIATE response.
 *
 * On the first pass over a frame the response is folded into the
 * conversation's running preauth hash and the result is snapshotted in
 * the saved info.  The dialect read from the packet is stored in
 * si->conv->dialect and drives both the signing/encryption defaults set
 * below and whether the negotiate-context fields are treated as real or
 * as reserved.  Returns the offset after the last dissected byte.
 *
 * NOTE(review): si->conv is dereferenced throughout without a NULL
 * check; presumably the caller guarantees it - confirm.
 */
static int
dissect_smb2_negotiate_protocol_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t sec_blob;
	uint32_t ctx_idx;
	uint32_t ctx_offset;
	uint32_t ctx_count;
	bool continue_dissection;
	smb2_saved_info_t *saved = si->saved;

	/* compute preauth hash on first pass */
	if (saved && !pinfo->fd->visited) {
		saved->preauth_hash_res = (uint8_t*)wmem_alloc0(wmem_file_scope(), SMB2_PREAUTH_HASH_SIZE);
		update_preauth_hash(si->conv->preauth_hash_current, pinfo, tvb);
		memcpy(saved->preauth_hash_res, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);

		/*
		 * Every new session on this conversation starts from the
		 * hash value as of the negprot response, so keep a copy in
		 * preauth_hash_ses and continue hashing in that buffer.
		 * Assumes both buffers hold SMB2_PREAUTH_HASH_SIZE bytes.
		 */
		memcpy(si->conv->preauth_hash_ses, si->conv->preauth_hash_current, SMB2_PREAUTH_HASH_SIZE);
		si->conv->preauth_hash_current = si->conv->preauth_hash_ses;
	}

	/* show the snapshot as a generated field covering the whole tvb */
	if (saved && saved->preauth_hash_res) {
		proto_item *hash_item;

		hash_item = proto_tree_add_bytes_with_length(tree,
							     hf_smb2_preauth_hash, tvb,
							     0, tvb_captured_length(tvb),
							     saved->preauth_hash_res, SMB2_PREAUTH_HASH_SIZE);
		proto_item_set_generated(hash_item);
	}

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* security mode, skip second byte */
	offset = dissect_smb2_secmode(tree, tvb, offset);
	offset++;

	/* dialect picked by the server; remembered for the whole conversation */
	si->conv->dialect = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_dialect, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/*
	 * negotiate context count/reserved
	 *
	 * Unless the chosen dialect is 3.10 or later these two bytes are a
	 * reserved field that should be zero.  [MS-SMB2] says 3.11, but
	 * 3.10 is deprecated and appears to behave the same way here.
	 */
	if (si->conv->dialect >= SMB2_DIALECT_310) {
		proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &ctx_count);
	} else {
		proto_item *reserved_item;

		reserved_item = proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN, &ctx_count);
		if (ctx_count != 0) {
			expert_add_info(pinfo, reserved_item, &ei_smb2_bad_negprot_reserved);
			ctx_count = 0;
		}
	}
	offset += 2;

	/* server GUID */
	proto_tree_add_item(tree, hf_smb2_server_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
	offset += 16;

	/* capabilities */
	offset = dissect_smb2_capabilities(tree, tvb, offset);

	/* max trans size */
	proto_tree_add_item(tree, hf_smb2_max_trans_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* max read size */
	proto_tree_add_item(tree, hf_smb2_max_read_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* max write size */
	proto_tree_add_item(tree, hf_smb2_max_write_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* current time */
	dissect_nttime(tvb, tree, offset, hf_smb2_current_time, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* boot time */
	dissect_nttime(tvb, tree, offset, hf_smb2_boot_time, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* security blob offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &sec_blob, OLB_O_UINT16_S_UINT16, hf_smb2_security_blob);

	/* the security blob itself */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &sec_blob, si, dissect_smb2_secblob);

	/*
	 * negotiate context offset/reserved2
	 *
	 * Same rule as for the count above: only dialects >= 3.10 carry a
	 * real offset here, otherwise the field is reserved.
	 */
	if (si->conv->dialect >= SMB2_DIALECT_310) {
		proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &ctx_offset);
	} else {
		proto_item *reserved2_item;

		reserved2_item = proto_tree_add_item_ret_uint(tree, hf_smb2_negotiate_context_reserved2, tvb, offset, 4, ENC_LITTLE_ENDIAN, &ctx_offset);
		if (ctx_offset != 0) {
			expert_add_info(pinfo, reserved2_item, &ei_smb2_bad_negprot_reserved2);
			ctx_offset = 0;
		}
	}
	offset += 4;

	offset = dissect_smb2_olb_tvb_max_offset(offset, &sec_blob);

	if (si->conv->dialect == SMB2_DIALECT_300 || si->conv->dialect == SMB2_DIALECT_302) {
		/* If we know we are decrypting SMB3.0, it must be CCM */
		si->conv->enc_alg = SMB2_CIPHER_AES_128_CCM;
	}

	if (si->conv->dialect >= SMB2_DIALECT_300) {
		/* If we know we are decrypting SMB3.0, it's CMAC by default */
		si->conv->sign_alg = SMB2_SIGNING_ALG_AES_CMAC;
	} else {
		si->conv->sign_alg = SMB2_SIGNING_ALG_HMAC_SHA256;
	}

	if (si->conv->dialect < SMB2_DIALECT_310) {
		ctx_count = 0;
	}

	if (ctx_count != 0) {
		uint32_t fixed_end = 0x40 + 64 + sec_blob.len;

		/*
		 * NOTE(review): ctx_offset is a 32-bit value taken from the
		 * packet and only its lower bound is checked here, unlike
		 * the QUERY_INFO request path, which also compares against
		 * tvb_reported_length().  Presumably a result outside the
		 * buffer is rejected by the tvb accessors used further
		 * down - confirm, since offset is a signed int.
		 */
		if (ctx_offset >= fixed_end) {
			offset += ctx_offset - fixed_end;
		} else {
			ctx_count = 0;
		}
	}

	/* each negotiate context starts on an 8-byte boundary */
	for (ctx_idx = 0; ctx_idx < ctx_count; ctx_idx++) {
		offset = WS_ROUNDUP_8(offset);
		offset = dissect_smb2_negotiate_context(tvb, pinfo, tree, offset, si);
	}

	return offset;
}
/*
 * True/false display strings for the bits of the "additional
 * information" security mask used by GetInfo/SetInfo.  The first string
 * of each pair is shown when the bit is set, the second when it is clear.
 * Presumably the bits correspond to the *_SECURITY_INFORMATION values
 * defined at the top of this file; verify against the hf registration.
 */
static const true_false_string tfs_additional_owner = {
	"Requesting OWNER security information",
	"NOT requesting owner security information",
};

static const true_false_string tfs_additional_group = {
	"Requesting GROUP security information",
	"NOT requesting group security information",
};

static const true_false_string tfs_additional_dacl = {
	"Requesting DACL security information",
	"NOT requesting DACL security information",
};

static const true_false_string tfs_additional_sacl = {
	"Requesting SACL security information",
	"NOT requesting SACL security information",
};

static const true_false_string tfs_additional_label = {
	"Requesting integrity label security information",
	"NOT requesting integrity label security information",
};

static const true_false_string tfs_additional_attribute = {
	"Requesting resource attribute security information",
	"NOT requesting resource attribute security information",
};

static const true_false_string tfs_additional_scope = {
	"Requesting central access policy security information",
	"NOT requesting central access policy security information",
};

static const true_false_string tfs_additional_backup = {
	"Requesting backup operation security information",
	"NOT requesting backup operation security information",
};
/*
 * Add the GetInfo/SetInfo "additional information" field at `offset`
 * as a bitmask of security-information flags.
 *
 * SMB1 has its own dissect_security_information_mask(), but several of
 * these flags were not defined yet in that protocol, so SMB2 carries a
 * separate list.  The caller advances the offset itself.
 */
static void
dissect_additional_information_sec_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset)
{
	static int * const sec_mask_fields[] = {
		&hf_smb2_getsetinfo_additional_owner,
		&hf_smb2_getsetinfo_additional_group,
		&hf_smb2_getsetinfo_additional_dacl,
		&hf_smb2_getsetinfo_additional_sacl,
		&hf_smb2_getsetinfo_additional_label,
		&hf_smb2_getsetinfo_additional_attribute,
		&hf_smb2_getsetinfo_additional_scope,
		&hf_smb2_getsetinfo_additional_backup,
		NULL
	};

	proto_tree_add_bitmask(parent_tree, tvb, offset,
			       hf_smb2_getsetinfo_additionals,
			       ett_smb2_additional_information_sec_mask,
			       sec_mask_fields, ENC_LITTLE_ENDIAN);
}
/*
 * Dissect the two 4-byte parameter fields of a GetInfo request:
 * "additional information" followed by "flags".
 *
 * How each field is shown depends on the class and info level saved for
 * this request: security-info queries get the security mask breakdown,
 * and FileFullEaInformation queries get the query-info flag bits.
 * Returns the offset after both fields.
 *
 * NOTE(review): si->saved is dereferenced unconditionally, so it must
 * be non-NULL on entry - confirm every caller checks.
 */
static int
dissect_smb2_getinfo_parameters(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
{
	static int* const query_flag_fields[] = {
		&hf_smb2_query_info_flag_restart_scan,
		&hf_smb2_query_info_flag_return_single_entry,
		&hf_smb2_query_info_flag_index_specified,
		NULL
	};

	/* Additional Info */
	if (si->saved->smb2_class == SMB2_CLASS_SEC_INFO) {
		dissect_additional_information_sec_mask(tvb, tree, offset);
	} else {
		proto_tree_add_item(tree, hf_smb2_getsetinfo_additional, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	}
	offset += 4;

	/* Flags */
	if (si->saved->infolevel == SMB2_FILE_FULL_EA_INFO) {
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_query_info_flags, ett_smb2_query_info_flags, query_flag_fields, ENC_LITTLE_ENDIAN);
	} else {
		proto_tree_add_item(tree, hf_smb2_getinfo_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	}
	offset += 4;

	return offset;
}
/*
 * Dissect the query-quota input buffer of a GetInfo request.
 *
 * The fixed part is two one-byte flags, two reserved bytes and three
 * 32-bit little-endian values (SID list length, start SID length, start
 * SID offset).  If the SID list length is non-zero the list is dissected
 * next; otherwise, if a start SID length is given, a single SID is
 * dissected at the start SID offset.  Returns the resulting offset.
 */
static int
dissect_smb2_getinfo_buffer_quota(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset, smb2_info_t *si _U_)
{
	uint32_t sid_list_bytes = 0;
	uint32_t start_sid_bytes = 0;
	uint32_t start_sid_rel = 0;
	proto_item *quota_item = NULL;
	proto_tree *quota_tree = NULL;

	if (parent_tree) {
		quota_item = proto_tree_add_item(parent_tree, hf_smb2_query_quota_info, tvb, offset, -1, ENC_NA);
		quota_tree = proto_item_add_subtree(quota_item, ett_smb2_query_quota_info);
	}

	proto_tree_add_item(quota_tree, hf_smb2_qq_single, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	offset += 1;

	proto_tree_add_item(quota_tree, hf_smb2_qq_restart, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* reserved */
	proto_tree_add_item(quota_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	proto_tree_add_item_ret_uint(quota_tree, hf_smb2_qq_sidlist_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &sid_list_bytes);
	offset += 4;

	proto_tree_add_item_ret_uint(quota_tree, hf_smb2_qq_start_sid_len, tvb, offset, 4, ENC_LITTLE_ENDIAN, &start_sid_bytes);
	offset += 4;

	proto_tree_add_item_ret_uint(quota_tree, hf_smb2_qq_start_sid_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &start_sid_rel);
	offset += 4;

	if (sid_list_bytes != 0) {
		offset = dissect_nt_get_user_quota(tvb, quota_tree, offset, &sid_list_bytes);
	} else if (start_sid_bytes != 0) {
		/*
		 * NOTE(review): start_sid_rel is an unchecked 32-bit value
		 * from the packet; the sum is computed unsigned and then
		 * passed as an int.  Presumably dissect_nt_sid's tvb
		 * accesses reject a position outside the buffer - confirm.
		 * start_sid_bytes is only tested for non-zero, never used
		 * to bound the SID.
		 */
		offset = dissect_nt_sid(tvb, offset + start_sid_rel, quota_tree, "Start SID", NULL, -1);
	}

	return offset;
}
/*
 * Show the info class and info level of a GetInfo/SetInfo exchange.
 *
 * In a request both bytes are read from the packet at `offset` and
 * `offset + 1` and, when saved info exists, remembered there.  In a
 * response they are taken from the saved info instead and the two items
 * are marked as generated; without saved info nothing is added and the
 * offset is returned unchanged.  Otherwise returns offset + 2.
 */
static int
dissect_smb2_class_infolevel(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
{
	uint8_t cl, il;
	proto_item *item;
	int hfindex;
	value_string_ext *vsx;
	const bool is_response = (si->flags & SMB2_FLAGS_RESPONSE) != 0;

	if (is_response) {
		if (!si->saved) {
			return offset;
		}
		cl = si->saved->smb2_class;
		il = si->saved->infolevel;
	} else {
		cl = tvb_get_uint8(tvb, offset);
		il = tvb_get_uint8(tvb, offset+1);
		if (si->saved) {
			si->saved->smb2_class = cl;
			si->saved->infolevel = il;
		}
	}

	/* the level's field and name table depend on the class */
	switch (cl) {
	case SMB2_CLASS_FILE_INFO:
		hfindex = hf_smb2_infolevel_file_info;
		vsx = &smb2_file_info_levels_ext;
		break;
	case SMB2_CLASS_FS_INFO:
		hfindex = hf_smb2_infolevel_fs_info;
		vsx = &smb2_fs_info_levels_ext;
		break;
	case SMB2_CLASS_SEC_INFO:
		hfindex = hf_smb2_infolevel_sec_info;
		vsx = &smb2_sec_info_levels_ext;
		break;
	case SMB2_CLASS_QUOTA_INFO:
		/* infolevel is not being used for quota */
		hfindex = hf_smb2_infolevel;
		vsx = NULL;
		break;
	default:
		hfindex = hf_smb2_infolevel;
		vsx = NULL;  /* allowed arg to val_to_str_ext() */
	}

	/* class */
	item = proto_tree_add_uint(tree, hf_smb2_class, tvb, offset, 1, cl);
	if (is_response) {
		proto_item_set_generated(item);
	}

	/* infolevel */
	item = proto_tree_add_uint(tree, hfindex, tvb, offset+1, 1, il);
	if (is_response) {
		proto_item_set_generated(item);
	}
	offset += 2;

	if (!is_response) {
		/*
		 * Only requests update COL_INFO; doing it for replies too
		 * clutters the display.
		 */
		col_append_fstr(pinfo->cinfo, COL_INFO, " %s/%s",
				val_to_str(cl, smb2_class_vals, "(Class:0x%02x)"),
				val_to_str_ext(il, vsx, "(Level:0x%02x)"));
	}

	return offset;
}
/*
 * Dissect an SMB2 QUERY_INFO (GetInfo) request.
 *
 * After the fixed-length fields and the file id, the optional input
 * buffer is handled.  Its offset (16 bit) and size (32 bit) come from
 * the packet, so both are validated against the fixed part of the
 * message and against the reported tvb length before being used; a
 * failed check adds an expert info and stops dissection of the buffer.
 * Returns the offset after the last dissected byte.
 */
static int
dissect_smb2_getinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	uint32_t getinfo_size = 0;
	uint32_t getinfo_offset = 0;
	proto_item *offset_item;
	proto_item *item;
	bool has_input_buffer;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* class and info level */
	offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);

	/* max response size */
	proto_tree_add_item(tree, hf_smb2_max_response_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* input buffer offset */
	offset_item = proto_tree_add_item_ret_uint(tree, hf_smb2_getinfo_input_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN, &getinfo_offset);
	offset += 2;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* input buffer size */
	proto_tree_add_item_ret_uint(tree, hf_smb2_getinfo_input_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &getinfo_size);
	offset += 4;

	/* parameters */
	if (si->saved) {
		offset = dissect_smb2_getinfo_parameters(tvb, pinfo, tree, offset, si);
	} else {
		/* some unknown bytes */
		proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 8, ENC_NA);
		offset += 8;
	}

	/* file id hash, when one was recorded for this request */
	if (si->saved && si->saved->fid_hash) {
		item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(item);
	}

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* the input buffer can only be interpreted with saved class/level */
	if (!si->saved) {
		return offset;
	}

	if (getinfo_size == 0) {
		/*
		 * The buffer size is 0, meaning it's not present.
		 *
		 * 2.2.37 allows a FileFullEaInformation request to carry
		 * zero FILE_GET_EA_INFORMATION structures, so an empty
		 * buffer is fine there.  For quota requests the same
		 * section says the input buffer MUST contain an
		 * SMB2_QUERY_QUOTA_INFO, so an empty buffer is flagged.
		 */
		if (si->saved->smb2_class == SMB2_CLASS_QUOTA_INFO)
			expert_add_info(pinfo, offset_item, &ei_smb2_empty_getinfo_buffer);
		return offset;
	}

	/*
	 * 2.2.37: the size is the length of the embedded
	 * SMB2_QUERY_QUOTA_INFO for quota requests and of the user supplied
	 * EA list for FileFullEaInformation requests; for every other query
	 * it SHOULD be 0 and the server MUST ignore it.  Those two are the
	 * only requests with an input buffer, so a non-zero size on any
	 * other request is neither interpreted nor checked.
	 */
	has_input_buffer =
		si->saved->smb2_class == SMB2_CLASS_QUOTA_INFO ||
		(si->saved->smb2_class == SMB2_CLASS_FILE_INFO &&
		 si->saved->infolevel == SMB2_FILE_FULL_EA_INFO);
	if (!has_input_buffer) {
		return offset;
	}

	/* the input buffer must start after the fixed-length part */
	if (getinfo_offset < (unsigned)offset) {
		expert_add_info(pinfo, offset_item, &ei_smb2_invalid_getinfo_offset);
		return offset;
	}

	/*
	 * The input buffer must lie within the message: reject an
	 * offset+length that wraps around as well as one that ends beyond
	 * the reported length of the tvbuff.
	 */
	if (getinfo_offset + getinfo_size < getinfo_offset ||
	    getinfo_offset + getinfo_size > tvb_reported_length(tvb)) {
		expert_add_info(pinfo, offset_item, &ei_smb2_invalid_getinfo_size);
		return offset;
	}

	if (si->saved->smb2_class == SMB2_CLASS_QUOTA_INFO) {
		dissect_smb2_getinfo_buffer_quota(tvb, pinfo, tree, getinfo_offset, si);
	} else {
		/* XXX - handle user supplied EA info. */
		proto_tree_add_item(tree, hf_smb2_unknown, tvb, getinfo_offset, getinfo_size, ENC_NA);
	}
	offset = getinfo_offset + getinfo_size;

	return offset;
}
/*
 * Dispatch a GetInfo/SetInfo data buffer to the dissector for the given
 * info class and info level.
 *
 * A class or level without a dedicated dissector is shown as one
 * "unknown" item covering the rest of the captured data.  When the
 * status is 0x80000005 (BUFFER_OVERFLOW) a generated "truncated" marker
 * is added at the start of the buffer.
 */
static void
dissect_smb2_infolevel(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si, uint8_t smb2_class, uint8_t infolevel)
{
	int old_offset = offset;
	bool handled = true;

	switch (smb2_class) {
	case SMB2_CLASS_FILE_INFO:
		switch (infolevel) {
		case SMB2_FILE_BASIC_INFO:
			offset = dissect_smb2_file_basic_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_STANDARD_INFO:
			offset = dissect_smb2_file_standard_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_INTERNAL_INFO:
			offset = dissect_smb2_file_internal_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_EA_INFO:
			offset = dissect_smb2_file_ea_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_ACCESS_INFO:
			offset = dissect_smb2_file_access_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_RENAME_INFO:
			offset = dissect_smb2_file_rename_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_LINK_INFO:
			offset = dissect_smb2_file_link_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_DISPOSITION_INFO:
			offset = dissect_smb2_file_disposition_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_POSITION_INFO:
			offset = dissect_smb2_file_position_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_FULL_EA_INFO:
			offset = dissect_smb2_file_full_ea_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_MODE_INFO:
			offset = dissect_smb2_file_mode_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_ALIGNMENT_INFO:
			offset = dissect_smb2_file_alignment_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_ALL_INFO:
			offset = dissect_smb2_file_all_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_ALLOCATION_INFO:
			offset = dissect_smb2_file_allocation_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_ENDOFFILE_INFO:
			/* result deliberately not stored, as in the other cases it is unused */
			dissect_smb2_file_endoffile_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_ALTERNATE_NAME_INFO:
			offset = dissect_smb2_file_alternate_name_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_STREAM_INFO:
			offset = dissect_smb2_file_stream_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_PIPE_INFO:
			offset = dissect_smb2_file_pipe_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_COMPRESSION_INFO:
			offset = dissect_smb2_file_compression_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_NETWORK_OPEN_INFO:
			offset = dissect_smb2_file_network_open_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_ATTRIBUTE_TAG_INFO:
			offset = dissect_smb2_file_attribute_tag_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_NORMALIZED_NAME_INFO:
			offset = dissect_smb2_file_normalized_name_info(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FILE_POSIX_INFO:
			offset = dissect_smb2_posix_info(tvb, pinfo, tree, offset, si);
			break;
		default:
			/* we don't handle this infolevel yet */
			handled = false;
		}
		break;
	case SMB2_CLASS_FS_INFO:
		switch (infolevel) {
		case SMB2_FS_INFO_01:
			offset = dissect_smb2_fs_info_01(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FS_INFO_03:
			offset = dissect_smb2_fs_info_03(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FS_INFO_04:
			offset = dissect_smb2_fs_info_04(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FS_INFO_05:
			offset = dissect_smb2_fs_info_05(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FS_INFO_06:
			offset = dissect_smb2_fs_info_06(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FS_INFO_07:
			offset = dissect_smb2_fs_info_07(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FS_OBJECTID_INFO:
			offset = dissect_smb2_FS_OBJECTID_INFO(tvb, pinfo, tree, offset, si);
			break;
		case SMB2_FS_POSIX_INFO:
			offset = dissect_smb2_fs_posix_info(tvb, pinfo, tree, offset, si);
			break;
		default:
			/* we don't handle this infolevel yet */
			handled = false;
		}
		break;
	case SMB2_CLASS_SEC_INFO:
		switch (infolevel) {
		case SMB2_SEC_INFO_00:
			offset = dissect_smb2_sec_info_00(tvb, pinfo, tree, offset, si);
			break;
		default:
			/* we don't handle this infolevel yet */
			handled = false;
		}
		break;
	case SMB2_CLASS_QUOTA_INFO:
		offset = dissect_smb2_quota_info(tvb, pinfo, tree, offset, si);
		break;
	default:
		/* we don't handle this class yet */
		handled = false;
	}

	/*
	 * Nothing above recognised the class/level, so offset is still the
	 * start of the buffer: show everything that was captured as unknown.
	 */
	if (!handled) {
		proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, tvb_captured_length_remaining(tvb, offset), ENC_NA);
	}

	/* if we get BUFFER_OVERFLOW there will be truncated data */
	if (si->status == 0x80000005) {
		proto_item *item;

		item = proto_tree_add_item(tree, hf_smb2_truncated, tvb, old_offset, 0, ENC_NA);
		proto_item_set_generated(item);
	}
}
/*
 * Dissect the output buffer of a GetInfo response.  `tvb` holds only the
 * buffer, so dissection starts at offset 0.
 *
 * The class and info level come from the saved request info; without it
 * the whole captured buffer is shown as unknown bytes.
 */
static void
dissect_smb2_getinfo_response_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	if (!si->saved) {
		/* some unknown bytes */
		proto_tree_add_item(tree, hf_smb2_unknown, tvb, 0, tvb_captured_length(tvb), ENC_NA);
		return;
	}

	/* data */
	dissect_smb2_infolevel(tvb, pinfo, tree, 0, si, si->saved->smb2_class, si->saved->infolevel);
}
/*
 * Dissect an SMB2 QUERY_INFO (GetInfo) response.
 *
 * Status 0 and 0x80000005 (BUFFER_OVERFLOW, data present but truncated)
 * carry a normal response body.  Status 0xc0000023 carries no data, only
 * a 32-bit value giving the buffer size that would be needed.  Any other
 * status is handed to the error-response dissector, which decides
 * whether dissection continues.  Returns the offset after the fixed
 * part of the response.
 */
static int
dissect_smb2_getinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t olb;
	bool continue_dissection;
	proto_item *item;

	/* class/infolevel: taken from the saved request, offset is not advanced */
	dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);

	switch (si->status) {
	case 0x00000000:
	/* if we get BUFFER_OVERFLOW there will be truncated data */
	case 0x80000005:
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
		break;
	/*
	 * if we get BUFFER_TOO_SMALL there will not be any data there, only
	 * a uint32 specifying how big the buffer needs to be
	 */
	case 0xc0000023:
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
		offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);
		proto_tree_add_item(tree, hf_smb2_required_buffer_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		return offset;
	default:
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* response buffer offset and size */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &olb, OLB_O_UINT16_S_UINT32, -1);

	/* response data */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &olb, si, dissect_smb2_getinfo_response_data);

	/* file id hash, when one was recorded for the request */
	if (si->saved && si->saved->fid_hash) {
		item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(item);
	}

	return offset;
}
/*
 * Dissect an SMB2 CLOSE request: buffer code, 2-byte close flags,
 * 4 bytes of padding and the file id being closed.  Returns the offset
 * after the file id.
 */
static int
dissect_smb2_close_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	proto_tree *close_flags_tree = NULL;
	proto_item *close_flags_item = NULL;
	proto_item *item;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* close flags */
	if (tree) {
		close_flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		close_flags_tree = proto_item_add_subtree(close_flags_item, ett_smb2_close_flags);
	}
	proto_tree_add_item(close_flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* padding */
	offset += 4;

	/* file id hash, when one was recorded for this request */
	if (si->saved && si->saved->fid_hash) {
		item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(item);
	}

	/* fid; FID_MODE_CLOSE tells the fid dissector this handle is being closed */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_CLOSE);

	return offset;
}
/*
 * Dissect an SMB2 CLOSE response: close flags, reserved bytes, four
 * 8-byte timestamps, allocation size, end-of-file position and the file
 * attributes.  A non-zero status goes through the error-response
 * dissector first, which decides whether the body is dissected at all.
 * Returns the offset after the last dissected byte.
 *
 * pinfo is marked _U_ in the signature but is passed to the
 * error-response dissector.
 */
static int
dissect_smb2_close_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si)
{
	proto_tree *close_flags_tree = NULL;
	proto_item *close_flags_item = NULL;
	proto_item *item;
	bool continue_dissection;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* close flags */
	if (tree) {
		close_flags_item = proto_tree_add_item(tree, hf_smb2_close_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		close_flags_tree = proto_item_add_subtree(close_flags_item, ett_smb2_close_flags);
	}
	proto_tree_add_item(close_flags_tree, hf_smb2_close_pq_attrib, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* create time */
	dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last access */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last write */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last change */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* allocation size */
	proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* end of file */
	proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* File Attributes */
	offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);

	/* file id hash, when one was recorded for the request */
	if (si->saved && si->saved->fid_hash) {
		item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(item);
	}

	return offset;
}
/*
 * Dissect an SMB2 FLUSH request: buffer code, two reserved fields
 * (2 and 4 bytes) and the file id.  Returns the offset after the file
 * id.
 */
static int
dissect_smb2_flush_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	proto_item *hash_item;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* reserved1 */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* reserved2 */
	proto_tree_add_item(tree, hf_smb2_flush_reserved2, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* file id hash, when one was recorded for this request */
	if (si->saved && si->saved->fid_hash) {
		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	return offset;
}
/*
 * Dissect an SMB2 FLUSH response: buffer code (or the error response for
 * a non-zero status) followed by two reserved bytes.  Returns the offset
 * after the reserved bytes.
 *
 * pinfo and si are marked _U_ in the signature but both are used.
 */
static int
dissect_smb2_flush_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	bool continue_dissection;
	proto_item *hash_item;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* file id hash, when one was recorded for the request */
	if (si->saved && si->saved->fid_hash) {
		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* reserved bytes */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	return offset;
}
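/*
 * Dissect an SMB2 LOCK request: buffer code, lock count, the lock
 * sequence number/index (two views of the same 4 bytes), the file id
 * and then `lock count` lock elements of 24 bytes each (8-byte file
 * offset, 8-byte length, 4-byte flags, 4 reserved bytes).  Returns the
 * offset after the last lock element.
 *
 * The lock count is a 16-bit value taken from the packet and is not
 * compared with the remaining data before the loop.  NOTE(review): the
 * loop is presumably ended by the tvb accessors raising on short data -
 * confirm.
 */
static int
dissect_smb2_lock_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	uint16_t lock_count;
	proto_item *item;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* lock count */
	lock_count = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_lock_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* Lock Sequence Number/Index */
	proto_tree_add_item(tree, hf_smb2_lock_sequence_number, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(tree, hf_smb2_lock_sequence_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* file id hash, when one was recorded for this request */
	if (si->saved && si->saved->fid_hash) {
		item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(item);
	}

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	while (lock_count--) {
		proto_item *lock_item = NULL;
		proto_tree *lock_tree = NULL;
		static int * const lf_fields[] = {
			&hf_smb2_lock_flags_shared,
			&hf_smb2_lock_flags_exclusive,
			&hf_smb2_lock_flags_unlock,
			&hf_smb2_lock_flags_fail_immediately,
			NULL
		};

		if (tree) {
			lock_item = proto_tree_add_item(tree, hf_smb2_lock_info, tvb, offset, 24, ENC_NA);
			lock_tree = proto_item_add_subtree(lock_item, ett_smb2_lock_info);
		}

		/*
		 * offset: goes into lock_tree like the other three fields.
		 * It used to be added to the parent tree, so it showed up
		 * beside the 24-byte lock element instead of inside it.
		 */
		proto_tree_add_item(lock_tree, hf_smb2_file_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* count */
		proto_tree_add_item(lock_tree, hf_smb2_lock_length, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		/* flags */
		proto_tree_add_bitmask(lock_tree, tvb, offset, hf_smb2_lock_flags, ett_smb2_lock_flags, lf_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* reserved */
		proto_tree_add_item(lock_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
		offset += 4;
	}

	return offset;
}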
/*
 * Dissect an SMB2 LOCK response: buffer code (or the error response for
 * a non-zero status) followed by two reserved bytes.  Returns the offset
 * after the reserved bytes.
 *
 * pinfo and si are marked _U_ in the signature but both are used.
 */
static int
dissect_smb2_lock_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	bool continue_dissection;
	proto_item *hash_item;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* file id hash, when one was recorded for the request */
	if (si->saved && si->saved->fid_hash) {
		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	return offset;
}
/*
 * Dissect an SMB2 CANCEL request: the buffer code followed by two bytes
 * whose meaning this dissector does not interpret.  Returns the offset
 * after those bytes.
 */
static int
dissect_smb2_cancel_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* some unknown bytes */
	proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 2, ENC_NA);

	return offset + 2;
}
/*
 * Return the file info attached to this SMB2 transaction, or NULL.
 *
 * si->file is preferred; si->saved->file is the fallback.  si itself may
 * be NULL (some callers in packet-smb.c pass no smb2 info), in which
 * case NULL is returned.
 */
static const smb2_fid_info_t *
smb2_pipe_get_fid_info(const smb2_info_t *si)
{
	if (si == NULL) {
		return NULL;
	}

	if (si->file != NULL) {
		return si->file;
	}

	if (si->saved != NULL) {
		return si->saved->file;
	}

	return NULL;
}
/*
 * Give the DCE/RPC dissector a per-file transport salt for this packet.
 * Nothing is set when no file info is known for the transaction.
 *
 * The salt is the in-memory address of the file info, not a value from
 * the packet.  NOTE(review): GPOINTER_TO_UINT presumably narrows the
 * pointer to 32 bits, so on 64-bit builds two file infos could share a
 * salt - confirm whether that matters to the DCE/RPC side.
 */
static void
smb2_pipe_set_file_id(packet_info *pinfo, smb2_info_t *si)
{
	const smb2_fid_info_t *fid_info = smb2_pipe_get_fid_info(si);
	uint64_t salt;

	if (fid_info == NULL) {
		return;
	}

	salt = GPOINTER_TO_UINT(fid_info);

	dcerpc_set_transport_salt(salt, pinfo);
}
/* Offer reassembly of named pipe PDUs to pipe subdissectors; on by default. */
static bool smb2_pipe_reassembly = true;

/*
 * Presumably toggles checking of SMB2 message signatures; off by
 * default.  Not used in this part of the file - verify where it is read.
 */
static bool smb2_verify_signatures;

/* Fragments of named pipe PDUs that are still being reassembled. */
static reassembly_table smb2_pipe_reassembly_table;
6927 dissect_file_data_smb2_pipe(tvbuff_t
*raw_tvb
, packet_info
*pinfo
, proto_tree
*tree _U_
, int offset
, uint32_t datalen
, proto_tree
*top_tree
, void *data
)
6930 * Note: si is NULL for some callers from packet-smb.c
6932 const smb2_info_t
*si
= (const smb2_info_t
*)data
;
6934 bool save_fragmented
;
6936 unsigned reported_len
;
6937 const smb2_fid_info_t
*file
= NULL
;
6939 fragment_head
*fd_head
;
6940 fragment_item
*fd_i
;
6943 proto_item
*frag_tree_item
;
6944 heur_dtbl_entry_t
*hdtbl_entry
;
6946 file
= smb2_pipe_get_fid_info(si
);
6947 id
= (uint32_t)(GPOINTER_TO_UINT(file
) & UINT32_MAX
);
6949 remaining
= tvb_captured_length_remaining(raw_tvb
, offset
);
6951 tvb
= tvb_new_subset_length_caplen(raw_tvb
, offset
,
6952 MIN((int)datalen
, remaining
),
6956 * Offer desegmentation service to Named Pipe subdissectors (e.g. DCERPC)
6957 * if we have all the data. Otherwise, reassembly is (probably) impossible.
6959 pinfo
->can_desegment
= 0;
6960 pinfo
->desegment_offset
= 0;
6961 pinfo
->desegment_len
= 0;
6962 reported_len
= tvb_reported_length(tvb
);
6963 if (smb2_pipe_reassembly
&& tvb_captured_length(tvb
) >= reported_len
) {
6964 pinfo
->can_desegment
= 2;
6967 save_fragmented
= pinfo
->fragmented
;
6970 * if we are not offering desegmentation, just try the heuristics
6973 if (!pinfo
->can_desegment
) {
6974 result
= dissector_try_heuristic(smb2_pipe_subdissector_list
,
6975 tvb
, pinfo
, top_tree
,
6976 &hdtbl_entry
, data
);
6977 goto clean_up_and_exit
;
6980 /* below this line, we know we are doing reassembly */
6983 * this is a new packet, see if we are already reassembling this
6984 * pdu and if not, check if the dissector wants us
6987 if (!pinfo
->fd
->visited
) {
6989 * This is the first pass.
6991 * Check if we are already reassembling this PDU or not;
6992 * we check for an in-progress reassembly for this FID
6993 * in this direction, by searching for its reassembly
6996 fd_head
= fragment_get(&smb2_pipe_reassembly_table
,
7000 * No reassembly, so this is a new pdu. check if the
7001 * dissector wants us to reassemble it or if we
7002 * already got the full pdu in this tvb.
7006 * Try the heuristic dissectors and see if we
7007 * find someone that recognizes this payload.
7009 result
= dissector_try_heuristic(smb2_pipe_subdissector_list
,
7010 tvb
, pinfo
, top_tree
,
7011 &hdtbl_entry
, data
);
7013 /* no this didn't look like something we know */
7015 goto clean_up_and_exit
;
7018 /* did the subdissector want us to reassemble any
7021 if (pinfo
->desegment_len
) {
7022 fragment_add_check(&smb2_pipe_reassembly_table
,
7023 tvb
, 0, pinfo
, id
, NULL
,
7024 0, reported_len
, true);
7025 fragment_set_tot_len(&smb2_pipe_reassembly_table
,
7027 pinfo
->desegment_len
+reported_len
);
7029 goto clean_up_and_exit
;
7032 /* OK, we're already doing a reassembly for this FID.
7033 skip to last segment in the existing reassembly structure
7034 and add this fragment there
7036 XXX we might add code here to use any offset values
7037 we might pick up from the Read/Write calls instead of
7038 assuming we always get them in the correct order
7040 for (fd_i
= fd_head
->next
; fd_i
->next
; fd_i
= fd_i
->next
) {}
7041 fd_head
= fragment_add_check(&smb2_pipe_reassembly_table
,
7042 tvb
, 0, pinfo
, id
, NULL
,
7043 fd_i
->offset
+fd_i
->len
,
7044 reported_len
, true);
7046 /* if we completed reassembly */
7048 new_tvb
= tvb_new_chain(tvb
, fd_head
->tvb_data
);
7049 add_new_data_source(pinfo
, new_tvb
,
7050 "Named Pipe over SMB2");
7051 pinfo
->fragmented
=false;
7055 /* list what segments we have */
7056 show_fragment_tree(fd_head
, &smb2_pipe_frag_items
,
7057 tree
, pinfo
, tvb
, &frag_tree_item
);
7059 /* dissect the full PDU */
7060 result
= dissector_try_heuristic(smb2_pipe_subdissector_list
,
7061 tvb
, pinfo
, top_tree
,
7062 &hdtbl_entry
, data
);
7064 goto clean_up_and_exit
;
7068 * This is not the first pass; see if it's in the table of
7069 * reassembled packets.
7071 * XXX - we know that several of the arguments aren't going to
7072 * be used, so we pass bogus variables. Can we clean this
7073 * up so that we don't have to distinguish between the first
7074 * pass and subsequent passes?
7076 fd_head
= fragment_add_check(&smb2_pipe_reassembly_table
,
7077 tvb
, 0, pinfo
, id
, NULL
, 0, 0, true);
7079 /* we didn't find it, try any of the heuristic dissectors
7082 result
= dissector_try_heuristic(smb2_pipe_subdissector_list
,
7083 tvb
, pinfo
, top_tree
,
7084 &hdtbl_entry
, data
);
7085 goto clean_up_and_exit
;
7087 if (!(fd_head
->flags
&FD_DEFRAGMENTED
)) {
7088 /* we don't have a fully reassembled frame */
7089 result
= dissector_try_heuristic(smb2_pipe_subdissector_list
,
7090 tvb
, pinfo
, top_tree
,
7091 &hdtbl_entry
, data
);
7092 goto clean_up_and_exit
;
7095 /* it is reassembled but it was reassembled in a different frame */
7096 if (pinfo
->num
!= fd_head
->reassembled_in
) {
7098 item
= proto_tree_add_uint(top_tree
, hf_smb2_pipe_reassembled_in
,
7099 tvb
, 0, 0, fd_head
->reassembled_in
);
7100 proto_item_set_generated(item
);
7101 goto clean_up_and_exit
;
7104 /* display the reassembled pdu */
7105 new_tvb
= tvb_new_chain(tvb
, fd_head
->tvb_data
);
7106 add_new_data_source(pinfo
, new_tvb
,
7107 "Named Pipe over SMB2");
7108 pinfo
->fragmented
= false;
7112 /* list what segments we have */
7113 show_fragment_tree(fd_head
, &smb2_pipe_frag_items
,
7114 top_tree
, pinfo
, tvb
, &frag_tree_item
);
7116 /* dissect the full PDU */
7117 result
= dissector_try_heuristic(smb2_pipe_subdissector_list
,
7118 tvb
, pinfo
, top_tree
,
7119 &hdtbl_entry
, data
);
7122 /* clear out the variables */
7123 pinfo
->can_desegment
=0;
7124 pinfo
->desegment_offset
= 0;
7125 pinfo
->desegment_len
= 0;
7128 call_data_dissector(tvb
, pinfo
, top_tree
);
7131 pinfo
->fragmented
= save_fragmented
;
7137 #define SMB2_CHANNEL_NONE 0x00000000
7138 #define SMB2_CHANNEL_RDMA_V1 0x00000001
7139 #define SMB2_CHANNEL_RDMA_V1_INVALIDATE 0x00000002
7140 #define SMB2_CHANNEL_RDMA_TRANSFORM 0x00000003
7142 static const value_string smb2_channel_vals
[] = {
7143 { SMB2_CHANNEL_NONE
, "None" },
7144 { SMB2_CHANNEL_RDMA_V1
, "RDMA V1" },
7145 { SMB2_CHANNEL_RDMA_V1_INVALIDATE
, "RDMA V1_INVALIDATE" },
7146 { SMB2_CHANNEL_RDMA_TRANSFORM
, "RDMA TRANSFORM" },
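/*
 * Dissect a channel-info blob made of SMB Direct Buffer Descriptor V1
 * entries.  Each entry is 16 bytes on the wire: an 8-byte offset, a 4-byte
 * token and a 4-byte length, all little-endian.
 *
 * tvb          the blob only; dissection starts at offset 0
 * parent_tree  tree the descriptors are added to; its parent item receives
 *              a summary with the element count
 *
 * The element count is derived from the reported length of the blob, not
 * from a count field in the packet, so the loop cannot run past the buffer.
 */
static void
dissect_smb2_rdma_v1_blob(tvbuff_t *tvb, packet_info *pinfo _U_,
			  proto_tree *parent_tree, smb2_info_t *si _U_)
{
	enum { RDMA_V1_DESCRIPTOR_LEN = 16 };

	int         offset = 0;
	int         len;
	int         i;
	int         num;
	proto_tree *sub_tree;
	proto_item *parent_item;

	parent_item = proto_tree_get_parent(parent_tree);

	len = tvb_reported_length(tvb);

	/* Only whole descriptors are dissected; a trailing partial one is ignored. */
	num = len / RDMA_V1_DESCRIPTOR_LEN;

	if (parent_item) {
		proto_item_append_text(parent_item, ": SMBDirect Buffer Descriptor V1: (%d elements)", num);
	}

	for (i = 0; i < num; i++) {
		/*
		 * The subtree spans the whole 16-byte descriptor.  It used to be
		 * 8 bytes long, which highlighted only the offset field and left
		 * token and length outside their own parent item.
		 */
		sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, RDMA_V1_DESCRIPTOR_LEN, ett_smb2_rdma_v1, NULL, "RDMA V1");

		proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_token, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		proto_tree_add_item(sub_tree, hf_smb2_rdma_v1_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;
	}
}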
7185 #define SMB2_WRITE_FLAG_WRITE_THROUGH 0x00000001
7186 #define SMB2_WRITE_FLAG_WRITE_UNBUFFERED 0x00000002
7188 static const true_false_string tfs_write_through
= {
7189 "Client is asking for WRITE_THROUGH",
7190 "Client is NOT asking for WRITE_THROUGH"
7193 static const true_false_string tfs_write_unbuffered
= {
7194 "Client is asking for UNBUFFERED write",
7195 "Client is NOT asking for UNBUFFERED write"
7199 dissect_smb2_write_request(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, smb2_info_t
*si
)
7201 uint16_t dataoffset
= 0;
7202 uint32_t data_tvb_len
;
7203 offset_length_buffer_t c_olb
;
7208 static int * const f_fields
[] = {
7209 &hf_smb2_write_flags_write_through
,
7210 &hf_smb2_write_flags_write_unbuffered
,
7215 offset
= dissect_smb2_buffercode(tree
, tvb
, offset
, NULL
);
7218 dataoffset
=tvb_get_letohs(tvb
,offset
);
7219 proto_tree_add_item(tree
, hf_smb2_data_offset
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
7223 length
= tvb_get_letohl(tvb
, offset
);
7224 proto_tree_add_item(tree
, hf_smb2_write_length
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7228 off
= tvb_get_letoh64(tvb
, offset
);
7229 if (si
->saved
) si
->saved
->file_offset
=off
;
7230 proto_tree_add_item(tree
, hf_smb2_file_offset
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7233 col_append_fstr(pinfo
->cinfo
, COL_INFO
, " Len:%d Off:%" PRIu64
, length
, off
);
7236 if (si
->saved
&& si
->saved
->fid_hash
) {
7237 item
= proto_tree_add_uint_format(tree
, hf_smb2_file_id_hash
, tvb
, 0, 0,
7238 si
->saved
->fid_hash
, "File Id Hash: 0x%04x", si
->saved
->fid_hash
);
7239 proto_item_set_generated(item
);
7243 offset
= dissect_smb2_fid(tvb
, pinfo
, tree
, offset
, si
, FID_MODE_USE
);
7246 channel
= tvb_get_letohl(tvb
, offset
);
7247 proto_tree_add_item(tree
, hf_smb2_channel
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7250 /* remaining bytes */
7251 proto_tree_add_item(tree
, hf_smb2_remaining_bytes
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7254 /* write channel info blob offset/length */
7255 offset
= dissect_smb2_olb_length_offset(tvb
, offset
, &c_olb
, OLB_O_UINT16_S_UINT16
, hf_smb2_channel_info_blob
);
7258 proto_tree_add_bitmask(tree
, tvb
, offset
, hf_smb2_write_flags
, ett_smb2_write_flags
, f_fields
, ENC_LITTLE_ENDIAN
);
7261 /* the write channel info blob itself */
7263 case SMB2_CHANNEL_RDMA_V1
:
7264 case SMB2_CHANNEL_RDMA_V1_INVALIDATE
:
7265 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &c_olb
, si
, dissect_smb2_rdma_v1_blob
);
7267 case SMB2_CHANNEL_NONE
:
7269 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &c_olb
, si
, NULL
);
7273 data_tvb_len
=(uint32_t)tvb_captured_length_remaining(tvb
, offset
);
7275 /* data or namedpipe ?*/
7277 int oldoffset
= offset
;
7278 smb2_pipe_set_file_id(pinfo
, si
);
7279 offset
= dissect_file_data_smb2_pipe(tvb
, pinfo
, tree
, offset
, length
, si
->top_tree
, si
);
7280 if (offset
!= oldoffset
) {
7281 /* managed to dissect pipe data */
7286 /* just ordinary data */
7287 proto_tree_add_item(tree
, hf_smb2_write_data
, tvb
, offset
, length
, ENC_NA
);
7289 offset
+= MIN(length
,(uint32_t)tvb_captured_length_remaining(tvb
, offset
));
7291 offset
= dissect_smb2_olb_tvb_max_offset(offset
, &c_olb
);
7294 if (have_tap_listener(smb2_eo_tap
) && (data_tvb_len
== length
)) {
7295 if (si
->saved
&& si
->eo_file_info
) { /* without this data we don't know which file this belongs to */
7296 feed_eo_smb2(tvb
,pinfo
,si
,dataoffset
,length
,off
);
/*
 * Dissect an SMB2 WRITE response.
 *
 * A zero status is followed by the normal buffer code; any other status is
 * handed to the error-response dissector, which decides whether the rest of
 * the body is dissected.  Returns the offset after the last field consumed.
 *
 * NOTE(review): pinfo and si are tagged _U_ but both are used here, and si
 * is dereferenced without a NULL check - confirm every caller passes a
 * valid smb2_info_t.
 */
static int
dissect_smb2_write_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, smb2_info_t *si _U_)
{
	bool        continue_dissection;
	proto_item *hash_item;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* generated item: hash of the file id saved with the request, if any */
	if (si->saved && si->saved->fid_hash) {
		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* count */
	proto_tree_add_item(tree, hf_smb2_write_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* remaining, must be set to 0 */
	proto_tree_add_item(tree, hf_smb2_write_remaining, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* write channel info offset */
	proto_tree_add_item(tree, hf_smb2_channel_info_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* write channel info length */
	proto_tree_add_item(tree, hf_smb2_channel_info_length, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	return offset;
}
7347 /* The STORAGE_OFFLOAD_TOKEN is used for "Offload Data Transfer" (ODX) operations,
7348 including FSCTL_OFFLOAD_READ, FSCTL_OFFLOAD_WRITE. Ref: MS-FSCC 2.3.79
7349 Note: Unlike most of SMB2, the token fields are BIG-endian! */
static int
dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
{
	/* fixed layout: 4-byte type, 2 reserved, 2-byte id length, 504-byte id */
	enum { ODX_TOKEN_LEN = 512, ODX_TOKEN_ID_LEN = 504 };

	proto_item *token_item;
	proto_tree *token_tree;
	uint32_t    token_type = 0;
	uint32_t    id_len = 0;

	token_tree = proto_tree_add_subtree(tree, tvb, offset, ODX_TOKEN_LEN, ett_smb2_fsctl_odx_token, &token_item, "Token");

	/* TokenType (big-endian) */
	proto_tree_add_item_ret_uint(token_tree, hf_smb2_fsctl_odx_token_type, tvb, offset, 4, ENC_BIG_ENDIAN, &token_type);
	offset += 4;

	proto_item_append_text(token_item, " (IdType 0x%x)", token_type);

	/* reserved */
	proto_tree_add_item(token_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/* TokenIdLength (big-endian) */
	proto_tree_add_item_ret_uint(token_tree, hf_smb2_fsctl_odx_token_idlen, tvb, offset, 2, ENC_BIG_ENDIAN, &id_len);
	offset += 2;

	/*
	 * id_len is what the sender says is the "meaningful" part of the
	 * token; the token ID area itself is always 504 bytes.
	 *
	 * NOTE(review): id_len comes straight from the packet and is not
	 * compared with the 504-byte area.  A larger value makes this item
	 * extend past the token, or raises a bounds exception on a short
	 * buffer.  Consider flagging id_len > 504 as malformed.
	 */
	proto_tree_add_bytes_format_value(token_tree, hf_smb2_fsctl_odx_token_idraw, tvb,
					  offset, id_len, NULL, "Opaque Data");
	offset += ODX_TOKEN_ID_LEN;

	return offset;
}
7382 /* MS-FSCC 2.3.77, 2.3.78 */
7384 dissect_smb2_FSCTL_OFFLOAD_READ(tvbuff_t
*tvb
,
7385 packet_info
*pinfo _U_
,
7390 proto_tree_add_item(tree
, hf_smb2_fsctl_odx_size
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7393 proto_tree_add_item(tree
, hf_smb2_fsctl_odx_flags
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7397 proto_tree_add_item(tree
, hf_smb2_fsctl_odx_token_ttl
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7400 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 4, ENC_NA
);
7403 proto_tree_add_item(tree
, hf_smb2_fsctl_odx_file_offset
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7406 proto_tree_add_item(tree
, hf_smb2_fsctl_odx_copy_length
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7409 proto_tree_add_item(tree
, hf_smb2_fsctl_odx_xfer_length
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7412 (void) dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvb
, pinfo
, tree
, offset
);
7416 /* MS-FSCC 2.3.80, 2.3.81 */
7418 dissect_smb2_FSCTL_OFFLOAD_WRITE(tvbuff_t
*tvb
,
7419 packet_info
*pinfo _U_
,
7424 proto_tree_add_item(tree
, hf_smb2_fsctl_odx_size
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7427 proto_tree_add_item(tree
, hf_smb2_fsctl_odx_flags
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7431 proto_tree_add_item(tree
, hf_smb2_fsctl_odx_file_offset
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7434 proto_tree_add_item(tree
, hf_smb2_fsctl_odx_copy_length
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7437 proto_tree_add_item(tree
, hf_smb2_fsctl_odx_token_offset
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7440 dissect_smb2_STORAGE_OFFLOAD_TOKEN(tvb
, pinfo
, tree
, offset
);
7443 proto_tree_add_item(tree
, hf_smb2_fsctl_odx_xfer_length
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/*
 * FSCTL_PIPE_TRANSCEIVE: everything from offset to the end of the captured
 * data is named-pipe payload and is handed to the pipe data dissector.
 * data is passed through unchanged as that dissector's private data.
 */
static void
dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, proto_tree *top_tree, bool data_in _U_, void *data)
{
	uint32_t payload_len = tvb_captured_length_remaining(tvb, offset);

	dissect_file_data_smb2_pipe(tvb, pinfo, tree, offset, payload_len, top_tree, data);
}
/*
 * FSCTL_PIPE_WAIT request: 8-byte timeout, 4-byte name length, 1-byte
 * "timeout specified" flag, 1 byte of padding, then the UTF-16LE pipe name.
 * The timeout is shown only when the flag is set; the pipe name is also
 * appended to the Info column.
 */
static void
dissect_smb2_FSCTL_PIPE_WAIT(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, int offset, proto_tree *top_tree, bool data_in _U_)
{
	const int timeout_offset = offset;
	uint32_t  name_len;
	uint8_t   timeout_specified;
	char     *display_string;

	/* Timeout: remembered above, displayed once the flag has been read */
	offset += 8;

	/* Name length */
	/* XXX - put the name length into the tree */
	name_len = tvb_get_letohl(tvb, offset);
	offset += 4;

	/* Timeout specified */
	timeout_specified = tvb_get_uint8(tvb, offset);
	offset += 1;
	if (timeout_specified) {
		proto_tree_add_item(top_tree, hf_smb2_fsctl_pipe_wait_timeout,
		    tvb, timeout_offset, 8, ENC_LITTLE_ENDIAN);
	}

	/* Padding */
	offset += 1;

	/*
	 * Name
	 *
	 * NOTE(review): name_len is a 32-bit value from the packet that is
	 * passed as an int length without a range check.  Oversized values are
	 * expected to end in a bounds exception; values above INT_MAX turn
	 * negative - confirm how the field API treats those.
	 */
	proto_tree_add_item_ret_display_string(top_tree, hf_smb2_fsctl_pipe_wait_name,
	    tvb, offset, name_len, ENC_UTF_16|ENC_LITTLE_ENDIAN,
	    pinfo->pool, &display_string);

	col_append_fstr(pinfo->cinfo, COL_INFO, " Pipe: %s", display_string);
}
/*
 * FSCTL_SET_SPARSE: only the request carries data, and its single flag byte
 * is optional, so it is added only when at least one byte is left.
 */
static void
dissect_smb2_FSCTL_SET_SPARSE(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	/* There is no out data; the sparse flag in the request is optional */
	if (data_in && tvb_reported_length_remaining(tvb, offset) >= 1) {
		proto_tree_add_item(tree, hf_smb2_fsctl_sparse_flag, tvb, offset, 1, ENC_NA);
	}
}
/*
 * FSCTL_SET_ZERO_DATA: the request holds one 16-byte range, an 8-byte
 * offset followed by an 8-byte length.  The response has no data.
 */
static void
dissect_smb2_FSCTL_SET_ZERO_DATA(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	proto_tree *range_tree;
	proto_item *range_item;

	/* There is no out data */
	if (data_in) {
		range_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &range_item, "Range");

		proto_tree_add_item(range_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(range_tree, hf_smb2_fsctl_range_length, tvb, offset + 8, 8, ENC_LITTLE_ENDIAN);
	}
}
/*
 * FSCTL_QUERY_ALLOCATED_RANGES: the request holds exactly one 16-byte range
 * (8-byte offset, 8-byte length); the response holds zero or more of them.
 * The response loop is bounded by the bytes left in the buffer, so no count
 * from the packet is trusted.
 */
static void
dissect_smb2_FSCTL_QUERY_ALLOCATED_RANGES(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, int offset _U_, bool data_in)
{
	proto_tree *range_tree;
	proto_item *range_item;

	if (!data_in) {
		/* Zero or more allocated ranges may be reported. */
		for (; tvb_reported_length_remaining(tvb, offset) >= 16; offset += 16) {
			range_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &range_item, "Range");

			proto_tree_add_item(range_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
			proto_tree_add_item(range_tree, hf_smb2_fsctl_range_length, tvb, offset + 8, 8, ENC_LITTLE_ENDIAN);
		}
		return;
	}

	/* Request: a single range, dissected without a prior length check */
	range_tree = proto_tree_add_subtree(tree, tvb, offset, 16, ett_smb2_fsctl_range_data, &range_item, "Range");

	proto_tree_add_item(range_tree, hf_smb2_fsctl_range_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	proto_tree_add_item(range_tree, hf_smb2_fsctl_range_length, tvb, offset + 8, 8, ENC_LITTLE_ENDIAN);
}
7561 dissect_smb2_FSCTL_QUERY_FILE_REGIONS(tvbuff_t
*tvb _U_
, packet_info
*pinfo _U_
, proto_tree
*tree _U_
, int offset _U_
, bool data_in
)
7565 proto_tree_add_item(tree
, hf_smb2_file_offset
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7568 proto_tree_add_item(tree
, hf_smb2_qfr_length
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7571 proto_tree_add_item(tree
, hf_smb2_qfr_usage
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7574 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 4, ENC_NA
);
7577 uint32_t entry_count
= 0;
7579 proto_tree_add_item(tree
, hf_smb2_qfr_flags
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7582 proto_tree_add_item(tree
, hf_smb2_qfr_total_region_entry_count
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7585 proto_tree_add_item_ret_uint(tree
, hf_smb2_qfr_region_entry_count
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
, &entry_count
);
7588 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 4, ENC_NA
);
7591 while (entry_count
&& tvb_reported_length_remaining(tvb
, offset
)) {
7592 proto_tree
*sub_tree
;
7593 proto_item
*sub_item
;
7595 sub_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, 24, ett_qfr_entry
, &sub_item
, "Entry");
7597 proto_tree_add_item(sub_tree
, hf_smb2_file_offset
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7600 proto_tree_add_item(sub_tree
, hf_smb2_qfr_length
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7603 proto_tree_add_item(sub_tree
, hf_smb2_qfr_usage
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7606 proto_tree_add_item(sub_tree
, hf_smb2_reserved
, tvb
, offset
, 4, ENC_NA
);
/*
 * FSCTL_LMR_REQUEST_RESILIENCY: the request holds a 4-byte timeout and a
 * 4-byte reserved field.  The response has no data.
 */
static void
dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	/* There is no out data */
	if (data_in) {
		/* timeout */
		proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_timeout, tvb, offset, 4, ENC_LITTLE_ENDIAN);

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_ioctl_resiliency_reserved, tvb, offset + 4, 4, ENC_LITTLE_ENDIAN);
	}
}
/*
 * FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT: the response holds a 4-byte
 * support field and a 4-byte handle state.  The request has no data.
 */
static void
dissect_smb2_FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	/* There is no in data */
	if (!data_in) {
		proto_tree_add_item(tree, hf_smb2_ioctl_shared_virtual_disk_support, tvb, offset, 4, ENC_LITTLE_ENDIAN);

		proto_tree_add_item(tree, hf_smb2_ioctl_shared_virtual_disk_handle_state, tvb, offset + 4, 4, ENC_LITTLE_ENDIAN);
	}
}
7644 #define STORAGE_QOS_CONTROL_FLAG_SET_LOGICAL_FLOW_ID 0x00000001
7645 #define STORAGE_QOS_CONTROL_FLAG_SET_POLICY 0x00000002
7646 #define STORAGE_QOS_CONTROL_FLAG_PROBE_POLICY 0x00000004
7647 #define STORAGE_QOS_CONTROL_FLAG_GET_STATUS 0x00000008
7648 #define STORAGE_QOS_CONTROL_FLAG_UPDATE_COUNTERS 0x00000010
7650 static const value_string smb2_ioctl_sqos_protocol_version_vals
[] = {
7651 { 0x0100, "Storage QoS Protocol Version 1.0" },
7652 { 0x0101, "Storage QoS Protocol Version 1.1" },
7656 static const value_string smb2_ioctl_sqos_status_vals
[] = {
7657 { 0x00, "StorageQoSStatusOk" },
7658 { 0x01, "StorageQoSStatusInsufficientThroughput" },
7659 { 0x02, "StorageQoSUnknownPolicyId" },
7660 { 0x04, "StorageQoSStatusConfigurationMismatch" },
7661 { 0x05, "StorageQoSStatusNotAvailable" },
7666 dissect_smb2_FSCTL_STORAGE_QOS_CONTROL(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, bool data_in
)
7668 static int * const operations
[] = {
7669 &hf_smb2_ioctl_sqos_op_set_logical_flow_id
,
7670 &hf_smb2_ioctl_sqos_op_set_policy
,
7671 &hf_smb2_ioctl_sqos_op_probe_policy
,
7672 &hf_smb2_ioctl_sqos_op_get_status
,
7673 &hf_smb2_ioctl_sqos_op_update_counters
,
7679 /* Both request and reply have the same common header */
7681 proto_ver
= tvb_get_letohs(tvb
, offset
);
7682 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_protocol_version
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
7685 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_reserved
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
7688 proto_tree_add_bitmask(tree
, tvb
, offset
, hf_smb2_ioctl_sqos_options
,
7689 ett_smb2_ioctl_sqos_opeations
, operations
, ENC_LITTLE_ENDIAN
);
7692 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_logical_flow_id
, tvb
, offset
, 16, ENC_LITTLE_ENDIAN
);
7695 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_policy_id
, tvb
, offset
, 16, ENC_LITTLE_ENDIAN
);
7698 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_initiator_id
, tvb
, offset
, 16, ENC_LITTLE_ENDIAN
);
7702 offset_length_buffer_t host_olb
, node_olb
;
7704 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_limit
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7707 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_reservation
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7710 offset
= dissect_smb2_olb_length_offset(tvb
, offset
, &host_olb
, OLB_O_UINT16_S_UINT16
, hf_smb2_ioctl_sqos_initiator_name
);
7712 offset
= dissect_smb2_olb_length_offset(tvb
, offset
, &node_olb
, OLB_O_UINT16_S_UINT16
, hf_smb2_ioctl_sqos_initiator_node_name
);
7714 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_io_count_increment
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7717 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_normalized_io_count_increment
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7720 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_latency_increment
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7723 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_lower_latency_increment
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7726 if (proto_ver
> 0x0100) {
7727 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_bandwidth_limit
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7730 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_kilobyte_count_increment
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7734 dissect_smb2_olb_string(pinfo
, tree
, tvb
, &host_olb
, OLB_TYPE_UNICODE_STRING
);
7736 dissect_smb2_olb_string(pinfo
, tree
, tvb
, &node_olb
, OLB_TYPE_UNICODE_STRING
);
7738 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_time_to_live
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7741 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_status
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7744 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_maximum_io_rate
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7747 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_minimum_io_rate
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7750 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_base_io_size
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7753 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_reserved2
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
7755 if (proto_ver
> 0x0100) {
7757 proto_tree_add_item(tree
, hf_smb2_ioctl_sqos_maximum_bandwidth
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
7763 dissect_windows_sockaddr_in(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*parent_tree
, int offset
, int len
)
7765 proto_item
*sub_item
;
7766 proto_tree
*sub_tree
;
7767 proto_item
*parent_item
;
7773 sub_tree
= proto_tree_add_subtree(parent_tree
, tvb
, offset
, len
, ett_windows_sockaddr
, &sub_item
, "Socket Address");
7774 parent_item
= proto_tree_get_parent(parent_tree
);
7777 proto_tree_add_item(sub_tree
, hf_windows_sockaddr_family
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
7781 proto_tree_add_item(sub_tree
, hf_windows_sockaddr_port
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
7785 proto_tree_add_item(sub_tree
, hf_windows_sockaddr_in_addr
, tvb
, offset
, 4, ENC_BIG_ENDIAN
);
7786 proto_item_append_text(sub_item
, ", IPv4: %s", tvb_ip_to_str(pinfo
->pool
, tvb
, offset
));
7787 proto_item_append_text(parent_item
, ", IPv4: %s", tvb_ip_to_str(pinfo
->pool
, tvb
, offset
));
7793 dissect_windows_sockaddr_in6(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*parent_tree
, int offset
, int len
)
7795 proto_item
*sub_item
;
7796 proto_tree
*sub_tree
;
7797 proto_item
*parent_item
;
7803 sub_tree
= proto_tree_add_subtree(parent_tree
, tvb
, offset
, len
, ett_windows_sockaddr
, &sub_item
, "Socket Address");
7804 parent_item
= proto_tree_get_parent(parent_tree
);
7807 proto_tree_add_item(sub_tree
, hf_windows_sockaddr_family
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
7811 proto_tree_add_item(sub_tree
, hf_windows_sockaddr_port
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
7815 proto_tree_add_item(sub_tree
, hf_windows_sockaddr_in6_flowinfo
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
7819 proto_tree_add_item(sub_tree
, hf_windows_sockaddr_in6_addr
, tvb
, offset
, 16, ENC_NA
);
7820 proto_item_append_text(sub_item
, ", IPv6: %s", tvb_ip6_to_str(pinfo
->pool
, tvb
, offset
));
7821 proto_item_append_text(parent_item
, ", IPv6: %s", tvb_ip6_to_str(pinfo
->pool
, tvb
, offset
));
7825 proto_tree_add_item(sub_tree
, hf_windows_sockaddr_in6_scope_id
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
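/*
 * Dissect a Windows socket address whose family is not known in advance.
 *
 * The 16-bit little-endian family at offset selects the IPv4 or IPv6
 * dissector.  Any other family gets a generic "Socket Address" subtree that
 * shows only the family value.
 *
 * len  length of the address in bytes, or -1 when the address runs to the
 *      end of the buffer
 *
 * Returns the offset just past the address.
 */
static int
dissect_windows_sockaddr_storage(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, int len)
{
	proto_item *sub_item;
	proto_tree *sub_tree;
	proto_item *parent_item;
	uint16_t    family;

	family = tvb_get_letohs(tvb, offset);
	switch (family) {
	case WINSOCK_AF_INET:
		return dissect_windows_sockaddr_in(tvb, pinfo, parent_tree, offset, len);
	case WINSOCK_AF_INET6:
		return dissect_windows_sockaddr_in6(tvb, pinfo, parent_tree, offset, len);
	}

	/* Unknown family: the value comes from the packet, so just display it. */
	sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_windows_sockaddr, &sub_item, "Socket Address");
	parent_item = proto_tree_get_parent(parent_tree);

	/* family */
	proto_tree_add_item(sub_tree, hf_windows_sockaddr_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	proto_item_append_text(sub_item, ", Family: %d (0x%04x)", family, family);
	proto_item_append_text(parent_item, ", Family: %d (0x%04x)", family, family);

	/*
	 * A len of -1 must not be added to the offset: that returned
	 * offset - 1, an offset before the address.  Report the end of the
	 * buffer instead, matching the subtree created above.
	 */
	if (len == -1) {
		return offset + tvb_reported_length_remaining(tvb, offset);
	}
	return offset + len;
}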
7857 #define NETWORK_INTERFACE_CAP_RSS 0x00000001
7858 #define NETWORK_INTERFACE_CAP_RDMA 0x00000002
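/*
 * Dissect one NETWORK_INTERFACE_INFO entry, starting at offset 0 of tvb,
 * and then the entry it links to.
 *
 * Layout: 4-byte next offset, 4-byte interface index, 4-byte capabilities,
 * 4 reserved bytes, 8-byte link speed, then a socket address.  A non-zero
 * next offset is relative to the start of this entry and leads to a
 * recursive call on the rest of the buffer.
 *
 * next_offset comes from the packet.  The recursion is wrapped in
 * increment_dissection_depth()/decrement_dissection_depth() so that the
 * dissection depth is tracked for a long chain of entries.
 * NOTE(review): next_offset is not checked against the size of the fixed
 * part of the entry, so a small value makes entries overlap - confirm that
 * this is acceptable for display purposes.
 */
static void
// NOLINTNEXTLINE(misc-no-recursion)
dissect_smb2_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
{
	uint32_t    next_offset;
	int         offset = 0;
	int         len = -1;
	proto_item *sub_item;
	proto_tree *sub_tree;
	proto_item *item;
	uint32_t    capabilities;
	uint64_t    link_speed;
	float       val = 0;
	const char *unit = NULL;
	static int * const capability_flags[] = {
		&hf_smb2_ioctl_network_interface_capability_rdma,
		&hf_smb2_ioctl_network_interface_capability_rss,
		NULL
	};

	next_offset = tvb_get_letohl(tvb, offset);
	if (next_offset) {
		/* this entry ends where the next one starts */
		len = next_offset;
	}

	sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_smb2_ioctl_network_interface, &sub_item, "Network Interface");
	item = proto_tree_get_parent(parent_tree);

	/* next offset */
	proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_next_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* interface index */
	proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* capabilities */
	capabilities = tvb_get_letohl(tvb, offset);
	proto_tree_add_bitmask(sub_tree, tvb, offset, hf_smb2_ioctl_network_interface_capabilities, ett_smb2_ioctl_network_interface_capabilities, capability_flags, ENC_LITTLE_ENDIAN);

	if (capabilities != 0) {
		proto_item_append_text(item, "%s%s",
				       (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
				       (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
		proto_item_append_text(sub_item, "%s%s",
				       (capabilities & NETWORK_INTERFACE_CAP_RDMA)?", RDMA":"",
				       (capabilities & NETWORK_INTERFACE_CAP_RSS)?", RSS":"");
	}
	offset += 4;

	/* reserved (was rss queue count for release 38 and 39) */
	proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/*
	 * link speed
	 *
	 * The division is done in floating point.  The integer division used
	 * before dropped the fraction before the conversion, so "%.1f" always
	 * printed ".0" (2.5 Gbit/s was shown as 2.0).
	 */
	link_speed = tvb_get_letoh64(tvb, offset);
	item = proto_tree_add_item(sub_tree, hf_smb2_ioctl_network_interface_link_speed, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	if (link_speed >= (1000*1000*1000)) {
		val = (float)((double)link_speed / (1000*1000*1000));
		unit = "G";
	} else if (link_speed >= (1000*1000)) {
		val = (float)((double)link_speed / (1000*1000));
		unit = "M";
	} else if (link_speed >= (1000)) {
		val = (float)((double)link_speed / (1000));
		unit = "K";
	} else {
		val = (float)(link_speed);
		unit = "";
	}
	proto_item_append_text(item, ", %.1f %sBits/s", val, unit);
	proto_item_append_text(sub_item, ", %.1f %sBits/s", val, unit);

	offset += 8;

	/* socket address */
	dissect_windows_sockaddr_storage(tvb, pinfo, sub_tree, offset, -1);

	if (next_offset) {
		tvbuff_t *next_tvb;

		next_tvb = tvb_new_subset_remaining(tvb, next_offset);

		/* next extra info */
		increment_dissection_depth(pinfo);
		dissect_smb2_NETWORK_INTERFACE_INFO(next_tvb, pinfo, parent_tree);
		decrement_dissection_depth(pinfo);
	}
}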
/*
 * FSCTL_QUERY_NETWORK_INTERFACE_INFO: the response is a chain of
 * NETWORK_INTERFACE_INFO entries.  The request has no data.
 */
static void
dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset _U_, bool data_in)
{
	/* There is no in data */
	if (!data_in) {
		dissect_smb2_NETWORK_INTERFACE_INFO(tvb, pinfo, tree);
	}
}
7961 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset _U_
, bool data_in
)
7964 * This is only used by Windows 8 beta
7968 offset
= dissect_smb2_capabilities(tree
, tvb
, offset
);
7971 proto_tree_add_item(tree
, hf_smb2_client_guid
, tvb
, offset
, 16, ENC_LITTLE_ENDIAN
);
7974 /* security mode, skip second byte */
7975 offset
= dissect_smb2_secmode(tree
, tvb
, offset
);
7979 proto_tree_add_item(tree
, hf_smb2_dialect
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
7983 offset
= dissect_smb2_capabilities(tree
, tvb
, offset
);
7986 proto_tree_add_item(tree
, hf_smb2_server_guid
, tvb
, offset
, 16, ENC_LITTLE_ENDIAN
);
7989 /* security mode, skip second byte */
7990 offset
= dissect_smb2_secmode(tree
, tvb
, offset
);
7994 proto_tree_add_item(tree
, hf_smb2_dialect
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
8000 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset _U_
, bool data_in
)
8006 offset
= dissect_smb2_capabilities(tree
, tvb
, offset
);
8009 proto_tree_add_item(tree
, hf_smb2_client_guid
, tvb
, offset
, 16, ENC_LITTLE_ENDIAN
);
8012 /* security mode, skip second byte */
8013 offset
= dissect_smb2_secmode(tree
, tvb
, offset
);
8017 dc
= tvb_get_letohs(tvb
, offset
);
8018 proto_tree_add_item(tree
, hf_smb2_dialect_count
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
8021 for ( ; dc
>0; dc
--) {
8022 proto_tree_add_item(tree
, hf_smb2_dialect
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
8027 offset
= dissect_smb2_capabilities(tree
, tvb
, offset
);
8030 proto_tree_add_item(tree
, hf_smb2_server_guid
, tvb
, offset
, 16, ENC_LITTLE_ENDIAN
);
8033 /* security mode, skip second byte */
8034 offset
= dissect_smb2_secmode(tree
, tvb
, offset
);
8038 proto_tree_add_item(tree
, hf_smb2_dialect
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
/*
 * FSCTL_SRV_ENUMERATE_SNAPSHOTS response: three 4-byte counters followed by
 * one UTF-16LE string per returned snapshot.  The request has no data.
 *
 * NOTE(review): the loop count (NumberOfSnapshotsReturned) is read from the
 * packet and is not checked against the bytes that remain or against
 * SnapShotArraySize.  The loop presumably ends with a bounds exception once
 * the buffer runs out - confirm every iteration consumes at least one byte.
 */
static void
dissect_smb2_FSCTL_SRV_ENUMERATE_SNAPSHOTS(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, bool data_in)
{
	uint32_t num_snapshots;

	/* There is no in data */
	if (data_in) {
		return;
	}

	/* NumberOfSnapShots */
	proto_tree_add_item(tree, hf_smb2_ioctl_enumerate_snapshots_num_snapshots, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* NumberOfSnapshotsReturned */
	proto_tree_add_item_ret_uint(tree, hf_smb2_ioctl_enumerate_snapshots_num_snapshots_returned, tvb, offset, 4, ENC_LITTLE_ENDIAN, &num_snapshots);
	offset += 4;

	/* SnapShotArraySize */
	proto_tree_add_item(tree, hf_smb2_ioctl_enumerate_snapshots_snapshot_array_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	for (; num_snapshots != 0; num_snapshots--) {
		int consumed;

		/* length -1: the field API reports how many bytes the string took */
		proto_tree_add_item_ret_length(tree, hf_smb2_ioctl_enumerate_snapshots_snapshot,
			tvb, offset, -1, ENC_UTF_16|ENC_LITTLE_ENDIAN, &consumed);

		offset += consumed;
	}
}
/*
 * Dissect a 64-byte FILE_OBJECTID_BUFFER: four consecutive 16-byte
 * identifiers (object id, birth volume id, birth object id, domain id).
 * Returns the offset after the buffer.
 */
static int
dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, int offset)
{
	/* the identifiers in wire order */
	static int * const id_fields[] = {
		&hf_smb2_object_id,		/* Object ID */
		&hf_smb2_birth_volume_id,	/* Birth Volume ID */
		&hf_smb2_birth_object_id,	/* Birth Object ID */
		&hf_smb2_domain_id		/* Domain ID */
	};
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	size_t      i;

	/* FILE_OBJECTID_BUFFER */
	if (parent_tree) {
		item = proto_tree_add_item(parent_tree, hf_smb2_FILE_OBJECTID_BUFFER, tvb, offset, 64, ENC_NA);
		tree = proto_item_add_subtree(item, ett_smb2_FILE_OBJECTID_BUFFER);
	}

	for (i = 0; i < sizeof id_fields / sizeof id_fields[0]; i++) {
		proto_tree_add_item(tree, *id_fields[i], tvb, offset, 16, ENC_LITTLE_ENDIAN);
		offset += 16;
	}

	return offset;
}
/*
 * Dissect the FSCTL_CREATE_OR_GET_OBJECT_ID data.  The payload is a single
 * FILE_OBJECTID_BUFFER, handed to dissect_smb2_FILE_OBJECTID_BUFFER(); the
 * inline comment records that this FSCTL carries no input data.
 */
8108 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, bool data_in
)
8111 /* There is no in data */
8116 /* FILE_OBJECTID_BUFFER */
8117 offset
= dissect_smb2_FILE_OBJECTID_BUFFER(tvb
, pinfo
, tree
, offset
);
/*
 * Dissect the FSCTL_GET_COMPRESSION data: one 2-byte little-endian
 * compression format.  The inline comment records that there is no input
 * data for this FSCTL.
 */
8123 dissect_smb2_FSCTL_GET_COMPRESSION(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, bool data_in
)
8126 /* There is no in data */
8131 /* compression format */
8132 proto_tree_add_item(tree
, hf_smb2_compression_format
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
/*
 * Dissect the FSCTL_SET_COMPRESSION data: one 2-byte little-endian
 * compression format.  The inline comment records that there is no output
 * data for this FSCTL.
 */
8139 dissect_smb2_FSCTL_SET_COMPRESSION(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, bool data_in
)
8142 /* There is no out data */
8147 /* compression format */
8148 proto_tree_add_item(tree
, hf_smb2_compression_format
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
/*
 * Dissect the FSCTL_SET_INTEGRITY_INFORMATION data: a 2-byte checksum
 * algorithm, a 2-byte reserved field and a flags bitmask, all little-endian.
 * The inline comment records that there is no output data.
 */
8155 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, bool data_in
)
/* Field list handed to proto_tree_add_bitmask() for the flags word. */
8157 static int * const integrity_flags
[] = {
8158 &hf_smb2_integrity_flags_enforcement_off
,
8162 /* There is no out data */
/* Checksum algorithm */
8167 proto_tree_add_item(tree
, hf_smb2_checksum_algorithm
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
/* Reserved */
8170 proto_tree_add_item(tree
, hf_smb2_integrity_reserved
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
/* Flags, broken out bit by bit through integrity_flags */
8173 proto_tree_add_bitmask(tree
, tvb
, offset
, hf_smb2_integrity_flags
, ett_smb2_integrity_flags
, integrity_flags
, ENC_LITTLE_ENDIAN
);
/*
 * Dissect the FSCTL_SET_INTEGRITY_INFORMATION_EX data: enable-integrity
 * (1 byte), keep-integrity-state (1 byte), reserved (2 bytes), a flags
 * bitmask, version (1 byte) and a further 7 reserved bytes.
 */
8180 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION_EX(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, bool data_in
)
/* Field list handed to proto_tree_add_bitmask() for the flags word. */
8182 static int * const integrity_flags
[] = {
8183 &hf_smb2_integrity_flags_enforcement_off
,
/* EnableIntegrity */
8191 proto_tree_add_item(tree
, hf_smb2_fsctl_infoex_enable_integrity
, tvb
, offset
, 1, ENC_LITTLE_ENDIAN
);
/* KeepIntegrityStateUnchanged */
8194 proto_tree_add_item(tree
, hf_smb2_fsctl_infoex_keep_integrity_state
, tvb
, offset
, 1, ENC_LITTLE_ENDIAN
);
/* Reserved */
8197 proto_tree_add_item(tree
, hf_smb2_fsctl_infoex_reserved
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
/* Flags; shares the subtree type and bit list of the non-EX variant */
8200 proto_tree_add_bitmask(tree
, tvb
, offset
, hf_smb2_fsctl_infoex_flags
, ett_smb2_integrity_flags
, integrity_flags
, ENC_LITTLE_ENDIAN
);
/* Version */
8203 proto_tree_add_item(tree
, hf_smb2_fsctl_infoex_version
, tvb
, offset
, 1, ENC_LITTLE_ENDIAN
);
/* Reserved2 (7 bytes) */
8206 proto_tree_add_item(tree
, hf_smb2_fsctl_infoex_reserved2
, tvb
, offset
, 7, ENC_LITTLE_ENDIAN
);
/*
 * Add a "Query Delta Buffer" subtree for the ReFS stream snapshot
 * QUERY_DELTAS operation: start VCN (8 bytes), flags (4 bytes) and a
 * reserved field (4 bytes), all little-endian.
 */
8213 dissect_smb2_FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT_Query_Delta(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
)
8215 proto_tree
*sub_tree
;
/* Length -1: the subtree covers the rest of the buffer from offset. */
8217 sub_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, -1, ett_smb2_fscc_refs_snapshot_query_delta_buffer
, NULL
, "Query Delta Buffer");
/* StartingVcn */
8219 proto_tree_add_item(sub_tree
, hf_smb2_fscc_refs_snapshot_query_delta_buffer_startvcn
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/* Flags */
8222 proto_tree_add_item(sub_tree
, hf_smb2_fscc_refs_snapshot_query_delta_buffer_flags
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/* Reserved */
8225 proto_tree_add_item(sub_tree
, hf_smb2_fscc_refs_snapshot_query_delta_buffer_reserved
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/*
 * Dissect the FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT data: operation
 * (4 bytes), snapshot name length (2 bytes), input buffer length (2 bytes),
 * 16 reserved bytes and the UTF-16LE snapshot name.  For the QUERY_DELTAS
 * operation the query delta buffer is dissected as well.
 *
 * operation, name_len and input_buffer_len are all read from the packet.
 */
8232 dissect_smb2_FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, bool data_in
)
8236 uint32_t input_buffer_len
;
8238 /* There is no in data */
/* Operation code; selects the operation-specific buffer further down. */
8243 proto_tree_add_item_ret_uint(tree
, hf_smb2_fscc_refs_snapshot_mgmt_operation
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
, &operation
);
/* Snapshot name length in bytes (used as the item length below). */
8246 proto_tree_add_item_ret_uint(tree
, hf_smb2_fscc_refs_snapshot_mgmt_namelen
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
, &name_len
);
/* Operation input buffer length; stored but not used in the visible code. */
8249 proto_tree_add_item_ret_uint(tree
, hf_smb2_fscc_refs_snapshot_mgmt_input_buffer_len
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
, &input_buffer_len
);
/* Reserved */
8252 proto_tree_add_item(tree
, hf_smb2_fscc_refs_snapshot_mgmt_reserved
, tvb
, offset
, 16, ENC_NA
);
/*
 * Snapshot name.  name_len is taken from the packet as is.
 * NOTE(review): a length larger than the remaining buffer is presumably
 * rejected by the tvb bounds check inside proto_tree_add_item() - confirm.
 */
8256 proto_tree_add_item(tree
, hf_smb2_fscc_refs_snapshot_mgmt_name
, tvb
, offset
, name_len
, ENC_UTF_16
|ENC_LITTLE_ENDIAN
);
/*
 * NOTE(review): other helpers in this file are called as "offset = helper(...)".
 * Here the helper's return value is added to offset; if the helper returns
 * the new absolute offset this counts the preceding bytes twice - confirm
 * against the helper's return statement.
 */
8260 if (operation
== REFS_STREAM_SNAPSHOT_OPERATION_QUERY_DELTAS
) {
8261 offset
+= dissect_smb2_FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT_Query_Delta(tvb
, pinfo
, tree
, offset
);
/*
 * Dissect the FSCTL_SET_OBJECT_ID data.  The payload is a single
 * FILE_OBJECTID_BUFFER, handed to dissect_smb2_FILE_OBJECTID_BUFFER(); the
 * inline comment records that this FSCTL carries no output data.
 */
8268 dissect_smb2_FSCTL_SET_OBJECT_ID(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, bool data_in
)
8271 /* There is no out data */
8276 /* FILE_OBJECTID_BUFFER */
8277 offset
= dissect_smb2_FILE_OBJECTID_BUFFER(tvb
, pinfo
, tree
, offset
);
/*
 * Dissect the FSCTL_SET_OBJECT_ID_EXTENDED data: the ExtendedInfo part of a
 * FILE_OBJECTID_BUFFER, i.e. birth volume id, birth object id and domain id
 * (16 bytes each).  The inline comment records that there is no output data.
 */
8283 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, bool data_in
)
8286 /* There is no out data */
8291 /* FILE_OBJECTID_BUFFER->ExtendedInfo */
8293 /* Birth Volume ID */
8294 proto_tree_add_item(tree
, hf_smb2_birth_volume_id
, tvb
, offset
, 16, ENC_LITTLE_ENDIAN
);
8297 /* Birth Object ID */
8298 proto_tree_add_item(tree
, hf_smb2_birth_object_id
, tvb
, offset
, 16, ENC_LITTLE_ENDIAN
);
/* Domain ID */
8302 proto_tree_add_item(tree
, hf_smb2_domain_id
, tvb
, offset
, 16, ENC_LITTLE_ENDIAN
);
/*
 * Add the 24-byte copychunk resume key.  The key is shown with the fixed
 * label "Opaque Data" instead of being decoded.
 */
8309 dissect_smb2_cchunk_RESUME_KEY(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
)
/* NULL start pointer: the bytes are taken from tvb at offset. */
8312 proto_tree_add_bytes_format_value(tree
, hf_smb2_cchunk_resume_key
, tvb
,
8313 offset
, 24, NULL
, "Opaque Data");
/*
 * Dissect the FSCTL_SRV_REQUEST_RESUME_KEY data: the 24-byte resume key
 * followed by a 4-byte reserved field.  The inline comment records that
 * there is no input data.
 */
8320 dissect_smb2_FSCTL_SRV_REQUEST_RESUME_KEY(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, bool data_in
)
8323 /* There is no in data */
/* Resume key; the helper returns the offset to continue from. */
8328 offset
= dissect_smb2_cchunk_RESUME_KEY(tvb
, pinfo
, tree
, offset
);
/* Reserved */
8330 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 4, ENC_NA
);
/*
 * Dissect FSCTL_SRV_COPYCHUNK / FSCTL_SRV_COPYCHUNK_WRITE data.
 *
 * Output: chunks written, chunk bytes written and total bytes written
 * (4 bytes each, at offset, offset+4 and offset+8).
 * Input: the 24-byte resume key, a 4-byte chunk count, 4 reserved bytes and
 * then one 24-byte entry per chunk (source offset, destination offset,
 * transfer length, reserved).
 *
 * chunk_count is read from the packet; the entry loop additionally requires
 * 24 reported bytes to remain, so a count larger than the data present does
 * not drive the loop past the end of the buffer.
 */
8334 dissect_smb2_FSCTL_SRV_COPYCHUNK(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, bool data_in
)
8336 proto_tree
*sub_tree
;
8337 proto_item
*sub_item
;
8338 uint32_t chunk_count
= 0;
8340 /* Output is simpler - handle that first. */
8342 proto_tree_add_item(tree
, hf_smb2_cchunk_chunks_written
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
8343 proto_tree_add_item(tree
, hf_smb2_cchunk_bytes_written
, tvb
, offset
+4, 4, ENC_LITTLE_ENDIAN
);
8344 proto_tree_add_item(tree
, hf_smb2_cchunk_total_written
, tvb
, offset
+8, 4, ENC_LITTLE_ENDIAN
);
8348 /* Input data, fixed part */
8349 offset
= dissect_smb2_cchunk_RESUME_KEY(tvb
, pinfo
, tree
, offset
);
/* Chunk count: sender-supplied bound for the entry loop below. */
8350 proto_tree_add_item_ret_uint(tree
, hf_smb2_cchunk_count
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
, &chunk_count
);
8353 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 4, ENC_NA
);
8356 /* Zero or more allocated ranges may be reported. */
/* Stop when the count is used up or fewer than 24 bytes (one entry) remain. */
8357 while (chunk_count
&& tvb_reported_length_remaining(tvb
, offset
) >= 24) {
8358 sub_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, 24, ett_smb2_cchunk_entry
, &sub_item
, "Chunk");
/* Source offset */
8360 proto_tree_add_item(sub_tree
, hf_smb2_cchunk_src_offset
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/* Destination offset */
8363 proto_tree_add_item(sub_tree
, hf_smb2_cchunk_dst_offset
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/* Transfer length */
8366 proto_tree_add_item(sub_tree
, hf_smb2_cchunk_xfer_len
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/* Reserved */
8369 proto_tree_add_item(sub_tree
, hf_smb2_reserved
, tvb
, offset
, 4, ENC_NA
);
/*
 * Dissect the data of an NFS reparse point: an 8-byte little-endian type
 * followed by type-specific data (symlink target, or major/minor numbers for
 * character and block devices).
 *
 * length is the reparse data length passed in by the caller; for a symlink
 * it covers the 8-byte type plus the target string.
 */
8377 dissect_smb2_reparse_nfs(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, uint32_t length
)
/* Type of the special file; read once for dispatch, then added to the tree. */
8382 type
= tvb_get_letoh64(tvb
, offset
);
8383 proto_tree_add_item(tree
, hf_smb2_nfs_type
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
8387 case NFS_SPECFILE_LNK
:
8389 * According to [MS-FSCC] 2.1.2.6 "length" contains
8390 * the 8-byte type plus the symlink target in Unicode
8391 * non-NULL terminated.
/*
 * NOTE(review): the condition guarding this THROW is not visible here.
 * The subtraction "length - 8" below is only safe if that condition
 * rejects every length smaller than 8 - confirm.
 */
8394 THROW(ReportedBoundsError
);
8396 symlink_length
= length
- 8;
8397 proto_tree_add_item(tree
, hf_smb2_nfs_symlink_target
, tvb
, offset
,
8398 symlink_length
, ENC_UTF_16
|ENC_LITTLE_ENDIAN
);
/* Character device: 4-byte major and 4-byte minor number. */
8400 case NFS_SPECFILE_CHR
:
8401 proto_tree_add_item(tree
, hf_smb2_nfs_chr_major
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
8403 proto_tree_add_item(tree
, hf_smb2_nfs_chr_minor
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/* Block device: 4-byte major and 4-byte minor number. */
8405 case NFS_SPECFILE_BLK
:
8406 proto_tree_add_item(tree
, hf_smb2_nfs_blk_major
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
8408 proto_tree_add_item(tree
, hf_smb2_nfs_blk_minor
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/* FIFO and socket: no field is added for these types in the visible code. */
8410 case NFS_SPECFILE_FIFO
:
8411 case NFS_SPECFILE_SOCK
:
/*
 * Dissect a REPARSE_DATA_BUFFER: reparse tag (4 bytes), reparse data length
 * (2 bytes), reserved (2 bytes), an optional 16-byte GUID when the high bit
 * of the tag is clear, then tag-specific data.
 *
 * Symlink tags carry two offset/length pairs (substitute name, print name),
 * a 4-byte flags field and the two Unicode strings.  NFS tags are passed to
 * dissect_smb2_reparse_nfs().  The last item in this function shows "length"
 * bytes as unknown data.
 *
 * tag and length are both read from the packet.
 */
8418 dissect_smb2_FSCTL_REPARSE_POINT(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*parent_tree
, int offset
)
8420 proto_item
*item
= NULL
;
8421 proto_tree
*tree
= NULL
;
8425 offset_length_buffer_t s_olb
, p_olb
;
8427 /* REPARSE_DATA_BUFFER */
/* Length -1: the container item covers the rest of the buffer. */
8429 item
= proto_tree_add_item(parent_tree
, hf_smb2_reparse_data_buffer
, tvb
, offset
, -1, ENC_NA
);
8430 tree
= proto_item_add_subtree(item
, ett_smb2_reparse_data_buffer
);
/* Reparse tag; kept in "tag" for the GUID test and the dispatch below. */
8434 tag
= tvb_get_letohl(tvb
, offset
);
8435 proto_tree_add_item(tree
, hf_smb2_reparse_tag
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
8438 /* reparse data length */
8439 length
= tvb_get_letohs(tvb
, offset
);
8440 proto_tree_add_item(tree
, hf_smb2_reparse_data_length
, tvb
, offset
, 2, ENC_LITTLE_ENDIAN
);
/* Reserved */
8444 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 2, ENC_NA
);
8447 if (!(tag
& 0x80000000)) {
8448 /* if high bit is not set, this buffer has a GUID field */
8450 proto_tree_add_item(tree
, hf_smb2_reparse_guid
, tvb
, offset
, 16, ENC_NA
);
8455 case REPARSE_TAG_SYMLINK
:
8456 /* substitute name offset/length */
8457 offset
= dissect_smb2_olb_length_offset(tvb
, offset
, &s_olb
, OLB_O_UINT16_S_UINT16
, hf_smb2_symlink_substitute_name
);
8459 /* print name offset/length */
8460 offset
= dissect_smb2_olb_length_offset(tvb
, offset
, &p_olb
, OLB_O_UINT16_S_UINT16
, hf_smb2_symlink_print_name
);
/* Symlink flags */
8463 proto_tree_add_item(tree
, hf_smb2_symlink_flags
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
8466 /* substitute name string */
8467 dissect_smb2_olb_off_string(pinfo
, tree
, tvb
, &s_olb
, offset
, OLB_TYPE_UNICODE_STRING
);
8469 /* print name string */
8470 dissect_smb2_olb_off_string(pinfo
, tree
, tvb
, &p_olb
, offset
, OLB_TYPE_UNICODE_STRING
);
/* NFS reparse data: the packet-supplied length is forwarded unchanged. */
8472 case REPARSE_TAG_NFS
:
8473 dissect_smb2_reparse_nfs(tvb
, pinfo
, tree
, offset
, length
);
/*
 * Unknown data of "length" bytes.
 * NOTE(review): presumably the branch for unhandled tags; a length that
 * exceeds the buffer is left to the tvb bounds check - confirm.
 */
8476 proto_tree_add_item(tree
, hf_smb2_unknown
, tvb
, offset
, length
, ENC_NA
);
/*
 * Dissect the FSCTL_SET_REPARSE_POINT data by delegating to
 * dissect_smb2_FSCTL_REPARSE_POINT().
 */
8481 dissect_smb2_FSCTL_SET_REPARSE_POINT(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*parent_tree
, int offset
, bool data_in
)
8487 dissect_smb2_FSCTL_REPARSE_POINT(tvb
, pinfo
, parent_tree
, offset
);
/*
 * Dissect the FSCTL_GET_REPARSE_POINT data by delegating to
 * dissect_smb2_FSCTL_REPARSE_POINT().
 */
8491 dissect_smb2_FSCTL_GET_REPARSE_POINT(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*parent_tree
, int offset
, bool data_in
)
8497 dissect_smb2_FSCTL_REPARSE_POINT(tvb
, pinfo
, parent_tree
, offset
);
/*
 * Dissect the FSCTL_GET_NTFS_VOLUME_DATA data: a fixed sequence of
 * little-endian volume geometry fields (five 8-byte values, four 4-byte
 * values, then five 8-byte MFT values).  The inline comment records that
 * there is no input data.
 */
8501 dissect_smb2_FSCTL_GET_NTFS_VOLUME_DATA(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, int offset
, bool data_in
)
8503 /* There is no in data */
/* Volume serial number */
8508 proto_tree_add_item(tree
, hf_smb2_ioctl_get_ntfs_volume_data_volume_serial
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/* Number of sectors */
8511 proto_tree_add_item(tree
, hf_smb2_ioctl_get_ntfs_volume_data_num_sectors
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/* Total clusters */
8514 proto_tree_add_item(tree
, hf_smb2_ioctl_get_ntfs_volume_data_total_clusters
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/* Free clusters */
8517 proto_tree_add_item(tree
, hf_smb2_ioctl_get_ntfs_volume_data_free_clusters
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/* Total reserved */
8520 proto_tree_add_item(tree
, hf_smb2_ioctl_get_ntfs_volume_data_total_reserved
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/* Bytes per sector */
8523 proto_tree_add_item(tree
, hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_sector
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/* Bytes per cluster */
8526 proto_tree_add_item(tree
, hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_cluster
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/* Bytes per file record segment */
8529 proto_tree_add_item(tree
, hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_file_record_segment
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/* Clusters per file record segment */
8532 proto_tree_add_item(tree
, hf_smb2_ioctl_get_ntfs_volume_data_clusters_per_file_record_segment
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/* MFT valid data length */
8535 proto_tree_add_item(tree
, hf_smb2_ioctl_get_ntfs_volume_data_mft_valid_data_length
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/* MFT start LCN */
8538 proto_tree_add_item(tree
, hf_smb2_ioctl_get_ntfs_volume_data_mft_start_lcn
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/* MFT mirror start LCN */
8541 proto_tree_add_item(tree
, hf_smb2_ioctl_get_ntfs_volume_data_mft2_start_lcn
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/* MFT zone start */
8544 proto_tree_add_item(tree
, hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_start
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/* MFT zone end */
8547 proto_tree_add_item(tree
, hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_end
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/*
 * Dispatch an IOCTL payload buffer to the dissector that matches
 * ioctl_function.
 *
 * tvb holds only the payload, so every handler is called with offset 0.
 * data_in tells the handler which direction it is looking at (the callers in
 * this file pass true for the input buffer and false for the output buffer).
 * The pipe FSCTLs also receive top_tree, and the SVHDX tunnel codes are
 * handed to rsvd_handle with a pointer to data_in.
 *
 * ioctl_function is a value taken from the packet; codes without a handler
 * end up in the final proto_tree_add_item() call, which shows the captured
 * bytes as unknown data.
 */
8551 dissect_smb2_ioctl_data(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, proto_tree
*top_tree
, uint32_t ioctl_function
, bool data_in
, void *private_data _U_
)
/* Reported payload length, passed by reference to the DFS helpers. */
8555 dc
= tvb_reported_length(tvb
);
8557 switch (ioctl_function
) {
8558 case 0x00060194: /* FSCTL_DFS_GET_REFERRALS */
8560 dissect_get_dfs_request_data(tvb
, pinfo
, tree
, 0, &dc
, true);
8562 dissect_get_dfs_referral_data(tvb
, pinfo
, tree
, 0, &dc
, true);
8565 case 0x000940CF: /* FSCTL_QUERY_ALLOCATED_RANGES */
8566 dissect_smb2_FSCTL_QUERY_ALLOCATED_RANGES(tvb
, pinfo
, tree
, 0, data_in
);
8568 case 0x00094264: /* FSCTL_OFFLOAD_READ */
8569 dissect_smb2_FSCTL_OFFLOAD_READ(tvb
, pinfo
, tree
, 0, data_in
);
8571 case 0x00098268: /* FSCTL_OFFLOAD_WRITE */
8572 dissect_smb2_FSCTL_OFFLOAD_WRITE(tvb
, pinfo
, tree
, 0, data_in
);
/* private_data is used here although the parameter is marked _U_. */
8574 case 0x0011c017: /* FSCTL_PIPE_TRANSCEIVE */
8575 dissect_smb2_FSCTL_PIPE_TRANSCEIVE(tvb
, pinfo
, tree
, 0, top_tree
, data_in
, private_data
);
8577 case 0x00110018: /* FSCTL_PIPE_WAIT */
8578 dissect_smb2_FSCTL_PIPE_WAIT(tvb
, pinfo
, tree
, 0, top_tree
, data_in
);
8580 case 0x00140078: /* FSCTL_SRV_REQUEST_RESUME_KEY */
8581 dissect_smb2_FSCTL_SRV_REQUEST_RESUME_KEY(tvb
, pinfo
, tree
, 0, data_in
);
8583 case 0x001401D4: /* FSCTL_LMR_REQUEST_RESILIENCY */
8584 dissect_smb2_FSCTL_LMR_REQUEST_RESILIENCY(tvb
, pinfo
, tree
, 0, data_in
);
8586 case 0x001401FC: /* FSCTL_QUERY_NETWORK_INTERFACE_INFO */
8587 dissect_smb2_FSCTL_QUERY_NETWORK_INTERFACE_INFO(tvb
, pinfo
, tree
, 0, data_in
);
8589 case 0x00140200: /* FSCTL_VALIDATE_NEGOTIATE_INFO_224 */
8590 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO_224(tvb
, pinfo
, tree
, 0, data_in
);
8592 case 0x00140204: /* FSCTL_VALIDATE_NEGOTIATE_INFO */
8593 dissect_smb2_FSCTL_VALIDATE_NEGOTIATE_INFO(tvb
, pinfo
, tree
, 0, data_in
);
8595 case 0x00144064: /* FSCTL_SRV_ENUMERATE_SNAPSHOTS */
8596 dissect_smb2_FSCTL_SRV_ENUMERATE_SNAPSHOTS(tvb
, pinfo
, tree
, 0, data_in
);
/* Both copychunk variants share one dissector. */
8598 case 0x001440F2: /* FSCTL_SRV_COPYCHUNK */
8599 case 0x001480F2: /* FSCTL_SRV_COPYCHUNK_WRITE */
8600 dissect_smb2_FSCTL_SRV_COPYCHUNK(tvb
, pinfo
, tree
, 0, data_in
);
8602 case 0x000900A4: /* FSCTL_SET_REPARSE_POINT */
8603 dissect_smb2_FSCTL_SET_REPARSE_POINT(tvb
, pinfo
, tree
, 0, data_in
);
8605 case 0x000900A8: /* FSCTL_GET_REPARSE_POINT */
8606 dissect_smb2_FSCTL_GET_REPARSE_POINT(tvb
, pinfo
, tree
, 0, data_in
);
/* FSCTL_GET_OBJECT_ID reuses the CREATE_OR_GET dissector. */
8608 case 0x0009009C: /* FSCTL_GET_OBJECT_ID */
8609 case 0x000900c0: /* FSCTL_CREATE_OR_GET_OBJECT_ID */
8610 dissect_smb2_FSCTL_CREATE_OR_GET_OBJECT_ID(tvb
, pinfo
, tree
, 0, data_in
);
8612 case 0x000900c4: /* FSCTL_SET_SPARSE */
8613 dissect_smb2_FSCTL_SET_SPARSE(tvb
, pinfo
, tree
, 0, data_in
);
8615 case 0x00098098: /* FSCTL_SET_OBJECT_ID */
8616 dissect_smb2_FSCTL_SET_OBJECT_ID(tvb
, pinfo
, tree
, 0, data_in
);
8618 case 0x000980BC: /* FSCTL_SET_OBJECT_ID_EXTENDED */
8619 dissect_smb2_FSCTL_SET_OBJECT_ID_EXTENDED(tvb
, pinfo
, tree
, 0, data_in
);
8621 case 0x000980C8: /* FSCTL_SET_ZERO_DATA */
8622 dissect_smb2_FSCTL_SET_ZERO_DATA(tvb
, pinfo
, tree
, 0, data_in
);
8624 case 0x0009003C: /* FSCTL_GET_COMPRESSION */
8625 dissect_smb2_FSCTL_GET_COMPRESSION(tvb
, pinfo
, tree
, 0, data_in
);
8627 case 0x00090300: /* FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT */
8628 dissect_smb2_FSCTL_QUERY_SHARED_VIRTUAL_DISK_SUPPORT(tvb
, pinfo
, tree
, 0, data_in
);
/*
 * The SVHDX tunnel payloads go to a separate dissector, rooted at top_tree
 * rather than tree; the direction is passed as a pointer to data_in.
 */
8630 case 0x00090304: /* FSCTL_SVHDX_SYNC_TUNNEL or response */
8631 case 0x00090364: /* FSCTL_SVHDX_ASYNC_TUNNEL or response */
8632 call_dissector_with_data(rsvd_handle
, tvb
, pinfo
, top_tree
, &data_in
);
8634 case 0x00090350: /* FSCTL_STORAGE_QOS_CONTROL */
8635 dissect_smb2_FSCTL_STORAGE_QOS_CONTROL(tvb
, pinfo
, tree
, 0, data_in
);
8637 case 0x0009C040: /* FSCTL_SET_COMPRESSION */
8638 dissect_smb2_FSCTL_SET_COMPRESSION(tvb
, pinfo
, tree
, 0, data_in
);
8640 case 0x00090284: /* FSCTL_QUERY_FILE_REGIONS */
8641 dissect_smb2_FSCTL_QUERY_FILE_REGIONS(tvb
, pinfo
, tree
, 0, data_in
);
8643 case 0x0009C280: /* FSCTL_SET_INTEGRITY_INFORMATION request or response */
8644 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION(tvb
, pinfo
, tree
, 0, data_in
);
8646 case 0x00090064: /* FSCTL_GET_NTFS_VOLUME_DATA */
8647 dissect_smb2_FSCTL_GET_NTFS_VOLUME_DATA(tvb
, pinfo
, tree
, 0, data_in
);
/* FSCTL_SET_INTEGRITY_INFORMATION_EX handler (its case label is not shown here). */
8650 dissect_smb2_FSCTL_SET_INTEGRITY_INFORMATION_EX(tvb
, pinfo
, tree
, 0, data_in
);
/* FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT handler (its case label is not shown here). */
8653 dissect_smb2_FSCTL_REFS_STREAM_SNAPSHOT_MANAGEMENT(tvb
, pinfo
, tree
, 0, data_in
);
/*
 * Show the whole captured payload as undissected bytes.
 * NOTE(review): presumably the default branch for function codes without a
 * handler above - confirm.
 */
8656 proto_tree_add_item(tree
, hf_smb2_unknown
, tvb
, 0, tvb_captured_length(tvb
), ENC_NA
);
/*
 * Buffer callback for the IOCTL input data: records the pipe file id via
 * smb2_pipe_set_file_id() and dispatches the payload with data_in = true.
 * si itself is passed on as the handler's private data.
 */
8661 dissect_smb2_ioctl_data_in(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, smb2_info_t
*si
)
8663 smb2_pipe_set_file_id(pinfo
, si
);
8664 dissect_smb2_ioctl_data(tvb
, pinfo
, tree
, si
->top_tree
, si
->ioctl_function
, true, si
);
/*
 * Buffer callback for the IOCTL output data: records the pipe file id via
 * smb2_pipe_set_file_id() and dispatches the payload with data_in = false.
 * si itself is passed on as the handler's private data.
 */
8668 dissect_smb2_ioctl_data_out(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, smb2_info_t
*si
)
8670 smb2_pipe_set_file_id(pinfo
, si
);
8671 dissect_smb2_ioctl_data(tvb
, pinfo
, tree
, si
->top_tree
, si
->ioctl_function
, false, si
);
/*
 * Dissect an SMB2 IOCTL request: buffer code, reserved, IOCTL function,
 * file id, input buffer offset/length, max input size, output buffer
 * offset/length, max output size, flags and a trailing reserved field, then
 * the input and output buffers themselves.
 *
 * The function code is stored in si->ioctl_function and later selects the
 * payload dissector.  The buffer offsets and lengths come from the packet
 * and are kept in i_olb / o_olb until the buffers are dissected.
 */
8675 dissect_smb2_ioctl_request(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, smb2_info_t
*si
)
8677 offset_length_buffer_t o_olb
;
8678 offset_length_buffer_t i_olb
;
8679 proto_tree
*flags_tree
= NULL
;
8680 proto_item
*flags_item
= NULL
;
/* Buffer code */
8684 offset
= dissect_smb2_buffercode(tree
, tvb
, offset
, NULL
);
/* Reserved */
8687 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 2, ENC_NA
);
8690 /* ioctl function */
8691 offset
= dissect_smb2_ioctl_function(tvb
, pinfo
, tree
, offset
, &si
->ioctl_function
);
/*
 * Show the saved file id hash as a generated item (zero length at offset
 * 0, because the value is not taken from this packet's bytes).  si->saved
 * is checked for NULL before it is used.
 */
8694 if (si
->saved
&& si
->saved
->fid_hash
) {
8695 item
= proto_tree_add_uint_format(tree
, hf_smb2_file_id_hash
, tvb
, 0, 0,
8696 si
->saved
->fid_hash
, "File Id Hash: 0x%04x", si
->saved
->fid_hash
);
8697 proto_item_set_generated(item
);
/* File id */
8701 offset
= dissect_smb2_fid(tvb
, pinfo
, tree
, offset
, si
, FID_MODE_USE
);
8703 /* in buffer offset/length */
8704 offset
= dissect_smb2_olb_length_offset(tvb
, offset
, &i_olb
, OLB_O_UINT32_S_UINT32
, hf_smb2_ioctl_in_data
);
8706 /* max ioctl in size */
8707 proto_tree_add_item(tree
, hf_smb2_max_ioctl_in_size
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
8710 /* out buffer offset/length */
8711 offset
= dissect_smb2_olb_length_offset(tvb
, offset
, &o_olb
, OLB_O_UINT32_S_UINT32
, hf_smb2_ioctl_out_data
);
8713 /* max ioctl out size */
8714 proto_tree_add_item(tree
, hf_smb2_max_ioctl_out_size
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/* Flags, with the is-FSCTL bit broken out in a subtree */
8719 flags_item
= proto_tree_add_item(tree
, hf_smb2_ioctl_flags
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
8720 flags_tree
= proto_item_add_subtree(flags_item
, ett_smb2_ioctl_flags
);
8722 proto_tree_add_item(flags_tree
, hf_smb2_ioctl_is_fsctl
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/* Reserved */
8726 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 4, ENC_NA
);
8729 /* try to decode these blobs in the order they were encoded
8730 * so that for "short" packets we will dissect as much as possible
8731 * before aborting with "short packet"
/* Input offset is the larger one: dissect the output buffer first. */
8733 if (i_olb
.off
>o_olb
.off
) {
8735 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &o_olb
, si
, dissect_smb2_ioctl_data_out
);
8737 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &i_olb
, si
, dissect_smb2_ioctl_data_in
);
/* Other order: input buffer first, then output buffer. */
8740 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &i_olb
, si
, dissect_smb2_ioctl_data_in
);
8742 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &o_olb
, si
, dissect_smb2_ioctl_data_out
);
/* Fold both buffers into the running offset. */
8745 offset
= dissect_smb2_olb_tvb_max_offset(offset
, &o_olb
);
8746 offset
= dissect_smb2_olb_tvb_max_offset(offset
, &i_olb
);
/*
 * Dissect an SMB2 IOCTL response.  si->status selects between the normal
 * layout (buffer code first) and the error response; the error path returns
 * early when dissect_smb2_error_response() clears continue_dissection.
 *
 * The normal layout continues with a reserved field, the IOCTL function,
 * the file id, input and output buffer offset/length, flags and a reserved
 * field, followed by the buffers themselves.
 */
8752 dissect_smb2_ioctl_response(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, smb2_info_t
*si
)
8754 offset_length_buffer_t o_olb
;
8755 offset_length_buffer_t i_olb
;
8756 bool continue_dissection
;
8759 switch (si
->status
) {
8761 /* if we get BUFFER_OVERFLOW there will be truncated data */
/* Status 0: normal response, starts with the buffer code. */
8763 case 0x00000000: offset
= dissect_smb2_buffercode(tree
, tvb
, offset
, NULL
); break;
/* Any other status: error response, which may end the dissection here. */
8764 default: offset
= dissect_smb2_error_response(tvb
, pinfo
, tree
, offset
, si
, &continue_dissection
);
8765 if (!continue_dissection
) return offset
;
/* Reserved */
8769 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 2, ENC_NA
);
8772 /* ioctl function */
8773 offset
= dissect_smb2_ioctl_function(tvb
, pinfo
, tree
, offset
, &si
->ioctl_function
);
/*
 * Show the saved file id hash as a generated item (zero length at offset
 * 0).  si->saved is checked for NULL before it is used.
 */
8776 if (si
->saved
&& si
->saved
->fid_hash
) {
8777 item
= proto_tree_add_uint_format(tree
, hf_smb2_file_id_hash
, tvb
, 0, 0,
8778 si
->saved
->fid_hash
, "File Id Hash: 0x%04x", si
->saved
->fid_hash
);
8779 proto_item_set_generated(item
);
/* File id */
8783 offset
= dissect_smb2_fid(tvb
, pinfo
, tree
, offset
, si
, FID_MODE_USE
);
8785 /* in buffer offset/length */
8786 offset
= dissect_smb2_olb_length_offset(tvb
, offset
, &i_olb
, OLB_O_UINT32_S_UINT32
, hf_smb2_ioctl_in_data
);
8788 /* out buffer offset/length */
8789 offset
= dissect_smb2_olb_length_offset(tvb
, offset
, &o_olb
, OLB_O_UINT32_S_UINT32
, hf_smb2_ioctl_out_data
);
8792 /* flags: reserved: must be zero */
8793 proto_tree_add_item(tree
, hf_smb2_flags
, tvb
, offset
, 4, ENC_NA
);
/* Reserved */
8797 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 4, ENC_NA
);
8800 /* try to decode these blobs in the order they were encoded
8801 * so that for "short" packets we will dissect as much as possible
8802 * before aborting with "short packet"
/* Input offset is the larger one: dissect the output buffer first. */
8804 if (i_olb
.off
>o_olb
.off
) {
8806 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &o_olb
, si
, dissect_smb2_ioctl_data_out
);
8808 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &i_olb
, si
, dissect_smb2_ioctl_data_in
);
/* Other order: input buffer first, then output buffer. */
8811 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &i_olb
, si
, dissect_smb2_ioctl_data_in
);
8813 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &o_olb
, si
, dissect_smb2_ioctl_data_out
);
/* Fold both buffers into the running offset. */
8816 offset
= dissect_smb2_olb_tvb_max_offset(offset
, &i_olb
);
8817 offset
= dissect_smb2_olb_tvb_max_offset(offset
, &o_olb
);
/* Bit values of the Flags byte in an SMB2 READ request. */
8823 #define SMB2_READFLAG_READ_UNBUFFERED 0x01
8824 #define SMB2_READFLAG_READ_COMPRESSED 0x02
/* Display strings for the set / clear state of the UNBUFFERED bit. */
8826 static const true_false_string tfs_read_unbuffered
= {
8827 "Client is asking for UNBUFFERED read",
8828 "Client is NOT asking for UNBUFFERED read"
/* Display strings for the set / clear state of the COMPRESSED bit. */
8831 static const true_false_string tfs_read_compressed
= {
8832 "Client is asking for COMPRESSED data",
8833 "Client is NOT asking for COMPRESSED data"
/*
 * Dissect an SMB2 READ request: buffer code, padding, flags, length, file
 * offset, file id, minimum count, channel, remaining bytes and the channel
 * info blob.
 *
 * The requested length and file offset are appended to the Info column and
 * stored in si->saved (file_offset, bytes_moved).  The channel value decides
 * how the channel info blob is dissected: the RDMA v1 channels use
 * dissect_smb2_rdma_v1_blob, otherwise the blob is added without a
 * sub-dissector.
 */
8837 dissect_smb2_read_request(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, smb2_info_t
*si
)
8839 offset_length_buffer_t c_olb
;
/* Bit fields shown under the read flags byte. */
8845 static int * const flags
[] = {
8846 &hf_smb2_read_flags_unbuffered
,
8847 &hf_smb2_read_flags_compressed
,
/* Buffer code */
8852 offset
= dissect_smb2_buffercode(tree
, tvb
, offset
, NULL
);
/* Padding */
8855 proto_tree_add_item(tree
, hf_smb2_read_padding
, tvb
, offset
, 1, ENC_LITTLE_ENDIAN
);
/* Flags */
8859 proto_tree_add_bitmask(tree
, tvb
, offset
, hf_smb2_read_flags
,
8860 ett_smb2_read_flags
, flags
, ENC_LITTLE_ENDIAN
);
/* Length: read once for the Info column, then added to the tree. */
8864 len
= tvb_get_letohl(tvb
, offset
);
8865 proto_tree_add_item(tree
, hf_smb2_read_length
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/* File offset */
8869 off
= tvb_get_letoh64(tvb
, offset
);
8870 proto_tree_add_item(tree
, hf_smb2_file_offset
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/*
 * NOTE(review): len is filled from tvb_get_letohl(), an unsigned 32-bit
 * read.  If len is declared unsigned, "%d" shows lengths above INT_MAX as
 * negative numbers and "%u" would match the type - confirm the declaration.
 */
8873 col_append_fstr(pinfo
->cinfo
, COL_INFO
, " Len:%d Off:%" PRIu64
, len
, off
);
/* Saved file id hash, shown as a generated item; si->saved may be NULL. */
8876 if (si
->saved
&& si
->saved
->fid_hash
) {
8877 item
= proto_tree_add_uint_format(tree
, hf_smb2_file_id_hash
, tvb
, 0, 0,
8878 si
->saved
->fid_hash
, "File Id Hash: 0x%04x", si
->saved
->fid_hash
);
8879 proto_item_set_generated(item
);
/* File id */
8883 offset
= dissect_smb2_fid(tvb
, pinfo
, tree
, offset
, si
, FID_MODE_USE
);
/* Minimum count */
8886 proto_tree_add_item(tree
, hf_smb2_min_count
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/* Channel: selects the blob dissector below. */
8890 channel
= tvb_get_letohl(tvb
, offset
);
8891 proto_tree_add_item(tree
, hf_smb2_channel
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
8894 /* remaining bytes */
8895 proto_tree_add_item(tree
, hf_smb2_remaining_bytes
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
8898 /* read channel info blob offset/length */
8899 offset
= dissect_smb2_olb_length_offset(tvb
, offset
, &c_olb
, OLB_O_UINT16_S_UINT16
, hf_smb2_channel_info_blob
);
8901 /* the read channel info blob itself */
8903 case SMB2_CHANNEL_RDMA_V1
:
8904 case SMB2_CHANNEL_RDMA_V1_INVALIDATE
:
8905 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &c_olb
, si
, dissect_smb2_rdma_v1_blob
);
/* No RDMA channel: the blob is added without a sub-dissector (NULL). */
8907 case SMB2_CHANNEL_NONE
:
8909 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &c_olb
, si
, NULL
);
8913 offset
= dissect_smb2_olb_tvb_max_offset(offset
, &c_olb
);
8915 /* Store len and offset */
/*
 * NOTE(review): si->saved is dereferenced here, while the file id hash code
 * above treats it as possibly NULL.  A NULL check should guard these two
 * stores; none is visible in this listing - confirm.
 */
8917 si
->saved
->file_offset
=off
;
8918 si
->saved
->bytes_moved
=len
;
/*
 * Buffer callback for the data of a READ response.  The payload is first
 * offered to the pipe dissector (dissect_file_data_smb2_pipe); the final
 * call adds the captured bytes as plain read data.
 */
8925 dissect_smb2_read_blob(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, smb2_info_t
*si
)
/* Only the captured bytes are considered, not the reported length. */
8928 int length
= tvb_captured_length_remaining(tvb
, offset
);
8930 smb2_pipe_set_file_id(pinfo
, si
);
8932 offset
= dissect_file_data_smb2_pipe(tvb
, pinfo
, tree
, offset
, length
, si
->top_tree
, si
);
8934 /* managed to dissect pipe data */
/* Raw read data */
8939 proto_tree_add_item(tree
, hf_smb2_read_data
, tvb
, offset
, length
, ENC_NA
);
/*
 * Dissect an SMB2 READ response.  si->status selects between the normal
 * layout and the error response; the error path returns early when
 * dissect_smb2_error_response() clears continue_dissection.
 *
 * The normal layout holds the data offset/length, the remaining byte count
 * and a reserved field, followed by the data, which is dissected through
 * dissect_smb2_read_blob.  When an export-object tap is listening and the
 * captured data is exactly as long as the packet says, the data is also fed
 * to the tap.
 *
 * Note that si is marked _U_ in the signature although it is used below.
 */
8943 dissect_smb2_read_response(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, int offset
, smb2_info_t
*si _U_
)
8945 offset_length_buffer_t olb
;
8946 uint32_t data_tvb_len
;
8947 bool continue_dissection
;
8950 switch (si
->status
) {
/* Status 0: normal response, starts with the buffer code. */
8952 case 0x00000000: offset
= dissect_smb2_buffercode(tree
, tvb
, offset
, NULL
); break;
/* Any other status: error response, which may end the dissection here. */
8953 default: offset
= dissect_smb2_error_response(tvb
, pinfo
, tree
, offset
, si
, &continue_dissection
);
8954 if (!continue_dissection
) return offset
;
8957 /* data offset 8 bit, 8 bit reserved, length 32bit */
8958 offset
= dissect_smb2_olb_length_offset(tvb
, offset
, &olb
,
8959 OLB_O_UINT8_P_UINT8_S_UINT32
,
/* Remaining bytes */
8963 proto_tree_add_item(tree
, hf_smb2_read_remaining
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/* Saved file id hash, shown as a generated item; si->saved may be NULL. */
8967 if (si
->saved
&& si
->saved
->fid_hash
) {
8968 item
= proto_tree_add_uint_format(tree
, hf_smb2_file_id_hash
, tvb
, 0, 0,
8969 si
->saved
->fid_hash
, "File Id Hash: 0x%04x", si
->saved
->fid_hash
);
8970 proto_item_set_generated(item
);
/* Reserved */
8974 proto_tree_add_item(tree
, hf_smb2_reserved
, tvb
, offset
, 4, ENC_NA
);
/* Bytes actually captured after the fixed header. */
8977 data_tvb_len
=(uint32_t)tvb_captured_length_remaining(tvb
, offset
);
8979 dissect_smb2_olb_buffer(pinfo
, tree
, tvb
, &olb
, si
, dissect_smb2_read_blob
);
/*
 * olb.len is the length claimed by the packet; the advance is clamped to
 * what was captured so offset cannot move past the available data.
 */
8981 offset
+= MIN(olb
.len
, data_tvb_len
);
/*
 * Feed the export-object tap only when the captured data length equals the
 * claimed length, i.e. when the data is neither truncated nor followed by
 * extra bytes.
 */
8983 if (have_tap_listener(smb2_eo_tap
) && (data_tvb_len
== olb
.len
)) {
8984 if (si
->saved
&& si
->eo_file_info
) { /* without this data we don't know which file this belongs to */
8985 feed_eo_smb2(tvb
,pinfo
,si
,olb
.off
,olb
.len
,si
->saved
->file_offset
);
/*
 * Attach an expert item (ei_smb2_bad_response) covering the whole buffer to
 * tree, saying that the create context named by buffer_desc should not have
 * been generated.  The *_buffer_response handlers call this for contexts
 * that are not expected in a response.
 */
8993 report_create_context_malformed_buffer(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, const char *buffer_desc
)
/* buffer_desc is passed as a "%s" argument, never as the format string. */
8995 proto_tree_add_expert_format(tree
, pinfo
, &ei_smb2_bad_response
, tvb
, 0, -1,
8996 "%s SHOULD NOT be generated", buffer_desc
);
/*
 * Dissect the ExtA create context of a request: label the parent item and
 * dissect the buffer as SMB2_FILE_FULL_EA_INFO starting at offset 0.
 */
8999 dissect_smb2_ExtA_buffer_request(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, smb2_info_t
*si
)
9001 proto_item
*item
= NULL
;
9003 item
= proto_tree_get_parent(tree
);
9004 proto_item_append_text(item
, ": SMB2_FILE_FULL_EA_INFO");
9006 dissect_smb2_file_full_ea_info(tvb
, pinfo
, tree
, 0, si
);
/*
 * An ExtA create context in a response is reported as malformed; the buffer
 * content is not dissected.
 */
9010 dissect_smb2_ExtA_buffer_response(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, smb2_info_t
*si _U_
)
9012 report_create_context_malformed_buffer(tvb
, pinfo
, tree
, "ExtA Response");
/*
 * Dissect the SecD create context of a request: label the parent item and
 * dissect the buffer with dissect_smb2_sec_info_00() starting at offset 0.
 */
9016 dissect_smb2_SecD_buffer_request(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, smb2_info_t
*si
)
9018 proto_item
*item
= NULL
;
9020 item
= proto_tree_get_parent(tree
);
9021 proto_item_append_text(item
, ": SMB2_SEC_INFO_00");
9023 dissect_smb2_sec_info_00(tvb
, pinfo
, tree
, 0, si
);
/*
 * A SecD create context in a response is reported as malformed; the buffer
 * content is not dissected.
 */
9027 dissect_smb2_SecD_buffer_response(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, smb2_info_t
*si _U_
)
9029 report_create_context_malformed_buffer(tvb
, pinfo
, tree
, "SecD Response");
9033 * Add the timestamp to the info column and to the name of the file if
9034 * we have not visited this packet before.
/*
 * Read the 64-bit FILETIME at offset as two little-endian 32-bit halves,
 * convert it with filetime_to_nstime() and append "@<UTC time>" to the Info
 * column.  On the first pass over the packet the same suffix is appended to
 * the file name saved in si->saved->extra_info.
 */
9037 add_timestamp_to_info_col(tvbuff_t
*tvb
, packet_info
*pinfo
, smb2_info_t
*si
,
9040 uint32_t filetime_high
, filetime_low
;
/* Low half first, high half four bytes later. */
9044 filetime_low
= tvb_get_letohl(tvb
, offset
);
9045 filetime_high
= tvb_get_letohl(tvb
, offset
+ 4);
9047 ft
= ((uint64_t)filetime_high
<< 32) | filetime_low
;
/* A FILETIME that cannot be converted is handled in this branch. */
9048 if (!filetime_to_nstime(&ts
, ft
)) {
9052 col_append_fstr(pinfo
->cinfo
, COL_INFO
, "@%s",
9053 abs_time_to_str(pinfo
->pool
, &ts
, ABSOLUTE_TIME_UTC
,
9056 /* Append the timestamp */
/*
 * Only on the first visit, so the suffix is not appended again when the
 * packet is re-dissected.
 */
9057 if (!pinfo
->fd
->visited
) {
/*
 * extra_info is treated as a string only when extra_info_type says it is a
 * file name; si->saved is checked for NULL first.
 */
9058 if (si
->saved
&& si
->saved
->extra_info_type
== SMB2_EI_FILENAME
) {
9059 char *saved_name
= (char *)si
->saved
->extra_info
;
/*
 * The new name is allocated in file scope and replaces the pointer before
 * the old string is freed from the same scope.  The time string itself
 * comes from the per-packet pool and is copied by the printf.
 */
9061 si
->saved
->extra_info
= wmem_strdup_printf(wmem_file_scope(),
9062 "%s@%s", (char *)saved_name
,
9063 abs_time_to_str(pinfo
->pool
, &ts
,
9064 ABSOLUTE_TIME_UTC
, false));
9065 wmem_free(wmem_file_scope(), saved_name
);
/*
 * Dissect the TWrp (timewarp) create context of a request: label the parent
 * item, add the timestamp to the Info column and saved file name, and add
 * the NT time at offset 0 to the tree.
 *
 * pinfo and si are marked _U_ in the signature although both are passed on.
 */
9071 dissect_smb2_TWrp_buffer_request(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, smb2_info_t
*si _U_
)
9073 proto_item
*item
= NULL
;
9075 item
= proto_tree_get_parent(tree
);
9076 proto_item_append_text(item
, ": Timestamp");
9078 add_timestamp_to_info_col(tvb
, pinfo
, si
, 0);
9079 dissect_nttime(tvb
, tree
, 0, hf_smb2_twrp_timestamp
, ENC_LITTLE_ENDIAN
);
/*
 * A TWrp create context in a response is reported as malformed; the buffer
 * content is not dissected.
 */
9083 dissect_smb2_TWrp_buffer_response(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, smb2_info_t
*si _U_
)
9085 report_create_context_malformed_buffer(tvb
, pinfo
, tree
, "TWrp Response");
/*
 * Check the QFid create context of a request.  The context is expected to
 * be empty: a zero reported length is labelled "NO DATA", anything else is
 * labelled as a malformed packet on the parent item.
 */
9089 dissect_smb2_QFid_buffer_request(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, smb2_info_t
*si _U_
)
9091 proto_item
*item
= NULL
;
9094 item
= proto_tree_get_parent(tree
);
9098 if (tvb_reported_length(tvb
) == 0) {
9099 proto_item_append_text(item
, ": NO DATA");
/* Non-empty buffer: only flagged in the item text, not dissected. */
9101 proto_item_append_text(item
, ": QFid request should have no data, malformed packet");
/*
 * Dissect the QFid create context of a response: label the parent item and
 * add a "QFid INFO" subtree holding the 32-byte opaque file id.
 */
9107 dissect_smb2_QFid_buffer_response(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, smb2_info_t
*si _U_
)
9111 proto_item
*sub_tree
;
9113 item
= proto_tree_get_parent(tree
);
9115 proto_item_append_text(item
, ": QFid INFO");
/* Length -1: the subtree covers the rest of the buffer. */
9116 sub_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, -1, ett_smb2_QFid_buffer
, NULL
, "QFid INFO");
/* Opaque file id, shown as raw bytes */
9118 proto_tree_add_item(sub_tree
, hf_smb2_qfid_fid
, tvb
, offset
, 32, ENC_NA
);
/*
 * Dissect the AlSi create context of a request: an 8-byte little-endian
 * allocation size at offset 0.
 */
9122 dissect_smb2_AlSi_buffer_request(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, smb2_info_t
*si _U_
)
9124 proto_tree_add_item(tree
, hf_smb2_allocation_size
, tvb
, 0, 8, ENC_LITTLE_ENDIAN
);
/*
 * An AlSi create context in a response is reported as malformed; the buffer
 * content is not dissected.
 */
9128 dissect_smb2_AlSi_buffer_response(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, smb2_info_t
*si _U_
)
9130 report_create_context_malformed_buffer(tvb
, pinfo
, tree
, "AlSi Response");
/*
 * Dissect the DHnQ create context of a request: the buffer is dissected as
 * a file id at offset 0 in FID_MODE_DHNQ.
 */
9134 dissect_smb2_DHnQ_buffer_request(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, smb2_info_t
*si
)
9136 dissect_smb2_fid(tvb
, pinfo
, tree
, 0, si
, FID_MODE_DHNQ
);
/*
 * Dissect the DHnQ create context of a response: 8 reserved bytes at
 * offset 0.
 */
9140 dissect_smb2_DHnQ_buffer_response(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, smb2_info_t
*si _U_
)
9142 proto_tree_add_item(tree
, hf_smb2_dhnq_buffer_reserved
, tvb
, 0, 8, ENC_LITTLE_ENDIAN
);
/*
 * Dissect the DHnC create context of a request: the buffer is dissected as
 * a file id at offset 0 in FID_MODE_DHNC.
 */
9146 dissect_smb2_DHnC_buffer_request(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, smb2_info_t
*si
)
9148 dissect_smb2_fid(tvb
, pinfo
, tree
, 0, si
, FID_MODE_DHNC
);
/*
 * A DHnC create context in a response is reported as malformed; the buffer
 * content is not dissected.
 */
9152 dissect_smb2_DHnC_buffer_response(tvbuff_t
*tvb
, packet_info
*pinfo
, proto_tree
*tree
, smb2_info_t
*si _U_
)
9154 report_create_context_malformed_buffer(tvb
, pinfo
, tree
, "DHnC Response");
9158 * SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2
9164 * SMB2_CREATE_DURABLE_HANDLE_RESPONSE_V2
9168 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
9173 * SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2
/* Persistent-handle bit of the Flags field in the durable handle v2 (DH2x) buffers. */
9176 #define SMB2_DH2X_FLAGS_PERSISTENT_HANDLE 0x00000002
/*
 * Dissect the DH2Q create context of a request: label the parent item and
 * add a "DH2Q Request" subtree with timeout (4 bytes), a flags bitmask,
 * reserved (8 bytes) and the 16-byte create GUID.
 */
9179 dissect_smb2_DH2Q_buffer_request(tvbuff_t
*tvb
, packet_info
*pinfo _U_
, proto_tree
*tree
, smb2_info_t
*si _U_
)
/* Bit fields shown under the flags word. */
9181 static int * const dh2x_flags_fields
[] = {
9182 &hf_smb2_dh2x_buffer_flags_persistent_handle
,
9187 proto_item
*sub_tree
;
9189 item
= proto_tree_get_parent(tree
);
9191 proto_item_append_text(item
, ": DH2Q Request");
/* Length -1: the subtree covers the rest of the buffer. */
9192 sub_tree
= proto_tree_add_subtree(tree
, tvb
, offset
, -1, ett_smb2_DH2Q_buffer
, NULL
, "DH2Q Request");
/* Timeout */
9195 proto_tree_add_item(sub_tree
, hf_smb2_dh2x_buffer_timeout
, tvb
, offset
, 4, ENC_LITTLE_ENDIAN
);
/* Flags */
9199 proto_tree_add_bitmask(sub_tree
, tvb
, offset
, hf_smb2_dh2x_buffer_flags
,
9200 ett_smb2_dh2x_flags
, dh2x_flags_fields
, ENC_LITTLE_ENDIAN
);
/* Reserved */
9204 proto_tree_add_item(sub_tree
, hf_smb2_dh2x_buffer_reserved
, tvb
, offset
, 8, ENC_LITTLE_ENDIAN
);
/* Create GUID */
9208 proto_tree_add_item(sub_tree
, hf_smb2_dh2x_buffer_create_guid
, tvb
, offset
, 16, ENC_LITTLE_ENDIAN
);
/*
 * Dissect the data of a "DH2Q" create context in a response: a 4-byte
 * timeout followed by a 4-byte flags value, both little-endian.  Unlike the
 * request dissector, the flags are added as a plain item, not a bitmask.
 */
static void
dissect_smb2_DH2Q_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	int         pos    = 0;
	proto_item *parent = proto_tree_get_parent(tree);
	proto_item *dh2q_tree;

	proto_item_append_text(parent, ": DH2Q Response");
	dh2q_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_DH2Q_buffer, NULL, "DH2Q Response");

	/* timeout */
	proto_tree_add_item(dh2q_tree, hf_smb2_dh2x_buffer_timeout, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* flags */
	proto_tree_add_item(dh2q_tree, hf_smb2_dh2x_buffer_flags, tvb, pos, 4, ENC_LITTLE_ENDIAN);
}
/*
 * Dissect the data of a "DH2C" create context in a request.
 *
 * Layout as read here:
 *   16 - file id (via dissect_smb2_fid() in FID_MODE_DHNC)
 *   16 - create guid
 *    4 - flags
 */
static void
dissect_smb2_DH2C_buffer_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si)
{
	int         pos    = 0;
	proto_item *parent = proto_tree_get_parent(tree);
	proto_item *dh2c_tree;

	proto_item_append_text(parent, ": DH2C Request");
	dh2c_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_DH2C_buffer, NULL, "DH2C Request");

	/* file id; the helper's return value is not used, the cursor advances by 16 */
	dissect_smb2_fid(tvb, pinfo, dh2c_tree, pos, si, FID_MODE_DHNC);
	pos += 16;

	/* create guid */
	proto_tree_add_item(dh2c_tree, hf_smb2_dh2x_buffer_create_guid, tvb, pos, 16, ENC_LITTLE_ENDIAN);
	pos += 16;

	/* flags */
	proto_tree_add_item(dh2c_tree, hf_smb2_dh2x_buffer_flags, tvb, pos, 4, ENC_LITTLE_ENDIAN);
}
/*
 * A "DH2C" create context in a response is not dissected; the buffer is
 * handed to report_create_context_malformed_buffer() with the label
 * "DH2C Response".
 */
static void
dissect_smb2_DH2C_buffer_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, smb2_info_t *si _U_)
{
	static const char label[] = "DH2C Response";

	report_create_context_malformed_buffer(tvb, pinfo, tree, label);
}
/*
 * Dissect the data of an "MxAc" create context in a request.
 *
 * An empty buffer is labelled ": NO DATA" and nothing else is added;
 * otherwise the buffer is labelled ": Timestamp" and the NT time at
 * offset 0 is added as hf_smb2_mxac_timestamp.
 */
static void
dissect_smb2_MxAc_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	const int   start  = 0;
	proto_item *parent = tree ? proto_tree_get_parent(tree) : NULL;
	const bool  empty  = (tvb_reported_length(tvb) == 0);

	/* The label is only appended when a parent item exists. */
	if (parent) {
		proto_item_append_text(parent, empty ? ": NO DATA" : ": Timestamp");
	}

	if (empty) {
		return;
	}

	dissect_nttime(tvb, tree, start, hf_smb2_mxac_timestamp, ENC_LITTLE_ENDIAN);
}
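/*
 * Dissect the data of an "MxAc" create context in a response.
 *
 * An empty buffer is labelled ": NO DATA".  Otherwise an "MxAc INFO"
 * subtree is opened and two fields are added:
 *    4 - status
 *    4 - access mask (via dissect_smb_access_mask())
 *
 * The status is read little-endian, like the other multi-byte integers in
 * these create-context dissectors (for example hf_smb2_nt_status in the
 * AAPL response).  Reading it big-endian shows a byte-swapped value for any
 * non-zero status, which misleads whoever is reading the capture.
 */
static void
dissect_smb2_MxAc_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	int         offset = 0;
	proto_item *item;
	proto_tree *sub_tree;

	item = proto_tree_get_parent(tree);

	if (tvb_reported_length(tvb) == 0) {
		proto_item_append_text(item, ": NO DATA");
		return;
	}

	proto_item_append_text(item, ": MxAc INFO");
	sub_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_MxAc_buffer, NULL, "MxAc INFO");

	/* status */
	proto_tree_add_item(sub_tree, hf_smb2_mxac_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* maximal access */
	dissect_smb_access_mask(tvb, sub_tree, offset);
}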
9309 * SMB2_CREATE_REQUEST_LEASE 32
9313 * 8 - lease duration
9315 * SMB2_CREATE_REQUEST_LEASE_V2 52
9319 * 8 - lease duration
9320 * 16 - parent lease key
/* Lease state bits. */
#define SMB2_LEASE_STATE_READ_CACHING   0x00000001
#define SMB2_LEASE_STATE_HANDLE_CACHING 0x00000002
#define SMB2_LEASE_STATE_WRITE_CACHING  0x00000004

/* Lease flag bits. */
#define SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED   0x00000001
#define SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS    0x00000002
#define SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET 0x00000004

/* Sub-fields shown under hf_smb2_lease_state by proto_tree_add_bitmask(). */
static int * const lease_state_fields[] = {
	&hf_smb2_lease_state_read_caching,
	&hf_smb2_lease_state_handle_caching,
	&hf_smb2_lease_state_write_caching,
	NULL
};

/* Sub-fields shown under hf_smb2_lease_flags by proto_tree_add_bitmask(). */
static int * const lease_flags_fields[] = {
	&hf_smb2_lease_flags_break_ack_required,
	&hf_smb2_lease_flags_break_in_progress,
	&hf_smb2_lease_flags_parent_lease_key_set,
	NULL
};
/*
 * Dissect an "RqLs" lease create context, request or response.
 *
 * The layout is chosen from the reported buffer length alone:
 *   32 bytes - LEASE_V1: key (16), state (4), flags (4), duration (8)
 *   52 bytes - LEASE_V2: the V1 fields, then parent lease key (16),
 *              epoch (2), reserved (2)
 * Any other length is passed to report_create_context_malformed_buffer();
 * no subtree is created in that case, so the field calls that follow are
 * made with a NULL subtree.
 */
static void
dissect_SMB2_CREATE_LEASE_VX(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *parent_tree, smb2_info_t *si _U_)
{
	int         pos         = 0;
	proto_tree *lease_tree  = NULL;
	proto_item *parent_item = proto_tree_get_parent(parent_tree);
	int         len         = tvb_reported_length(tvb);

	if (len == 32) {
		/* SMB2_CREATE_REQUEST/RESPONSE_LEASE */
		proto_item_append_text(parent_item, ": LEASE_V1");
		lease_tree = proto_tree_add_subtree(parent_tree, tvb, pos, -1, ett_smb2_RqLs_buffer, NULL, "LEASE_V1");
	} else if (len == 52) {
		/* SMB2_CREATE_REQUEST/RESPONSE_LEASE_V2 */
		proto_item_append_text(parent_item, ": LEASE_V2");
		lease_tree = proto_tree_add_subtree(parent_tree, tvb, pos, -1, ett_smb2_RqLs_buffer, NULL, "LEASE_V2");
	} else {
		report_create_context_malformed_buffer(tvb, pinfo, parent_tree, "RqLs");
	}

	/* lease key */
	proto_tree_add_item(lease_tree, hf_smb2_lease_key, tvb, pos, 16, ENC_LITTLE_ENDIAN);
	pos += 16;

	/* lease state */
	proto_tree_add_bitmask(lease_tree, tvb, pos, hf_smb2_lease_state,
			       ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* lease flags */
	proto_tree_add_bitmask(lease_tree, tvb, pos, hf_smb2_lease_flags,
			       ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* lease duration */
	proto_tree_add_item(lease_tree, hf_smb2_lease_duration, tvb, pos, 8, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* The remaining fields exist only in the 52-byte (V2) layout. */
	if (len >= 52) {
		proto_tree_add_item(lease_tree, hf_smb2_parent_lease_key, tvb, pos, 16, ENC_LITTLE_ENDIAN);
		pos += 16;

		proto_tree_add_item(lease_tree, hf_smb2_lease_epoch, tvb, pos, 2, ENC_LITTLE_ENDIAN);
		pos += 2;

		proto_tree_add_item(lease_tree, hf_smb2_lease_reserved, tvb, pos, 2, ENC_LITTLE_ENDIAN);
	}
}
/*
 * Request-side entry for the "RqLs" create context.  Requests and
 * responses share one layout, so this forwards all arguments to
 * dissect_SMB2_CREATE_LEASE_VX().
 */
static void
dissect_smb2_RqLs_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
}
/*
 * Response-side entry for the "RqLs" create context.  Requests and
 * responses share one layout, so this forwards all arguments to
 * dissect_SMB2_CREATE_LEASE_VX().
 */
static void
dissect_smb2_RqLs_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	dissect_SMB2_CREATE_LEASE_VX(tvb, pinfo, tree, si);
}
9411 * SMB2_CREATE_APP_INSTANCE_ID
9412 * 2 - structure size - 20
9414 * 16 - application guid
/*
 * Dissect the data of an SMB2_CREATE_APP_INSTANCE_ID create context in a
 * request.
 *
 * Layout as read here (little-endian):
 *    2 - structure size
 *    2 - reserved
 *   16 - application guid
 * The structure size is displayed only; it is not checked against the
 * buffer length.
 */
static void
dissect_smb2_APP_INSTANCE_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	int         pos    = 0;
	proto_item *parent = proto_tree_get_parent(tree);
	proto_item *app_tree;

	proto_item_append_text(parent, ": CREATE APP INSTANCE ID");
	app_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_APP_INSTANCE_buffer, NULL, "APP INSTANCE ID");

	/* struct size */
	proto_tree_add_item(app_tree, hf_smb2_APP_INSTANCE_buffer_struct_size,
			    tvb, pos, 2, ENC_LITTLE_ENDIAN);
	pos += 2;

	/* reserved */
	proto_tree_add_item(app_tree, hf_smb2_APP_INSTANCE_buffer_reserved,
			    tvb, pos, 2, ENC_LITTLE_ENDIAN);
	pos += 2;

	/* application guid */
	proto_tree_add_item(app_tree, hf_smb2_APP_INSTANCE_buffer_app_guid, tvb, pos, 16, ENC_LITTLE_ENDIAN);
}
/*
 * An APP INSTANCE ID create context in a response is not dissected; the
 * buffer is handed to report_create_context_malformed_buffer() with the
 * label "APP INSTANCE Response".
 */
static void
dissect_smb2_APP_INSTANCE_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	static const char label[] = "APP INSTANCE Response";

	report_create_context_malformed_buffer(tvb, pinfo, tree, label);
}
9450 * Dissect the MS-RSVD stuff that turns up when HyperV uses SMB3.x
/*
 * Dissect an SVHDX_OPEN_DEVICE_CONTEXT create context (MS-RSVD, seen when
 * Hyper-V uses SMB3.x).  The same routine is registered for requests and
 * responses.
 *
 * Fields are added at fixed offsets in wire order.  InitiatorHostName is
 * always added as a fixed 126-byte field: InitiatorHostNameLength is
 * displayed but is not used to bound the name.  The trailing virtual-disk
 * fields are added only when the Version field reads 2.
 */
static void
dissect_smb2_svhdx_open_device_context(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	int         pos    = 0;
	uint32_t    version;
	proto_item *parent = proto_tree_get_parent(tree);
	proto_item *ctx_tree;

	proto_item_append_text(parent, ": SVHDX OPEN DEVICE CONTEXT");
	ctx_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_svhdx_open_device_context, NULL, "SVHDX OPEN DEVICE CONTEXT");

	/* Version */
	proto_tree_add_item_ret_uint(ctx_tree, hf_smb2_svhdx_open_device_context_version,
				     tvb, pos, 4, ENC_LITTLE_ENDIAN, &version);
	pos += 4;

	/* HasInitiatorId */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_has_initiator_id,
			    tvb, pos, 1, ENC_LITTLE_ENDIAN);
	pos += 1;

	/* Reserved */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_reserved,
			    tvb, pos, 3, ENC_NA);
	pos += 3;

	/* InitiatorId */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_initiator_id,
			    tvb, pos, 16, ENC_LITTLE_ENDIAN);
	pos += 16;

	/* Flags TODO: Dissect these */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_flags,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* OriginatorFlags */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_originator_flags,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* OpenRequestId */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_open_request_id,
			    tvb, pos, 8, ENC_LITTLE_ENDIAN);
	pos += 8;

	/* InitiatorHostNameLength */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_initiator_host_name_len,
			    tvb, pos, 2, ENC_LITTLE_ENDIAN);
	pos += 2;

	/* InitiatorHostName */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_initiator_host_name,
			    tvb, pos, 126, ENC_ASCII | ENC_NA);
	pos += 126;

	if (version != 2) {
		return;
	}

	/* VirtualDiskPropertiesInitialized */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* ServerServiceVersion */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_server_service_version,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* VirtualSectorSize */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_virtual_sector_size,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* PhysicalSectorSize */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_physical_sector_size,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* VirtualSize */
	proto_tree_add_item(ctx_tree, hf_smb2_svhdx_open_device_context_virtual_size,
			    tvb, pos, 8, ENC_LITTLE_ENDIAN);
}
9538 * SMB2_CREATE_APP_INSTANCE_VERSION
9539 * 2 - structure size - 24
9542 * 8 - AppInstanceVersionHigh
9543 * 8 - AppInstanceVersionLow
/*
 * Dissect the data of an SMB2_CREATE_APP_INSTANCE_VERSION create context
 * in a request.
 *
 * Layout as read here (little-endian):
 *    2 - structure size
 *    2 - reserved
 *    4 - padding
 *    8 - version high
 *    8 - version low
 * The two version halves are also appended as "high.low" text to the
 * version subtree and to the enclosing subtree.
 */
static void
dissect_smb2_app_instance_version_buffer_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	int         pos    = 0;
	proto_item *parent = proto_tree_get_parent(tree);
	proto_item *ver_ctx_tree;
	proto_item *ver_tree;
	uint64_t    hi;
	uint64_t    lo;

	proto_item_append_text(parent, ": CREATE APP INSTANCE VERSION");
	ver_ctx_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_app_instance_version_buffer, NULL, "APP INSTANCE VERSION");

	/* struct size */
	proto_tree_add_item(ver_ctx_tree, hf_smb2_app_instance_version_struct_size,
			    tvb, pos, 2, ENC_LITTLE_ENDIAN);
	pos += 2;

	/* reserved */
	proto_tree_add_item(ver_ctx_tree, hf_smb2_app_instance_version_reserved,
			    tvb, pos, 2, ENC_LITTLE_ENDIAN);
	pos += 2;

	/* padding */
	proto_tree_add_item(ver_ctx_tree, hf_smb2_app_instance_version_padding,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	ver_tree = proto_tree_add_subtree(ver_ctx_tree, tvb, pos, -1, ett_smb2_app_instance_version_buffer_version, NULL, "version");

	/* version high */
	proto_tree_add_item_ret_uint64(ver_tree, hf_smb2_app_instance_version_high,
				       tvb, pos, 8, ENC_LITTLE_ENDIAN, &hi);
	pos += 8;

	/* version low */
	proto_tree_add_item_ret_uint64(ver_tree, hf_smb2_app_instance_version_low,
				       tvb, pos, 8, ENC_LITTLE_ENDIAN, &lo);

	proto_item_append_text(ver_tree, " : %" PRIu64 ".%" PRIu64, hi, lo);
	proto_item_append_text(ver_ctx_tree, ", version: %" PRIu64 ".%" PRIu64, hi, lo);
}
/*
 * An APP INSTANCE VERSION create context in a response is not dissected;
 * the buffer is handed to report_create_context_malformed_buffer() with
 * the label "APP INSTANCE Version Response".
 */
static void
dissect_smb2_app_instance_version_buffer_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, smb2_info_t *si _U_)
{
	static const char label[] = "APP INSTANCE Version Response";

	report_create_context_malformed_buffer(tvb, pinfo, tree, label);
}
/*
 * Dissect the data of a POSIX create context in a request: labels the
 * parent item and adds the 4-byte little-endian POSIX mode bits found at
 * the start of the buffer.
 */
static void
dissect_smb2_posix_buffer_request(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
{
	const int   start  = 0;
	proto_item *parent = proto_tree_get_parent(tree);

	proto_item_append_text(parent, ": POSIX Create Context request");

	/* POSIX mode bits */
	proto_tree_add_item(tree, hf_smb2_posix_perms, tvb, start, 4, ENC_LITTLE_ENDIAN);
}
/*
 * Dissect the data of a POSIX create context in a response.
 *
 * Layout as read here:
 *    4 - number of hard links
 *    4 - reparse tag
 *    4 - POSIX mode bits
 *    n - owner SID, then group SID (both via dissect_nt_sid(), which
 *        returns the offset following the SID it consumed)
 */
static void
dissect_smb2_posix_buffer_response(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
{
	int         pos    = 0;
	proto_item *parent = proto_tree_get_parent(tree);

	proto_item_append_text(parent, ": POSIX Create Context response");

	/* Hardlinks */
	proto_tree_add_item(tree, hf_smb2_nlinks, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* Reparse tag */
	proto_tree_add_item(tree, hf_smb2_reparse_tag, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* POSIX mode bits */
	proto_tree_add_item(tree, hf_smb2_posix_perms, tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	/* Owner and Group SID */
	pos = dissect_nt_sid(tvb, pos, tree, "Owner SID", NULL, -1);
	dissect_nt_sid(tvb, pos, tree, "Group SID", NULL, -1);
}
/* AAPL create-context command codes. */
#define SMB2_AAPL_SERVER_QUERY 1
#define SMB2_AAPL_RESOLVE_ID   2

/* Display names for the command codes above. */
static const value_string aapl_command_code_vals[] = {
	{ SMB2_AAPL_SERVER_QUERY, "Server query"},
	{ SMB2_AAPL_RESOLVE_ID,   "Resolve ID"},
	{ 0, NULL }
};

/* Bits of the server-query bitmap; they select which blocks a reply carries. */
#define SMB2_AAPL_SERVER_CAPS 0x00000001
#define SMB2_AAPL_VOLUME_CAPS 0x00000002
#define SMB2_AAPL_MODEL_INFO  0x00000004

/* Sub-fields shown under hf_smb2_aapl_server_query_bitmask. */
static int * const aapl_server_query_bitmap_fields[] = {
	&hf_smb2_aapl_server_query_bitmask_server_caps,
	&hf_smb2_aapl_server_query_bitmask_volume_caps,
	&hf_smb2_aapl_server_query_bitmask_model_info,
	NULL
};

/* Capability bits of the server-query capabilities field. */
#define SMB2_AAPL_SUPPORTS_READ_DIR_ATTR 0x00000001
#define SMB2_AAPL_SUPPORTS_OSX_COPYFILE  0x00000002
#define SMB2_AAPL_UNIX_BASED             0x00000004
#define SMB2_AAPL_SUPPORTS_NFS_ACE       0x00000008

/* Sub-fields shown under hf_smb2_aapl_server_query_caps. */
static int * const aapl_server_query_caps_fields[] = {
	&hf_smb2_aapl_server_query_caps_supports_read_dir_attr,
	&hf_smb2_aapl_server_query_caps_supports_osx_copyfile,
	&hf_smb2_aapl_server_query_caps_unix_based,
	&hf_smb2_aapl_server_query_caps_supports_nfs_ace,
	NULL
};
/*
 * Dissect the data of an "AAPL" create context in a request.
 *
 * Common header: 4-byte command code, 4-byte reserved.  The command code
 * then selects the rest:
 *   SMB2_AAPL_SERVER_QUERY - request bitmap (8), client capabilities
 *   SMB2_AAPL_RESOLVE_ID   - file id (8)
 * Any other command code adds nothing after the header.
 */
static void
dissect_smb2_AAPL_buffer_request(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
{
	int         pos    = 0;
	proto_item *parent = proto_tree_get_parent(tree);
	proto_item *aapl_tree;
	uint32_t    cmd;

	proto_item_append_text(parent, ": AAPL Create Context request");
	aapl_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_aapl_create_context_request, NULL, "AAPL Create Context request");

	/* Command code */
	proto_tree_add_item_ret_uint(aapl_tree, hf_smb2_aapl_command_code,
				     tvb, pos, 4, ENC_LITTLE_ENDIAN, &cmd);
	pos += 4;

	/* Reserved */
	proto_tree_add_item(aapl_tree, hf_smb2_aapl_reserved,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	if (cmd == SMB2_AAPL_SERVER_QUERY) {
		/* Request bitmap */
		proto_tree_add_bitmask(aapl_tree, tvb, pos,
				       hf_smb2_aapl_server_query_bitmask,
				       ett_smb2_aapl_server_query_bitmask,
				       aapl_server_query_bitmap_fields,
				       ENC_LITTLE_ENDIAN);
		pos += 8;

		/* Client capabilities */
		proto_tree_add_bitmask(aapl_tree, tvb, pos,
				       hf_smb2_aapl_server_query_caps,
				       ett_smb2_aapl_server_query_caps,
				       aapl_server_query_caps_fields,
				       ENC_LITTLE_ENDIAN);
	} else if (cmd == SMB2_AAPL_RESOLVE_ID) {
		/* file ID */
		proto_tree_add_item(aapl_tree, hf_smb2_file_id, tvb, pos, 8, ENC_LITTLE_ENDIAN);
	}
}
/* Bits of the AAPL server-query volume capabilities field. */
#define SMB2_AAPL_SUPPORTS_RESOLVE_ID 0x00000001
#define SMB2_AAPL_CASE_SENSITIVE      0x00000002
#define SMB2_AAPL_SUPPORTS_FULL_SYNC  0x00000004

/* Sub-fields shown under hf_smb2_aapl_server_query_volume_caps. */
static int * const aapl_server_query_volume_caps_fields[] = {
	&hf_smb2_aapl_server_query_volume_caps_support_resolve_id,
	&hf_smb2_aapl_server_query_volume_caps_case_sensitive,
	&hf_smb2_aapl_server_query_volume_caps_supports_full_sync,
	NULL
};
/*
 * Dissect the data of an "AAPL" create context in a response.
 *
 * Common header: 4-byte command code, 4-byte reserved.  For
 * SMB2_AAPL_SERVER_QUERY the 8-byte reply bitmap follows, and each bit set
 * in it adds one more block, in this order: server capabilities (8),
 * volume capabilities (8), then 4 bytes of padding and the model string.
 * For SMB2_AAPL_RESOLVE_ID an NT status (4) and the server path follow.
 *
 * Which optional blocks are decoded is driven entirely by the bitmap taken
 * from the packet, so a bitmap that does not match the actual payload
 * shifts every later field.
 */
static void
dissect_smb2_AAPL_buffer_response(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, smb2_info_t *si _U_)
{
	int         pos    = 0;
	proto_item *parent = proto_tree_get_parent(tree);
	proto_item *aapl_tree;
	uint32_t    cmd;
	uint64_t    reply_bits;

	proto_item_append_text(parent, ": AAPL Create Context response");
	aapl_tree = proto_tree_add_subtree(tree, tvb, pos, -1, ett_smb2_aapl_create_context_response, NULL, "AAPL Create Context response");

	/* Command code */
	proto_tree_add_item_ret_uint(aapl_tree, hf_smb2_aapl_command_code,
				     tvb, pos, 4, ENC_LITTLE_ENDIAN, &cmd);
	pos += 4;

	/* Reserved */
	proto_tree_add_item(aapl_tree, hf_smb2_aapl_reserved,
			    tvb, pos, 4, ENC_LITTLE_ENDIAN);
	pos += 4;

	if (cmd == SMB2_AAPL_SERVER_QUERY) {
		/* Reply bitmap */
		proto_tree_add_bitmask_ret_uint64(aapl_tree, tvb, pos,
						  hf_smb2_aapl_server_query_bitmask,
						  ett_smb2_aapl_server_query_bitmask,
						  aapl_server_query_bitmap_fields,
						  ENC_LITTLE_ENDIAN,
						  &reply_bits);
		pos += 8;

		if (reply_bits & SMB2_AAPL_SERVER_CAPS) {
			/* Server capabilities */
			proto_tree_add_bitmask(aapl_tree, tvb, pos,
					       hf_smb2_aapl_server_query_caps,
					       ett_smb2_aapl_server_query_caps,
					       aapl_server_query_caps_fields,
					       ENC_LITTLE_ENDIAN);
			pos += 8;
		}
		if (reply_bits & SMB2_AAPL_VOLUME_CAPS) {
			/* Volume capabilities */
			proto_tree_add_bitmask(aapl_tree, tvb, pos,
					       hf_smb2_aapl_server_query_volume_caps,
					       ett_smb2_aapl_server_query_volume_caps,
					       aapl_server_query_volume_caps_fields,
					       ENC_LITTLE_ENDIAN);
			pos += 8;
		}
		if (reply_bits & SMB2_AAPL_MODEL_INFO) {
			/* Padding */
			pos += 4;

			/* Model string */
			proto_tree_add_item(aapl_tree, hf_smb2_aapl_server_query_model_string,
					    tvb, pos, 4,
					    ENC_UTF_16|ENC_LITTLE_ENDIAN);
		}
	} else if (cmd == SMB2_AAPL_RESOLVE_ID) {
		/* NT status */
		proto_tree_add_item(aapl_tree, hf_smb2_nt_status, tvb, pos, 4, ENC_LITTLE_ENDIAN);
		pos += 4;

		/* Server path */
		proto_tree_add_item(aapl_tree, hf_smb2_aapl_server_query_server_path,
				    tvb, pos, 4,
				    ENC_UTF_16|ENC_LITTLE_ENDIAN);
	}
}
/* Signature shared by every create-context data dissector in this file. */
typedef void (*create_context_data_dissector_t)(tvbuff_t *tvb,
						packet_info *pinfo,
						proto_tree *tree,
						smb2_info_t *si);

/* Request-side and response-side dissector for one create-context type. */
struct create_context_data_dissectors {
	create_context_data_dissector_t request;
	create_context_data_dissector_t response;
};
typedef struct create_context_data_dissectors create_context_data_dissectors_t;

/* One lookup-table row: wire tag, display name, and the dissector pair. */
struct create_context_data_tag_dissectors {
	const char *tag;	/* compared with strcmp() against the tag taken from the packet */
	const char *val;	/* appended to the tree item text */
	create_context_data_dissectors_t dissectors;
};
/*
 * Lookup table from create-context tag to its display name and dissectors.
 *
 * Tags are either 4-character names or GUIDs in string form.  Matching is
 * an exact, case-sensitive strcmp(), which is why APP_INSTANCE_ID appears
 * twice: once as the upper-case string form and once in the lower-case
 * form produced when a 16-byte binary tag is converted with guid_to_str().
 */
static struct create_context_data_tag_dissectors create_context_dissectors_array[] = {
	{ .tag = "ExtA", .val = "SMB2_CREATE_EA_BUFFER",
	  .dissectors = { dissect_smb2_ExtA_buffer_request, dissect_smb2_ExtA_buffer_response } },
	{ .tag = "SecD", .val = "SMB2_CREATE_SD_BUFFER",
	  .dissectors = { dissect_smb2_SecD_buffer_request, dissect_smb2_SecD_buffer_response } },
	{ .tag = "AlSi", .val = "SMB2_CREATE_ALLOCATION_SIZE",
	  .dissectors = { dissect_smb2_AlSi_buffer_request, dissect_smb2_AlSi_buffer_response } },
	{ .tag = "MxAc", .val = "SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST",
	  .dissectors = { dissect_smb2_MxAc_buffer_request, dissect_smb2_MxAc_buffer_response } },
	{ .tag = "DHnQ", .val = "SMB2_CREATE_DURABLE_HANDLE_REQUEST",
	  .dissectors = { dissect_smb2_DHnQ_buffer_request, dissect_smb2_DHnQ_buffer_response } },
	{ .tag = "DHnC", .val = "SMB2_CREATE_DURABLE_HANDLE_RECONNECT",
	  .dissectors = { dissect_smb2_DHnC_buffer_request, dissect_smb2_DHnC_buffer_response } },
	{ .tag = "DH2Q", .val = "SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2",
	  .dissectors = { dissect_smb2_DH2Q_buffer_request, dissect_smb2_DH2Q_buffer_response } },
	{ .tag = "DH2C", .val = "SMB2_CREATE_DURABLE_HANDLE_RECONNECT_V2",
	  .dissectors = { dissect_smb2_DH2C_buffer_request, dissect_smb2_DH2C_buffer_response } },
	{ .tag = "TWrp", .val = "SMB2_CREATE_TIMEWARP_TOKEN",
	  .dissectors = { dissect_smb2_TWrp_buffer_request, dissect_smb2_TWrp_buffer_response } },
	{ .tag = "QFid", .val = "SMB2_CREATE_QUERY_ON_DISK_ID",
	  .dissectors = { dissect_smb2_QFid_buffer_request, dissect_smb2_QFid_buffer_response } },
	{ .tag = "RqLs", .val = "SMB2_CREATE_REQUEST_LEASE",
	  .dissectors = { dissect_smb2_RqLs_buffer_request, dissect_smb2_RqLs_buffer_response } },
	{ .tag = "744D142E-46FA-0890-4AF7-A7EF6AA6BC45", .val = "SMB2_CREATE_APP_INSTANCE_ID",
	  .dissectors = { dissect_smb2_APP_INSTANCE_buffer_request, dissect_smb2_APP_INSTANCE_buffer_response } },
	{ .tag = "6aa6bc45-a7ef-4af7-9008-fa462e144d74", .val = "SMB2_CREATE_APP_INSTANCE_ID",
	  .dissectors = { dissect_smb2_APP_INSTANCE_buffer_request, dissect_smb2_APP_INSTANCE_buffer_response } },
	{ .tag = "9ecfcb9c-c104-43e6-980e-158da1f6ec83", .val = "SVHDX_OPEN_DEVICE_CONTEXT",
	  .dissectors = { dissect_smb2_svhdx_open_device_context, dissect_smb2_svhdx_open_device_context } },
	{ .tag = "b7d082b9-563b-4f07-a07b-524a8116a010", .val = "SMB2_CREATE_APP_INSTANCE_VERSION",
	  .dissectors = { dissect_smb2_app_instance_version_buffer_request, dissect_smb2_app_instance_version_buffer_response } },
	{ .tag = "5025ad93-b49c-e711-b423-83de968bcd7c", .val = "SMB2_POSIX_CREATE_CONTEXT",
	  .dissectors = { dissect_smb2_posix_buffer_request, dissect_smb2_posix_buffer_response } },
	{ .tag = "AAPL", .val = "SMB2_AAPL_CREATE_CONTEXT",
	  .dissectors = { dissect_smb2_AAPL_buffer_request, dissect_smb2_AAPL_buffer_response } },
};
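/*
 * Look up the table row for a create-context tag.
 *
 * tag is the tag string taken from the packet (a 4-character name or a
 * GUID in string form); the match is an exact, case-sensitive strcmp().
 *
 * Returns the matching row of create_context_dissectors_array, or a
 * pointer to a static "<invalid>" row whose request and response
 * dissectors are both NULL.  The result is never NULL.
 *
 * A NULL tag is treated as unknown instead of being passed to strcmp().
 * The tag is produced from packet data by a helper defined elsewhere in
 * the file; presumably that helper can return NULL for a bad
 * offset/length - TODO confirm.
 */
static struct create_context_data_tag_dissectors*
get_create_context_data_tag_dissectors(const char *tag)
{
	static struct create_context_data_tag_dissectors INVALID = {
		NULL, "<invalid>", { NULL, NULL }
	};

	size_t i;

	if (tag == NULL) {
		return &INVALID;
	}

	for (i = 0; i<array_length(create_context_dissectors_array); i++) {
		if (!strcmp(tag, create_context_dissectors_array[i].tag))
			return &create_context_dissectors_array[i];
	}
	return &INVALID;
}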
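/*
 * Dissect one element of an SMB2 create-context chain, then recurse into
 * the next element while the element's chain offset is non-zero.
 *
 * Element header as read here:
 *    4 - chain offset (from the start of this element to the next one)
 *    tag offset/length, data offset/length (OLB_O_UINT16_S_UINT32 each)
 *
 * The chain offset is kept at its full 32-bit width.  Storing it in a
 * 16-bit variable drops the upper half, so a packet whose offset is
 * 0x10000 or larger would be walked differently here than by an endpoint
 * that honours all 32 bits, and the tree would show a chain that is not the
 * one actually processed.  An offset that cannot fit in an int is treated
 * as out of bounds.
 *
 * Recursion depth is tracked with increment_dissection_depth() and
 * decrement_dissection_depth().
 */
static void
// NOLINTNEXTLINE(misc-no-recursion)
dissect_smb2_create_extra_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, smb2_info_t *si)
{
	offset_length_buffer_t  tag_olb;
	offset_length_buffer_t  data_olb;
	const uint8_t *tag;
	uint32_t    chain_offset;
	int         offset      = 0;
	int         len         = -1;
	proto_item *sub_item;
	proto_tree *sub_tree;
	proto_item *parent_item = NULL;
	create_context_data_dissectors_t *dissectors = NULL;
	create_context_data_dissector_t   dissector  = NULL;
	struct create_context_data_tag_dissectors *tag_dissectors;

	chain_offset = tvb_get_letohl(tvb, offset);
	if (chain_offset > (uint32_t)INT32_MAX) {
		/* Cannot lie inside the buffer; keep it away from the signed offset parameters below. */
		THROW(ReportedBoundsError);
	}
	if (chain_offset) {
		len = (int)chain_offset;
	}

	sub_tree = proto_tree_add_subtree(parent_tree, tvb, offset, len, ett_smb2_create_chain_element, &sub_item, "Chain Element");
	parent_item = proto_tree_get_parent(parent_tree);

	/* chain offset */
	proto_tree_add_item(sub_tree, hf_smb2_create_chain_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* tag offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &tag_olb, OLB_O_UINT16_S_UINT32, hf_smb2_tag);

	/* data offset/length */
	dissect_smb2_olb_length_offset(tvb, offset, &data_olb, OLB_O_UINT16_S_UINT32, hf_smb2_create_chain_data);

	/*
	 * These things are all either 4-char strings, like DH2C, or GUIDs,
	 * however, at least one of them appears to be a GUID as a string and
	 * one appears to be a binary guid. So, check if the length is
	 * 16, and if so, pull the GUID and convert it to a string. Otherwise
	 * call dissect_smb2_olb_string.
	 */
	if (tag_olb.len == 16) {
		e_guid_t tag_guid;
		proto_item *tag_item;
		proto_tree *tag_tree;

		tvb_get_letohguid(tvb, tag_olb.off, &tag_guid);
		tag = guid_to_str(pinfo->pool, &tag_guid);

		tag_item = proto_tree_add_string(sub_tree, tag_olb.hfindex, tvb, tag_olb.off, tag_olb.len, tag);
		tag_tree = proto_item_add_subtree(tag_item, ett_smb2_olb);
		proto_tree_add_item(tag_tree, hf_smb2_olb_offset, tvb, tag_olb.off_offset, 2, ENC_LITTLE_ENDIAN);
		proto_tree_add_item(tag_tree, hf_smb2_olb_length, tvb, tag_olb.len_offset, 2, ENC_LITTLE_ENDIAN);

	} else {
		/* tag string */
		tag = dissect_smb2_olb_string(pinfo, sub_tree, tvb, &tag_olb, OLB_TYPE_ASCII_STRING);
	}

	/*
	 * The string helper is defined outside this function; in case it can
	 * return NULL for a bad offset/length (TODO confirm), fall back to an
	 * empty tag so that the lookup and the "%s" below never see NULL.
	 */
	if (tag == NULL) {
		tag = (const uint8_t *)"";
	}

	tag_dissectors = get_create_context_data_tag_dissectors(tag);

	proto_item_append_text(parent_item, " %s", tag_dissectors->val);
	proto_item_append_text(sub_item, ": %s \"%s\"", tag_dissectors->val, tag);

	/* data: an unknown tag yields a NULL dissector, which is passed on as is */
	dissectors = &tag_dissectors->dissectors;
	dissector = (si->flags & SMB2_FLAGS_RESPONSE) ? dissectors->response : dissectors->request;

	dissect_smb2_olb_buffer(pinfo, sub_tree, tvb, &data_olb, si, dissector);

	if (chain_offset > 0) {
		tvbuff_t *chain_tvb;
		chain_tvb = tvb_new_subset_remaining(tvb, (int)chain_offset);

		/* next extra info */
		increment_dissection_depth(pinfo);
		dissect_smb2_create_extra_info(chain_tvb, pinfo, parent_tree, si);
		decrement_dissection_depth(pinfo);
	}
}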
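/*
 * Dissect an SMB2 CREATE request starting at offset.
 *
 * Adds the fixed fields in wire order, the filename, and the chain of
 * create contexts ("extra info"), and returns the offset just past the
 * furthest of the filename and extra-info buffers.
 *
 * On the first pass over a frame the filename is copied into
 * si->saved->extra_info (file scope) when its on-wire length is below
 * 1024, replacing any filename saved there earlier.
 *
 * The filename comes from packet data through a helper defined outside
 * this function.  In case that helper can return NULL for a bad
 * offset/length (TODO confirm), an empty name is substituted so that
 * strlen() and wmem_strdup() never receive NULL.
 */
static int
dissect_smb2_create_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	offset_length_buffer_t  f_olb, e_olb;
	const uint8_t          *fname;
	proto_item             *item;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* security flags */
	offset++;

	/* oplock */
	offset = dissect_smb2_oplock(tree, tvb, offset);

	/* impersonation level */
	proto_tree_add_item(tree, hf_smb2_impersonation_level, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* create flags */
	proto_tree_add_item(tree, hf_smb2_create_flags, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 8, ENC_NA);
	offset += 8;

	/* access mask */
	offset = dissect_smb_access_mask(tvb, tree, offset);

	/* File Attributes */
	offset = dissect_fscc_file_attr(tvb, tree, offset, NULL);

	/* share access */
	offset = dissect_nt_share_access(tvb, tree, offset);

	/* create disposition */
	proto_tree_add_item(tree, hf_smb2_create_disposition, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* create options */
	offset = dissect_nt_create_options(tvb, tree, offset);

	/* fid hash */
	if (si->saved && si->saved->fid_hash) {
		item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(item);
	}

	/* filename offset/length */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &f_olb, OLB_O_UINT16_S_UINT16, hf_smb2_filename);

	/* extrainfo offset */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &e_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);

	/* filename string */
	fname = dissect_smb2_olb_string(pinfo, tree, tvb, &f_olb, OLB_TYPE_UNICODE_STRING);
	if (fname == NULL) {
		fname = (const uint8_t *)"";
	}
	/* format_text() is applied before the peer-supplied name reaches the Info column */
	col_append_fstr(pinfo->cinfo, COL_INFO, " File: %s",
	    format_text(pinfo->pool, fname, strlen(fname)));

	/* save the name if it looks sane */
	if (!pinfo->fd->visited) {
		if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
			wmem_free(wmem_file_scope(), si->saved->extra_info);
			si->saved->extra_info = NULL;
			si->saved->extra_info_type = SMB2_EI_NONE;
		}
		if (si->saved && f_olb.len < 1024) {
			si->saved->extra_info_type = SMB2_EI_FILENAME;
			si->saved->extra_info = wmem_strdup(wmem_file_scope(), fname);
		}
	}

	/* If extrainfo_offset is non-null then this points to another
	 * buffer. The offset is relative to the start of the smb packet
	 */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &e_olb, si, dissect_smb2_create_extra_info);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &f_olb);
	offset = dissect_smb2_olb_tvb_max_offset(offset, &e_olb);

	return offset;
}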
/* Flag bit of the one-byte flags field of a CREATE response. */
#define SMB2_CREATE_REP_FLAGS_REPARSE_POINT 0x01

/*
 * Dissect an SMB2 CREATE response starting at offset and return the offset
 * just past the extra-info buffer.
 *
 * A non-zero si->status is handed to dissect_smb2_error_response(); when
 * that helper clears continue_dissection its offset is returned at once.
 *
 * The end-of-file value and the attribute mask are stored into
 * si->eo_file_info (when present) after dissect_smb2_fid() has run, and a
 * filename saved by the matching request is freed at the end.
 */
static int
dissect_smb2_create_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	static int * const create_rep_flags_fields[] = {
		&hf_smb2_create_rep_flags_reparse_point,
		NULL
	};
	uint64_t               eof_value;
	uint32_t               file_attrs;
	offset_length_buffer_t extra_olb;
	bool                   continue_dissection;
	proto_item            *hash_item;

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	/* oplock */
	offset = dissect_smb2_oplock(tree, tvb, offset);

	/* flags */
	proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_create_rep_flags,
			       ett_smb2_create_rep_flags, create_rep_flags_fields, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* create action */
	proto_tree_add_item(tree, hf_smb2_create_action, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* create time */
	dissect_nttime(tvb, tree, offset, hf_smb2_create_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last access */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_access_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last write */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_write_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* last change */
	dissect_nttime(tvb, tree, offset, hf_smb2_last_change_timestamp, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* allocation size */
	proto_tree_add_item(tree, hf_smb2_allocation_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* end of file */
	eof_value = tvb_get_letoh64(tvb, offset);
	if (si->eo_file_info) {
		si->eo_file_info->end_of_file = eof_value;
	}
	proto_tree_add_item(tree, hf_smb2_end_of_file, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	offset += 8;

	/* File Attributes */
	offset = dissect_fscc_file_attr(tvb, tree, offset, &file_attrs);

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
	offset += 4;

	/* fid hash */
	if (si->saved && si->saved->fid_hash) {
		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* fid */
	offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_OPEN);

	/* We save this after dissect_smb2_fid just because it would be
	   possible to have this response without having the matching request.
	   In that case the entry in the file info hash table has been created
	   in dissect_smb2_fid */
	if (si->eo_file_info) {
		si->eo_file_info->end_of_file = eof_value;
		si->eo_file_info->attr_mask = file_attrs;
	}

	/* extrainfo offset */
	offset = dissect_smb2_olb_length_offset(tvb, offset, &extra_olb, OLB_O_UINT32_S_UINT32, hf_smb2_extrainfo);

	/* If extrainfo_offset is non-null then this points to another
	 * buffer. The offset is relative to the start of the smb packet
	 */
	dissect_smb2_olb_buffer(pinfo, tree, tvb, &extra_olb, si, dissect_smb2_create_extra_info);

	offset = dissect_smb2_olb_tvb_max_offset(offset, &extra_olb);

	/* free si->saved->extra_info we don't need it any more */
	if (si->saved && si->saved->extra_info_type == SMB2_EI_FILENAME) {
		wmem_free(wmem_file_scope(), si->saved->extra_info);
		si->saved->extra_info = NULL;
		si->saved->extra_info_type = SMB2_EI_NONE;
	}

	return offset;
}
/*
 * Dissect an SMB2 SET_INFO request starting at offset.
 *
 * Adds the fixed header (class/info level, size, offset, reserved,
 * additional information), the file id, and then the info-level payload
 * found at the offset announced in the packet.
 *
 * Returns setinfo_offset + setinfo_size.  Both values are taken from the
 * packet without range checks in this function, and the sum is converted
 * to int - NOTE(review): a very large size presumably yields a negative
 * or wrapped return value; confirm how callers use it.
 */
static int
dissect_smb2_setinfo_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	uint32_t    setinfo_size;
	uint16_t    setinfo_offset;
	proto_item *hash_item;
	bool        is_sec_info;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* class and info level */
	offset = dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);

	/* size */
	setinfo_size = tvb_get_letohl(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_setinfo_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	offset += 4;

	/* offset */
	setinfo_offset = tvb_get_letohs(tvb, offset);
	proto_tree_add_item(tree, hf_smb2_setinfo_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_setinfo_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	is_sec_info = si->saved && si->saved->smb2_class == SMB2_CLASS_SEC_INFO;
	if (!is_sec_info) {
		/* For all other set requests, this field MUST be 0. */
		proto_tree_add_item(tree, hf_smb2_getsetinfo_additional, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;
	} else {
		/* AdditionalInformation (4 bytes): Provides additional information to the server.
		   If security information is being set, this value MUST contain a 4-byte bit field
		   of flags indicating what security attributes MUST be applied. */
		offset = dissect_additional_information_sec_mask(tvb, tree, offset);
	}

	/* fid hash */
	if (si->saved && si->saved->fid_hash) {
		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	/* fid */
	dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

	/* data: class and info level come from the saved request state */
	if (si->saved) {
		dissect_smb2_infolevel(tvb, pinfo, tree, setinfo_offset, si, si->saved->smb2_class, si->saved->infolevel);
	}
	offset = setinfo_offset + setinfo_size;

	return offset;
}
/*
 * Dissect an SMB2 SET_INFO response starting at offset.
 *
 * Shows the class/info level and, when one was saved, the generated file
 * id hash.  A zero status is followed by the buffer code; any other status
 * is handed to dissect_smb2_error_response().  Returns the offset after
 * whichever of the two was dissected.
 */
static int
dissect_smb2_setinfo_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	bool        continue_dissection;
	proto_item *hash_item;

	/* class/infolevel; the helper's return value is not used here */
	dissect_smb2_class_infolevel(pinfo, tvb, offset, tree, si);

	/* fid hash */
	if (si->saved && si->saved->fid_hash) {
		hash_item = proto_tree_add_uint_format(tree, hf_smb2_file_id_hash, tvb, 0, 0,
			si->saved->fid_hash, "File Id Hash: 0x%04x", si->saved->fid_hash);
		proto_item_set_generated(hash_item);
	}

	if (si->status == 0x00000000) {
		/* buffer code */
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &continue_dissection);
		if (!continue_dissection) {
			return offset;
		}
	}

	return offset;
}
/*
 * Dissect an SMB2 OPLOCK_BREAK request (client to server).
 *
 * The structure size in the first two bytes selects the layout: an
 * oplock break acknowledgment or a lease break acknowledgment.  Any
 * other size leaves the remainder of the body undissected.
 *
 * Returns the offset following the last field that was dissected.
 */
static int
dissect_smb2_break_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	/* peek at the structure size before the buffer-code helper consumes it */
	const uint16_t struct_size = tvb_get_letohs(tvb, offset);

	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	if (struct_size == OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE) {
		/* OPLOCK Break */

		/* oplock */
		offset = dissect_smb2_oplock(tree, tvb, offset);

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
		offset += 1;

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
		offset += 4;

		/* fid */
		offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);
	} else if (struct_size == OPLOCK_BREAK_LEASE_ACKNOWLEDGMENT_STRUCTURE_SIZE) {
		/* Lease Break Acknowledgment */

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
		offset += 2;

		/* lease flags */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
				       ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease key */
		proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
		offset += 16;

		/* lease state */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
				       ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease duration */
		proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;
	}

	return offset;
}
/*
 * Dissect an SMB2 OPLOCK_BREAK response / notification (server to client).
 *
 * The structure size is read before the status is examined; it then
 * selects one of three layouts: oplock break notification, lease break
 * notification or lease break response.  A non-zero status is handed
 * to the error-response dissector first.
 *
 * Returns the offset following the last field that was dissected.
 */
static int
dissect_smb2_break_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	bool keep_going;
	/* peek at the structure size; it is consumed by the helpers below */
	const uint16_t struct_size = tvb_get_letohs(tvb, offset);

	if (si->status == 0x00000000) {
		offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);
	} else {
		offset = dissect_smb2_error_response(tvb, pinfo, tree, offset, si, &keep_going);
		if (!keep_going) {
			return offset;
		}
	}

	if (struct_size == OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE) {
		/* OPLOCK Break Notification */

		/* oplock */
		offset = dissect_smb2_oplock(tree, tvb, offset);

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 1, ENC_NA);
		offset += 1;

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);
		offset += 4;

		/* fid */
		offset = dissect_smb2_fid(tvb, pinfo, tree, offset, si, FID_MODE_USE);

		/*
		 * In break requests sent from server to client, 24 zero
		 * bytes follow here.  This is likely a bug in Windows (it may
		 * use 2 * 24 bytes instead of just 1 * 24 bytes); they are
		 * not dissected.
		 */
		return offset;
	}

	if (struct_size == OPLOCK_BREAK_LEASE_NOTIFICATION_STRUCTURE_SIZE) {
		proto_item *state_item;

		/* Lease Break Notification */

		/* new lease epoch */
		proto_tree_add_item(tree, hf_smb2_lease_epoch, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		offset += 2;

		/* lease flags */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
				       ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease key */
		proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
		offset += 16;

		/* current lease state; the same field is used twice, so label it */
		state_item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
						    ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
		if (state_item) {
			proto_item_prepend_text(state_item, "Current ");
		}
		offset += 4;

		/* new lease state */
		state_item = proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
						    ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
		if (state_item) {
			proto_item_prepend_text(state_item, "New ");
		}
		offset += 4;

		/* break reason - reserved */
		proto_tree_add_item(tree, hf_smb2_lease_break_reason, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* access mask hint - reserved */
		proto_tree_add_item(tree, hf_smb2_lease_access_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* share mask hint - reserved */
		proto_tree_add_item(tree, hf_smb2_lease_share_mask_hint, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		offset += 4;

		return offset;
	}

	if (struct_size == OPLOCK_BREAK_LEASE_RESPONSE_STRUCTURE_SIZE) {
		/* Lease Break Response */

		/* reserved */
		proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
		offset += 2;

		/* lease flags */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_flags,
				       ett_smb2_lease_flags, lease_flags_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease key */
		proto_tree_add_item(tree, hf_smb2_lease_key, tvb, offset, 16, ENC_LITTLE_ENDIAN);
		offset += 16;

		/* lease state */
		proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_lease_state,
				       ett_smb2_lease_state, lease_state_fields, ENC_LITTLE_ENDIAN);
		offset += 4;

		/* lease duration */
		proto_tree_add_item(tree, hf_smb2_lease_duration, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		offset += 8;

		return offset;
	}

	return offset;
}
/*
 * Dissect the payload of a "session closed" server notification.
 *
 * Adds a "Notification" subtree that runs to the end of the tvb
 * (length -1) and shows the 4 reserved bytes the payload consists of.
 * pinfo and si are unused.
 *
 * Returns the offset following the reserved field.
 */
static int
dissect_smb2_notify_session_closed(tvbuff_t *tvb, proto_tree *parent_tree, packet_info *pinfo _U_, int offset, smb2_info_t *si _U_)
{
	proto_tree *notif_tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1,
							ett_smb2_server_notification, NULL, "Notification");

	/* reserved */
	proto_tree_add_item(notif_tree, hf_smb2_reserved, tvb, offset, 4, ENC_NA);

	return offset + 4;
}
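/*
 * Dissect an SMB2 server-to-client notification.
 *
 * Layout handled here: buffer code, 2 reserved bytes, a 4-byte
 * notification type, then the type-specific payload.
 *
 * Returns the offset following the dissected payload.
 */
static int
dissect_smb2_server_to_client_notification(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si)
{
	uint32_t notification_type;

	/* buffer code */
	offset = dissect_smb2_buffercode(tree, tvb, offset, NULL);

	/* reserved */
	proto_tree_add_item(tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
	offset += 2;

	/*
	 * notification type
	 *
	 * SMB2 integers are little-endian on the wire.  ENC_NA has the same
	 * value as ENC_BIG_ENDIAN, so fetching this 4-byte integer with it
	 * would byte-swap every non-zero type; only the value 0 decodes the
	 * same either way.
	 */
	proto_tree_add_item_ret_uint(tree, hf_smb2_notification_type, tvb, offset, 4, ENC_LITTLE_ENDIAN, &notification_type);
	offset += 4;

	switch (notification_type) {
	case NOTIFY_SESSION_CLOSED:
	default:
		/* unknown types are shown with the session-closed layout */
		offset = dissect_smb2_notify_session_closed(tvb, tree, pinfo, offset, si);
		break;
	}

	return offset;
}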
10454 /* names here are just until we find better names for these functions */
10455 static const value_string smb2_cmd_vals
[] = {
10456 { 0x00, "Negotiate Protocol" },
10457 { 0x01, "Session Setup" },
10458 { 0x02, "Session Logoff" },
10459 { 0x03, "Tree Connect" },
10460 { 0x04, "Tree Disconnect" },
10461 { 0x05, "Create" },
10468 { 0x0C, "Cancel" },
10469 { 0x0D, "KeepAlive" },
10471 { 0x0F, "Notify" },
10472 { 0x10, "GetInfo" },
10473 { 0x11, "SetInfo" },
10475 { 0x13, "Server notification" },
10476 { 0x14, "unknown-0x14" },
10477 { 0x15, "unknown-0x15" },
10478 { 0x16, "unknown-0x16" },
10479 { 0x17, "unknown-0x17" },
10480 { 0x18, "unknown-0x18" },
10481 { 0x19, "unknown-0x19" },
10482 { 0x1A, "unknown-0x1A" },
10483 { 0x1B, "unknown-0x1B" },
10484 { 0x1C, "unknown-0x1C" },
10485 { 0x1D, "unknown-0x1D" },
10486 { 0x1E, "unknown-0x1E" },
10487 { 0x1F, "unknown-0x1F" },
10488 { 0x20, "unknown-0x20" },
10489 { 0x21, "unknown-0x21" },
10490 { 0x22, "unknown-0x22" },
10491 { 0x23, "unknown-0x23" },
10492 { 0x24, "unknown-0x24" },
10493 { 0x25, "unknown-0x25" },
10494 { 0x26, "unknown-0x26" },
10495 { 0x27, "unknown-0x27" },
10496 { 0x28, "unknown-0x28" },
10497 { 0x29, "unknown-0x29" },
10498 { 0x2A, "unknown-0x2A" },
10499 { 0x2B, "unknown-0x2B" },
10500 { 0x2C, "unknown-0x2C" },
10501 { 0x2D, "unknown-0x2D" },
10502 { 0x2E, "unknown-0x2E" },
10503 { 0x2F, "unknown-0x2F" },
10504 { 0x30, "unknown-0x30" },
10505 { 0x31, "unknown-0x31" },
10506 { 0x32, "unknown-0x32" },
10507 { 0x33, "unknown-0x33" },
10508 { 0x34, "unknown-0x34" },
10509 { 0x35, "unknown-0x35" },
10510 { 0x36, "unknown-0x36" },
10511 { 0x37, "unknown-0x37" },
10512 { 0x38, "unknown-0x38" },
10513 { 0x39, "unknown-0x39" },
10514 { 0x3A, "unknown-0x3A" },
10515 { 0x3B, "unknown-0x3B" },
10516 { 0x3C, "unknown-0x3C" },
10517 { 0x3D, "unknown-0x3D" },
10518 { 0x3E, "unknown-0x3E" },
10519 { 0x3F, "unknown-0x3F" },
10520 { 0x40, "unknown-0x40" },
10521 { 0x41, "unknown-0x41" },
10522 { 0x42, "unknown-0x42" },
10523 { 0x43, "unknown-0x43" },
10524 { 0x44, "unknown-0x44" },
10525 { 0x45, "unknown-0x45" },
10526 { 0x46, "unknown-0x46" },
10527 { 0x47, "unknown-0x47" },
10528 { 0x48, "unknown-0x48" },
10529 { 0x49, "unknown-0x49" },
10530 { 0x4A, "unknown-0x4A" },
10531 { 0x4B, "unknown-0x4B" },
10532 { 0x4C, "unknown-0x4C" },
10533 { 0x4D, "unknown-0x4D" },
10534 { 0x4E, "unknown-0x4E" },
10535 { 0x4F, "unknown-0x4F" },
10536 { 0x50, "unknown-0x50" },
10537 { 0x51, "unknown-0x51" },
10538 { 0x52, "unknown-0x52" },
10539 { 0x53, "unknown-0x53" },
10540 { 0x54, "unknown-0x54" },
10541 { 0x55, "unknown-0x55" },
10542 { 0x56, "unknown-0x56" },
10543 { 0x57, "unknown-0x57" },
10544 { 0x58, "unknown-0x58" },
10545 { 0x59, "unknown-0x59" },
10546 { 0x5A, "unknown-0x5A" },
10547 { 0x5B, "unknown-0x5B" },
10548 { 0x5C, "unknown-0x5C" },
10549 { 0x5D, "unknown-0x5D" },
10550 { 0x5E, "unknown-0x5E" },
10551 { 0x5F, "unknown-0x5F" },
10552 { 0x60, "unknown-0x60" },
10553 { 0x61, "unknown-0x61" },
10554 { 0x62, "unknown-0x62" },
10555 { 0x63, "unknown-0x63" },
10556 { 0x64, "unknown-0x64" },
10557 { 0x65, "unknown-0x65" },
10558 { 0x66, "unknown-0x66" },
10559 { 0x67, "unknown-0x67" },
10560 { 0x68, "unknown-0x68" },
10561 { 0x69, "unknown-0x69" },
10562 { 0x6A, "unknown-0x6A" },
10563 { 0x6B, "unknown-0x6B" },
10564 { 0x6C, "unknown-0x6C" },
10565 { 0x6D, "unknown-0x6D" },
10566 { 0x6E, "unknown-0x6E" },
10567 { 0x6F, "unknown-0x6F" },
10568 { 0x70, "unknown-0x70" },
10569 { 0x71, "unknown-0x71" },
10570 { 0x72, "unknown-0x72" },
10571 { 0x73, "unknown-0x73" },
10572 { 0x74, "unknown-0x74" },
10573 { 0x75, "unknown-0x75" },
10574 { 0x76, "unknown-0x76" },
10575 { 0x77, "unknown-0x77" },
10576 { 0x78, "unknown-0x78" },
10577 { 0x79, "unknown-0x79" },
10578 { 0x7A, "unknown-0x7A" },
10579 { 0x7B, "unknown-0x7B" },
10580 { 0x7C, "unknown-0x7C" },
10581 { 0x7D, "unknown-0x7D" },
10582 { 0x7E, "unknown-0x7E" },
10583 { 0x7F, "unknown-0x7F" },
10584 { 0x80, "unknown-0x80" },
10585 { 0x81, "unknown-0x81" },
10586 { 0x82, "unknown-0x82" },
10587 { 0x83, "unknown-0x83" },
10588 { 0x84, "unknown-0x84" },
10589 { 0x85, "unknown-0x85" },
10590 { 0x86, "unknown-0x86" },
10591 { 0x87, "unknown-0x87" },
10592 { 0x88, "unknown-0x88" },
10593 { 0x89, "unknown-0x89" },
10594 { 0x8A, "unknown-0x8A" },
10595 { 0x8B, "unknown-0x8B" },
10596 { 0x8C, "unknown-0x8C" },
10597 { 0x8D, "unknown-0x8D" },
10598 { 0x8E, "unknown-0x8E" },
10599 { 0x8F, "unknown-0x8F" },
10600 { 0x90, "unknown-0x90" },
10601 { 0x91, "unknown-0x91" },
10602 { 0x92, "unknown-0x92" },
10603 { 0x93, "unknown-0x93" },
10604 { 0x94, "unknown-0x94" },
10605 { 0x95, "unknown-0x95" },
10606 { 0x96, "unknown-0x96" },
10607 { 0x97, "unknown-0x97" },
10608 { 0x98, "unknown-0x98" },
10609 { 0x99, "unknown-0x99" },
10610 { 0x9A, "unknown-0x9A" },
10611 { 0x9B, "unknown-0x9B" },
10612 { 0x9C, "unknown-0x9C" },
10613 { 0x9D, "unknown-0x9D" },
10614 { 0x9E, "unknown-0x9E" },
10615 { 0x9F, "unknown-0x9F" },
10616 { 0xA0, "unknown-0xA0" },
10617 { 0xA1, "unknown-0xA1" },
10618 { 0xA2, "unknown-0xA2" },
10619 { 0xA3, "unknown-0xA3" },
10620 { 0xA4, "unknown-0xA4" },
10621 { 0xA5, "unknown-0xA5" },
10622 { 0xA6, "unknown-0xA6" },
10623 { 0xA7, "unknown-0xA7" },
10624 { 0xA8, "unknown-0xA8" },
10625 { 0xA9, "unknown-0xA9" },
10626 { 0xAA, "unknown-0xAA" },
10627 { 0xAB, "unknown-0xAB" },
10628 { 0xAC, "unknown-0xAC" },
10629 { 0xAD, "unknown-0xAD" },
10630 { 0xAE, "unknown-0xAE" },
10631 { 0xAF, "unknown-0xAF" },
10632 { 0xB0, "unknown-0xB0" },
10633 { 0xB1, "unknown-0xB1" },
10634 { 0xB2, "unknown-0xB2" },
10635 { 0xB3, "unknown-0xB3" },
10636 { 0xB4, "unknown-0xB4" },
10637 { 0xB5, "unknown-0xB5" },
10638 { 0xB6, "unknown-0xB6" },
10639 { 0xB7, "unknown-0xB7" },
10640 { 0xB8, "unknown-0xB8" },
10641 { 0xB9, "unknown-0xB9" },
10642 { 0xBA, "unknown-0xBA" },
10643 { 0xBB, "unknown-0xBB" },
10644 { 0xBC, "unknown-0xBC" },
10645 { 0xBD, "unknown-0xBD" },
10646 { 0xBE, "unknown-0xBE" },
10647 { 0xBF, "unknown-0xBF" },
10648 { 0xC0, "unknown-0xC0" },
10649 { 0xC1, "unknown-0xC1" },
10650 { 0xC2, "unknown-0xC2" },
10651 { 0xC3, "unknown-0xC3" },
10652 { 0xC4, "unknown-0xC4" },
10653 { 0xC5, "unknown-0xC5" },
10654 { 0xC6, "unknown-0xC6" },
10655 { 0xC7, "unknown-0xC7" },
10656 { 0xC8, "unknown-0xC8" },
10657 { 0xC9, "unknown-0xC9" },
10658 { 0xCA, "unknown-0xCA" },
10659 { 0xCB, "unknown-0xCB" },
10660 { 0xCC, "unknown-0xCC" },
10661 { 0xCD, "unknown-0xCD" },
10662 { 0xCE, "unknown-0xCE" },
10663 { 0xCF, "unknown-0xCF" },
10664 { 0xD0, "unknown-0xD0" },
10665 { 0xD1, "unknown-0xD1" },
10666 { 0xD2, "unknown-0xD2" },
10667 { 0xD3, "unknown-0xD3" },
10668 { 0xD4, "unknown-0xD4" },
10669 { 0xD5, "unknown-0xD5" },
10670 { 0xD6, "unknown-0xD6" },
10671 { 0xD7, "unknown-0xD7" },
10672 { 0xD8, "unknown-0xD8" },
10673 { 0xD9, "unknown-0xD9" },
10674 { 0xDA, "unknown-0xDA" },
10675 { 0xDB, "unknown-0xDB" },
10676 { 0xDC, "unknown-0xDC" },
10677 { 0xDD, "unknown-0xDD" },
10678 { 0xDE, "unknown-0xDE" },
10679 { 0xDF, "unknown-0xDF" },
10680 { 0xE0, "unknown-0xE0" },
10681 { 0xE1, "unknown-0xE1" },
10682 { 0xE2, "unknown-0xE2" },
10683 { 0xE3, "unknown-0xE3" },
10684 { 0xE4, "unknown-0xE4" },
10685 { 0xE5, "unknown-0xE5" },
10686 { 0xE6, "unknown-0xE6" },
10687 { 0xE7, "unknown-0xE7" },
10688 { 0xE8, "unknown-0xE8" },
10689 { 0xE9, "unknown-0xE9" },
10690 { 0xEA, "unknown-0xEA" },
10691 { 0xEB, "unknown-0xEB" },
10692 { 0xEC, "unknown-0xEC" },
10693 { 0xED, "unknown-0xED" },
10694 { 0xEE, "unknown-0xEE" },
10695 { 0xEF, "unknown-0xEF" },
10696 { 0xF0, "unknown-0xF0" },
10697 { 0xF1, "unknown-0xF1" },
10698 { 0xF2, "unknown-0xF2" },
10699 { 0xF3, "unknown-0xF3" },
10700 { 0xF4, "unknown-0xF4" },
10701 { 0xF5, "unknown-0xF5" },
10702 { 0xF6, "unknown-0xF6" },
10703 { 0xF7, "unknown-0xF7" },
10704 { 0xF8, "unknown-0xF8" },
10705 { 0xF9, "unknown-0xF9" },
10706 { 0xFA, "unknown-0xFA" },
10707 { 0xFB, "unknown-0xFB" },
10708 { 0xFC, "unknown-0xFC" },
10709 { 0xFD, "unknown-0xFD" },
10710 { 0xFE, "unknown-0xFE" },
10711 { 0xFF, "unknown-0xFF" },
/* Extended value_string built over smb2_cmd_vals with VALUE_STRING_EXT_INIT. */
value_string_ext smb2_cmd_vals_ext = VALUE_STRING_EXT_INIT(smb2_cmd_vals);
/*
 * Map an SMB2 command code to its display name.
 *
 * The name is fetched by indexing smb2_cmd_vals directly instead of
 * searching it, so this relies on entry N of that table describing
 * opcode N for every value 0x00-0xFF.  Codes above 0xFF are rejected
 * before the table is touched and yield "unknown".
 */
static const char *decode_smb2_name(uint16_t cmd)
{
	return (cmd <= 0xFF) ? smb2_cmd_vals[cmd].strptr : "unknown";
}
10722 static const smb2_function smb2_dissector
[256] = {
10723 /* 0x00 NegotiateProtocol*/
10724 {dissect_smb2_negotiate_protocol_request
,
10725 dissect_smb2_negotiate_protocol_response
},
10726 /* 0x01 SessionSetup*/
10727 {dissect_smb2_session_setup_request
,
10728 dissect_smb2_session_setup_response
},
10729 /* 0x02 SessionLogoff*/
10730 {dissect_smb2_sessionlogoff_request
,
10731 dissect_smb2_sessionlogoff_response
},
10732 /* 0x03 TreeConnect*/
10733 {dissect_smb2_tree_connect_request
,
10734 dissect_smb2_tree_connect_response
},
10735 /* 0x04 TreeDisconnect*/
10736 {dissect_smb2_tree_disconnect_request
,
10737 dissect_smb2_tree_disconnect_response
},
10739 {dissect_smb2_create_request
,
10740 dissect_smb2_create_response
},
10742 {dissect_smb2_close_request
,
10743 dissect_smb2_close_response
},
10745 {dissect_smb2_flush_request
,
10746 dissect_smb2_flush_response
},
10748 {dissect_smb2_read_request
,
10749 dissect_smb2_read_response
},
10751 {dissect_smb2_write_request
,
10752 dissect_smb2_write_response
},
10754 {dissect_smb2_lock_request
,
10755 dissect_smb2_lock_response
},
10757 {dissect_smb2_ioctl_request
,
10758 dissect_smb2_ioctl_response
},
10760 {dissect_smb2_cancel_request
,
10762 /* 0x0d KeepAlive*/
10763 {dissect_smb2_keepalive_request
,
10764 dissect_smb2_keepalive_response
},
10766 {dissect_smb2_find_request
,
10767 dissect_smb2_find_response
},
10769 {dissect_smb2_notify_request
,
10770 dissect_smb2_notify_response
},
10772 {dissect_smb2_getinfo_request
,
10773 dissect_smb2_getinfo_response
},
10775 {dissect_smb2_setinfo_request
,
10776 dissect_smb2_setinfo_response
},
10778 {dissect_smb2_break_request
,
10779 dissect_smb2_break_response
},
10780 /* 0x13 Server to client notification */
10782 dissect_smb2_server_to_client_notification
},
10783 /* 0x14 */ {NULL
, NULL
},
10784 /* 0x15 */ {NULL
, NULL
},
10785 /* 0x16 */ {NULL
, NULL
},
10786 /* 0x17 */ {NULL
, NULL
},
10787 /* 0x18 */ {NULL
, NULL
},
10788 /* 0x19 */ {NULL
, NULL
},
10789 /* 0x1a */ {NULL
, NULL
},
10790 /* 0x1b */ {NULL
, NULL
},
10791 /* 0x1c */ {NULL
, NULL
},
10792 /* 0x1d */ {NULL
, NULL
},
10793 /* 0x1e */ {NULL
, NULL
},
10794 /* 0x1f */ {NULL
, NULL
},
10795 /* 0x20 */ {NULL
, NULL
},
10796 /* 0x21 */ {NULL
, NULL
},
10797 /* 0x22 */ {NULL
, NULL
},
10798 /* 0x23 */ {NULL
, NULL
},
10799 /* 0x24 */ {NULL
, NULL
},
10800 /* 0x25 */ {NULL
, NULL
},
10801 /* 0x26 */ {NULL
, NULL
},
10802 /* 0x27 */ {NULL
, NULL
},
10803 /* 0x28 */ {NULL
, NULL
},
10804 /* 0x29 */ {NULL
, NULL
},
10805 /* 0x2a */ {NULL
, NULL
},
10806 /* 0x2b */ {NULL
, NULL
},
10807 /* 0x2c */ {NULL
, NULL
},
10808 /* 0x2d */ {NULL
, NULL
},
10809 /* 0x2e */ {NULL
, NULL
},
10810 /* 0x2f */ {NULL
, NULL
},
10811 /* 0x30 */ {NULL
, NULL
},
10812 /* 0x31 */ {NULL
, NULL
},
10813 /* 0x32 */ {NULL
, NULL
},
10814 /* 0x33 */ {NULL
, NULL
},
10815 /* 0x34 */ {NULL
, NULL
},
10816 /* 0x35 */ {NULL
, NULL
},
10817 /* 0x36 */ {NULL
, NULL
},
10818 /* 0x37 */ {NULL
, NULL
},
10819 /* 0x38 */ {NULL
, NULL
},
10820 /* 0x39 */ {NULL
, NULL
},
10821 /* 0x3a */ {NULL
, NULL
},
10822 /* 0x3b */ {NULL
, NULL
},
10823 /* 0x3c */ {NULL
, NULL
},
10824 /* 0x3d */ {NULL
, NULL
},
10825 /* 0x3e */ {NULL
, NULL
},
10826 /* 0x3f */ {NULL
, NULL
},
10827 /* 0x40 */ {NULL
, NULL
},
10828 /* 0x41 */ {NULL
, NULL
},
10829 /* 0x42 */ {NULL
, NULL
},
10830 /* 0x43 */ {NULL
, NULL
},
10831 /* 0x44 */ {NULL
, NULL
},
10832 /* 0x45 */ {NULL
, NULL
},
10833 /* 0x46 */ {NULL
, NULL
},
10834 /* 0x47 */ {NULL
, NULL
},
10835 /* 0x48 */ {NULL
, NULL
},
10836 /* 0x49 */ {NULL
, NULL
},
10837 /* 0x4a */ {NULL
, NULL
},
10838 /* 0x4b */ {NULL
, NULL
},
10839 /* 0x4c */ {NULL
, NULL
},
10840 /* 0x4d */ {NULL
, NULL
},
10841 /* 0x4e */ {NULL
, NULL
},
10842 /* 0x4f */ {NULL
, NULL
},
10843 /* 0x50 */ {NULL
, NULL
},
10844 /* 0x51 */ {NULL
, NULL
},
10845 /* 0x52 */ {NULL
, NULL
},
10846 /* 0x53 */ {NULL
, NULL
},
10847 /* 0x54 */ {NULL
, NULL
},
10848 /* 0x55 */ {NULL
, NULL
},
10849 /* 0x56 */ {NULL
, NULL
},
10850 /* 0x57 */ {NULL
, NULL
},
10851 /* 0x58 */ {NULL
, NULL
},
10852 /* 0x59 */ {NULL
, NULL
},
10853 /* 0x5a */ {NULL
, NULL
},
10854 /* 0x5b */ {NULL
, NULL
},
10855 /* 0x5c */ {NULL
, NULL
},
10856 /* 0x5d */ {NULL
, NULL
},
10857 /* 0x5e */ {NULL
, NULL
},
10858 /* 0x5f */ {NULL
, NULL
},
10859 /* 0x60 */ {NULL
, NULL
},
10860 /* 0x61 */ {NULL
, NULL
},
10861 /* 0x62 */ {NULL
, NULL
},
10862 /* 0x63 */ {NULL
, NULL
},
10863 /* 0x64 */ {NULL
, NULL
},
10864 /* 0x65 */ {NULL
, NULL
},
10865 /* 0x66 */ {NULL
, NULL
},
10866 /* 0x67 */ {NULL
, NULL
},
10867 /* 0x68 */ {NULL
, NULL
},
10868 /* 0x69 */ {NULL
, NULL
},
10869 /* 0x6a */ {NULL
, NULL
},
10870 /* 0x6b */ {NULL
, NULL
},
10871 /* 0x6c */ {NULL
, NULL
},
10872 /* 0x6d */ {NULL
, NULL
},
10873 /* 0x6e */ {NULL
, NULL
},
10874 /* 0x6f */ {NULL
, NULL
},
10875 /* 0x70 */ {NULL
, NULL
},
10876 /* 0x71 */ {NULL
, NULL
},
10877 /* 0x72 */ {NULL
, NULL
},
10878 /* 0x73 */ {NULL
, NULL
},
10879 /* 0x74 */ {NULL
, NULL
},
10880 /* 0x75 */ {NULL
, NULL
},
10881 /* 0x76 */ {NULL
, NULL
},
10882 /* 0x77 */ {NULL
, NULL
},
10883 /* 0x78 */ {NULL
, NULL
},
10884 /* 0x79 */ {NULL
, NULL
},
10885 /* 0x7a */ {NULL
, NULL
},
10886 /* 0x7b */ {NULL
, NULL
},
10887 /* 0x7c */ {NULL
, NULL
},
10888 /* 0x7d */ {NULL
, NULL
},
10889 /* 0x7e */ {NULL
, NULL
},
10890 /* 0x7f */ {NULL
, NULL
},
10891 /* 0x80 */ {NULL
, NULL
},
10892 /* 0x81 */ {NULL
, NULL
},
10893 /* 0x82 */ {NULL
, NULL
},
10894 /* 0x83 */ {NULL
, NULL
},
10895 /* 0x84 */ {NULL
, NULL
},
10896 /* 0x85 */ {NULL
, NULL
},
10897 /* 0x86 */ {NULL
, NULL
},
10898 /* 0x87 */ {NULL
, NULL
},
10899 /* 0x88 */ {NULL
, NULL
},
10900 /* 0x89 */ {NULL
, NULL
},
10901 /* 0x8a */ {NULL
, NULL
},
10902 /* 0x8b */ {NULL
, NULL
},
10903 /* 0x8c */ {NULL
, NULL
},
10904 /* 0x8d */ {NULL
, NULL
},
10905 /* 0x8e */ {NULL
, NULL
},
10906 /* 0x8f */ {NULL
, NULL
},
10907 /* 0x90 */ {NULL
, NULL
},
10908 /* 0x91 */ {NULL
, NULL
},
10909 /* 0x92 */ {NULL
, NULL
},
10910 /* 0x93 */ {NULL
, NULL
},
10911 /* 0x94 */ {NULL
, NULL
},
10912 /* 0x95 */ {NULL
, NULL
},
10913 /* 0x96 */ {NULL
, NULL
},
10914 /* 0x97 */ {NULL
, NULL
},
10915 /* 0x98 */ {NULL
, NULL
},
10916 /* 0x99 */ {NULL
, NULL
},
10917 /* 0x9a */ {NULL
, NULL
},
10918 /* 0x9b */ {NULL
, NULL
},
10919 /* 0x9c */ {NULL
, NULL
},
10920 /* 0x9d */ {NULL
, NULL
},
10921 /* 0x9e */ {NULL
, NULL
},
10922 /* 0x9f */ {NULL
, NULL
},
10923 /* 0xa0 */ {NULL
, NULL
},
10924 /* 0xa1 */ {NULL
, NULL
},
10925 /* 0xa2 */ {NULL
, NULL
},
10926 /* 0xa3 */ {NULL
, NULL
},
10927 /* 0xa4 */ {NULL
, NULL
},
10928 /* 0xa5 */ {NULL
, NULL
},
10929 /* 0xa6 */ {NULL
, NULL
},
10930 /* 0xa7 */ {NULL
, NULL
},
10931 /* 0xa8 */ {NULL
, NULL
},
10932 /* 0xa9 */ {NULL
, NULL
},
10933 /* 0xaa */ {NULL
, NULL
},
10934 /* 0xab */ {NULL
, NULL
},
10935 /* 0xac */ {NULL
, NULL
},
10936 /* 0xad */ {NULL
, NULL
},
10937 /* 0xae */ {NULL
, NULL
},
10938 /* 0xaf */ {NULL
, NULL
},
10939 /* 0xb0 */ {NULL
, NULL
},
10940 /* 0xb1 */ {NULL
, NULL
},
10941 /* 0xb2 */ {NULL
, NULL
},
10942 /* 0xb3 */ {NULL
, NULL
},
10943 /* 0xb4 */ {NULL
, NULL
},
10944 /* 0xb5 */ {NULL
, NULL
},
10945 /* 0xb6 */ {NULL
, NULL
},
10946 /* 0xb7 */ {NULL
, NULL
},
10947 /* 0xb8 */ {NULL
, NULL
},
10948 /* 0xb9 */ {NULL
, NULL
},
10949 /* 0xba */ {NULL
, NULL
},
10950 /* 0xbb */ {NULL
, NULL
},
10951 /* 0xbc */ {NULL
, NULL
},
10952 /* 0xbd */ {NULL
, NULL
},
10953 /* 0xbe */ {NULL
, NULL
},
10954 /* 0xbf */ {NULL
, NULL
},
10955 /* 0xc0 */ {NULL
, NULL
},
10956 /* 0xc1 */ {NULL
, NULL
},
10957 /* 0xc2 */ {NULL
, NULL
},
10958 /* 0xc3 */ {NULL
, NULL
},
10959 /* 0xc4 */ {NULL
, NULL
},
10960 /* 0xc5 */ {NULL
, NULL
},
10961 /* 0xc6 */ {NULL
, NULL
},
10962 /* 0xc7 */ {NULL
, NULL
},
10963 /* 0xc8 */ {NULL
, NULL
},
10964 /* 0xc9 */ {NULL
, NULL
},
10965 /* 0xca */ {NULL
, NULL
},
10966 /* 0xcb */ {NULL
, NULL
},
10967 /* 0xcc */ {NULL
, NULL
},
10968 /* 0xcd */ {NULL
, NULL
},
10969 /* 0xce */ {NULL
, NULL
},
10970 /* 0xcf */ {NULL
, NULL
},
10971 /* 0xd0 */ {NULL
, NULL
},
10972 /* 0xd1 */ {NULL
, NULL
},
10973 /* 0xd2 */ {NULL
, NULL
},
10974 /* 0xd3 */ {NULL
, NULL
},
10975 /* 0xd4 */ {NULL
, NULL
},
10976 /* 0xd5 */ {NULL
, NULL
},
10977 /* 0xd6 */ {NULL
, NULL
},
10978 /* 0xd7 */ {NULL
, NULL
},
10979 /* 0xd8 */ {NULL
, NULL
},
10980 /* 0xd9 */ {NULL
, NULL
},
10981 /* 0xda */ {NULL
, NULL
},
10982 /* 0xdb */ {NULL
, NULL
},
10983 /* 0xdc */ {NULL
, NULL
},
10984 /* 0xdd */ {NULL
, NULL
},
10985 /* 0xde */ {NULL
, NULL
},
10986 /* 0xdf */ {NULL
, NULL
},
10987 /* 0xe0 */ {NULL
, NULL
},
10988 /* 0xe1 */ {NULL
, NULL
},
10989 /* 0xe2 */ {NULL
, NULL
},
10990 /* 0xe3 */ {NULL
, NULL
},
10991 /* 0xe4 */ {NULL
, NULL
},
10992 /* 0xe5 */ {NULL
, NULL
},
10993 /* 0xe6 */ {NULL
, NULL
},
10994 /* 0xe7 */ {NULL
, NULL
},
10995 /* 0xe8 */ {NULL
, NULL
},
10996 /* 0xe9 */ {NULL
, NULL
},
10997 /* 0xea */ {NULL
, NULL
},
10998 /* 0xeb */ {NULL
, NULL
},
10999 /* 0xec */ {NULL
, NULL
},
11000 /* 0xed */ {NULL
, NULL
},
11001 /* 0xee */ {NULL
, NULL
},
11002 /* 0xef */ {NULL
, NULL
},
11003 /* 0xf0 */ {NULL
, NULL
},
11004 /* 0xf1 */ {NULL
, NULL
},
11005 /* 0xf2 */ {NULL
, NULL
},
11006 /* 0xf3 */ {NULL
, NULL
},
11007 /* 0xf4 */ {NULL
, NULL
},
11008 /* 0xf5 */ {NULL
, NULL
},
11009 /* 0xf6 */ {NULL
, NULL
},
11010 /* 0xf7 */ {NULL
, NULL
},
11011 /* 0xf8 */ {NULL
, NULL
},
11012 /* 0xf9 */ {NULL
, NULL
},
11013 /* 0xfa */ {NULL
, NULL
},
11014 /* 0xfb */ {NULL
, NULL
},
11015 /* 0xfc */ {NULL
, NULL
},
11016 /* 0xfd */ {NULL
, NULL
},
11017 /* 0xfe */ {NULL
, NULL
},
11018 /* 0xff */ {NULL
, NULL
},
11022 #define SMB3_AES128CCM_NONCE 11
11023 #define SMB3_AES128GCM_NONCE 12
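/*
 * Check whether a freshly decrypted buffer starts with an SMB2 header.
 *
 * p    - decrypted bytes
 * size - number of bytes available at p
 *
 * Returns true when the buffer is at least 4 bytes long and begins with
 * SMB2_NORM_HEADER or SMB2_COMP_HEADER followed by the ASCII bytes
 * 'S', 'M', 'B'.
 *
 * All three letters must match.  Callers use this result as the only
 * evidence that a key/cipher guess was right, so accepting a buffer in
 * which just one of the letters matches would let output produced with
 * the wrong key or cipher through far more often and have it dissected
 * as if it were plaintext.
 */
static bool is_decrypted_header_ok(uint8_t *p, size_t size)
{
	if (size < 4) {
		return false;
	}

	if ((p[0] == SMB2_COMP_HEADER || p[0] == SMB2_NORM_HEADER)
	    && p[1] == 'S' && p[2] == 'M' && p[3] == 'B') {
		return true;
	}

	DEBUG("decrypt: bad SMB header");
	return false;
}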
/*
 * Decrypt an SMB3 transform payload in place with libgcrypt.
 *
 * data/data_size - ciphertext on entry, overwritten with the output
 * key             - AES key (AES_KEY_SIZE bytes for the 128-bit ciphers,
 *                   twice that for the 256-bit ones)
 * aad/aad_size    - additional authenticated data
 * nonce           - nonce; SMB3_AES128CCM_NONCE bytes are used for CCM
 *                   and SMB3_AES128GCM_NONCE bytes for GCM, for both
 *                   key sizes
 * alg             - one of the SMB2_CIPHER_AES_* values
 *
 * Returns true when every libgcrypt call succeeded and the output
 * starts with an SMB2 header (is_decrypted_header_ok()); false
 * otherwise, including for an unrecognised alg.
 *
 * Note: the authentication tag is never verified here; there is no
 * gcry_cipher_checktag() call and the tag is not passed in.  Success is
 * therefore judged solely by the header check, and on failure the
 * buffer has usually already been overwritten, so callers must restore
 * the ciphertext before retrying.
 */
static bool
do_decrypt(uint8_t *data,
	   size_t data_size,
	   const uint8_t *key,
	   const uint8_t *aad,
	   int aad_size,
	   const uint8_t *nonce,
	   int alg)
{
	gcry_cipher_hd_t hd = NULL;
	gcry_error_t rc;
	int cipher_mode;
	int cipher_algo;
	size_t nonce_len;
	size_t key_len;

	/* the cipher mode decides how many nonce bytes are used */
	switch (alg) {
	case SMB2_CIPHER_AES_128_CCM:
	case SMB2_CIPHER_AES_256_CCM:
		cipher_mode = GCRY_CIPHER_MODE_CCM;
		nonce_len = SMB3_AES128CCM_NONCE;
		break;
	case SMB2_CIPHER_AES_128_GCM:
	case SMB2_CIPHER_AES_256_GCM:
		cipher_mode = GCRY_CIPHER_MODE_GCM;
		nonce_len = SMB3_AES128GCM_NONCE;
		break;
	default:
		return false;
	}

	/* the key size decides the AES variant */
	if (alg == SMB2_CIPHER_AES_128_CCM || alg == SMB2_CIPHER_AES_128_GCM) {
		cipher_algo = GCRY_CIPHER_AES128;
		key_len = AES_KEY_SIZE;
	} else {
		cipher_algo = GCRY_CIPHER_AES256;
		key_len = AES_KEY_SIZE*2;
	}

	/* Open the cipher */
	rc = gcry_cipher_open(&hd, cipher_algo, cipher_mode, 0);
	if (rc != GPG_ERR_NO_ERROR) {
		DEBUG("GCRY: open %s/%s", gcry_strsource(rc), gcry_strerror(rc));
		return false;
	}

	/* Set the key */
	rc = gcry_cipher_setkey(hd, key, key_len);
	if (rc != GPG_ERR_NO_ERROR) {
		DEBUG("GCRY: setkey %s/%s", gcry_strsource(rc), gcry_strerror(rc));
		goto fail;
	}

	/* Set the initial value */
	rc = gcry_cipher_setiv(hd, nonce, nonce_len);
	if (rc != GPG_ERR_NO_ERROR) {
		DEBUG("GCRY: setiv %s/%s", gcry_strsource(rc), gcry_strerror(rc));
		goto fail;
	}

	/* CCM needs all lengths up front, before any data is fed in */
	if (cipher_mode == GCRY_CIPHER_MODE_CCM) {
		uint64_t ccm_lengths[3];

		ccm_lengths[0] = data_size; /* encrypted length */
		ccm_lengths[1] = aad_size; /* AAD length */
		ccm_lengths[2] = 16; /* tag length (signature size) */

		rc = gcry_cipher_ctl(hd, GCRYCTL_SET_CCM_LENGTHS, ccm_lengths, sizeof(ccm_lengths));
		if (rc != GPG_ERR_NO_ERROR) {
			DEBUG("GCRY: ctl %s/%s", gcry_strsource(rc), gcry_strerror(rc));
			goto fail;
		}
	}

	rc = gcry_cipher_authenticate(hd, aad, aad_size);
	if (rc != GPG_ERR_NO_ERROR) {
		DEBUG("GCRY: auth %s/%s", gcry_strsource(rc), gcry_strerror(rc));
		goto fail;
	}

	/* a NULL input buffer asks libgcrypt to decrypt data in place */
	rc = gcry_cipher_decrypt(hd, data, data_size, NULL, 0);
	if (rc != GPG_ERR_NO_ERROR) {
		DEBUG("GCRY: decrypt %s/%s", gcry_strsource(rc), gcry_strerror(rc));
		goto fail;
	}

	/* Done with the cipher */
	gcry_cipher_close(hd);
	return is_decrypted_header_ok(data, data_size);

fail:
	gcry_cipher_close(hd);
	return false;
}
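/*
 * Restore the ciphertext into data and make one decryption attempt.
 *
 * do_decrypt() works in place and overwrites the buffer even when the
 * result is rejected, so every attempt has to start from a fresh copy
 * of the captured bytes.
 */
static bool
smb2_try_decrypt(tvbuff_t *tvb, int offset, smb2_transform_info_t *sti,
		 uint8_t *data, const uint8_t *key,
		 const uint8_t *aad, int aad_size, int alg)
{
	tvb_memcpy(tvb, data, offset, sti->size);
	return do_decrypt(data, sti->size, key, aad, aad_size, sti->nonce, alg);
}

/*
 * Decrypt the payload of an SMB3 transform (encrypted) message.
 *
 * pinfo      - packet info; supplies the ports and the allocation pool
 * tvb        - buffer holding the transform header and ciphertext
 * offset     - start of the ciphertext (sti->size bytes)
 * offset_aad - start of the additional authenticated data
 * sti        - transform state: size, nonce, session keys, conversation
 *
 * Returns a pinfo->pool allocated buffer with the plaintext, or NULL
 * when the capture is too short or no key/cipher combination produced
 * a buffer that starts with an SMB2 header.  On success the cipher and
 * the port identified as the server's are remembered in sti.
 *
 * The authentication tag is not verified by do_decrypt(), so a
 * non-NULL result means "looks like SMB2", not "authenticated".
 */
static uint8_t *
decrypt_smb_payload(packet_info *pinfo,
		    tvbuff_t *tvb, int offset,
		    int offset_aad,
		    smb2_transform_info_t *sti)
{
	const uint8_t *aad = NULL;
	uint8_t *data = NULL;
	uint8_t *key16 = NULL;
	uint8_t *keys16[2];
	uint8_t *key32 = NULL;
	uint8_t *keys32[2];
	bool ok = false;
	int aad_size;
	int alg = 0; /* placeholder; set by the first attempt */

	/*
	 * AAD is the rest of transform header after the ProtocolID and
	 * Signature: 52 - 4 - 16 bytes.
	 */
	aad_size = 32;

	/* both regions must be fully captured before any pointer is taken */
	if ((unsigned)tvb_captured_length_remaining(tvb, offset) < sti->size)
		return NULL;

	if (tvb_captured_length_remaining(tvb, offset_aad) < aad_size)
		return NULL;

	/* first guess: keys matching the direction we believe this packet has */
	if (pinfo->destport == sti->session->server_port) {
		keys16[0] = sti->session->server_decryption_key16;
		keys16[1] = sti->session->client_decryption_key16;
		keys32[0] = sti->session->server_decryption_key32;
		keys32[1] = sti->session->client_decryption_key32;
	} else {
		keys16[1] = sti->session->server_decryption_key16;
		keys16[0] = sti->session->client_decryption_key16;
		keys32[1] = sti->session->server_decryption_key32;
		keys32[0] = sti->session->client_decryption_key32;
	}

	aad = tvb_get_ptr(tvb, offset_aad, aad_size);
	data = (uint8_t *)tvb_memdup(pinfo->pool, tvb, offset, sti->size);

	/*
	 * In SMB3.0 the transform header had a Algorithm field to
	 * know which type of encryption was used but only CCM was
	 * supported.
	 *
	 * SMB3.1.1 turned that field into a generic "Encrypted" flag
	 * which cannot be used to determine the encryption
	 * type. Instead the type is decided in the NegProt response,
	 * within the Encryption Capability context which should only
	 * have one element. That element is saved in the conversation
	 * struct (si->conv) and checked here.
	 *
	 * If the trace didn't contain NegProt packets, we have to
	 * guess the encryption type by trying them all.
	 *
	 * Similarly, if we don't have unencrypted packets telling us
	 * which host is the server and which host is the client, we
	 * have to guess by trying both keys.
	 */

	DEBUG("dialect 0x%x alg 0x%x conv alg 0x%x", sti->conv->dialect, sti->flags, sti->conv->enc_alg);

	for (unsigned i = 0; i < G_N_ELEMENTS(keys16); i++) {
		bool try_ccm16, try_gcm16;
		bool try_ccm32, try_gcm32;
		try_ccm16 = try_gcm16 = false;
		try_ccm32 = try_gcm32 = false;
		ok = false;

		key16 = keys16[i];
		key32 = keys32[i];

		switch (sti->conv->enc_alg) {
		case SMB2_CIPHER_AES_128_CCM:
			try_ccm16 = true;
			break;
		case SMB2_CIPHER_AES_128_GCM:
			try_gcm16 = true;
			break;
		case SMB2_CIPHER_AES_256_CCM:
			try_ccm32 = true;
			break;
		case SMB2_CIPHER_AES_256_GCM:
			try_gcm32 = true;
			break;
		default:
			/* we don't know, try all */
			try_gcm16 = true;
			try_ccm16 = true;
			try_gcm32 = true;
			try_ccm32 = true;
		}

		/*
		 * Each attempt goes through smb2_try_decrypt() so that it
		 * starts from the captured ciphertext.  Without the refresh,
		 * a CCM attempt that follows a failed GCM attempt would run on
		 * bytes the GCM attempt had already overwritten and could never
		 * succeed.
		 */
		if (try_gcm16) {
			DEBUG("trying AES-128-GCM decryption");
			alg = SMB2_CIPHER_AES_128_GCM;
			ok = smb2_try_decrypt(tvb, offset, sti, data, key16, aad, aad_size, alg);
			if (ok)
				break;
			DEBUG("bad decrypted buffer with AES-128-GCM");
		}
		if (try_ccm16) {
			DEBUG("trying AES-128-CCM decryption");
			alg = SMB2_CIPHER_AES_128_CCM;
			ok = smb2_try_decrypt(tvb, offset, sti, data, key16, aad, aad_size, alg);
			if (ok)
				break;
			DEBUG("bad decrypted buffer with AES-128-CCM");
		}
		if (try_gcm32) {
			DEBUG("trying AES-256-GCM decryption");
			alg = SMB2_CIPHER_AES_256_GCM;
			ok = smb2_try_decrypt(tvb, offset, sti, data, key32, aad, aad_size, alg);
			if (ok)
				break;
			DEBUG("bad decrypted buffer with AES-256-GCM");
		}
		if (try_ccm32) {
			DEBUG("trying AES-256-CCM decryption");
			alg = SMB2_CIPHER_AES_256_CCM;
			ok = smb2_try_decrypt(tvb, offset, sti, data, key32, aad, aad_size, alg);
			if (ok)
				break;
			DEBUG("bad decrypted buffer with AES-256-CCM");
		}
		DEBUG("trying to decrypt with swapped client/server keys");
	}

	if (!ok)
		return NULL;

	/* Remember what worked */
	sti->conv->enc_alg = alg;
	if (key16 == sti->session->server_decryption_key16)
		sti->session->server_port = pinfo->destport;
	else
		sti->session->server_port = pinfo->srcport;

	return data;
}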
/*
 * Append tvb[offset:offset+length] to out.
 *
 * The bytes are obtained with tvb_get_ptr(); nothing is appended when
 * it returns NULL.
 */
static void
append_uncompress_data(wmem_array_t *out, tvbuff_t *tvb, int offset, unsigned length)
{
	const uint8_t *src = tvb_get_ptr(tvb, offset, length);

	if (src != NULL) {
		wmem_array_append(out, src, length);
	}
}
/*
 * Dissect a Pattern_V1 compression payload and, optionally, expand it.
 *
 * tree   - parent tree for the "Pattern" subtree
 * tvb    - buffer holding the payload
 * offset - start of the payload
 * length - length used for the subtree item
 * out    - array receiving the expanded bytes, or NULL to only dissect
 *
 * The payload is a 1-byte pattern, 1 + 2 reserved bytes and a 4-byte
 * repetition count.  The count comes straight from the packet, so the
 * expansion is skipped unless it is below MAX_UNCOMPRESSED_SIZE.
 *
 * NOTE(review): that limit applies to this one payload only.  Whether
 * the total size of `out` across several chained payloads is capped is
 * up to the caller; confirm it is, since every payload can add close
 * to MAX_UNCOMPRESSED_SIZE bytes.
 *
 * Returns the offset following the repetition count.
 */
static int
dissect_smb2_compression_pattern_v1(proto_tree *tree,
				    tvbuff_t *tvb, int offset, int length,
				    wmem_array_t *out)
{
	proto_item *pat_item;
	proto_tree *pat_tree;
	unsigned pattern, times;

	pat_tree = proto_tree_add_subtree_format(tree, tvb, offset, length,
						 ett_smb2_comp_pattern_v1, &pat_item,
						 "Pattern");

	/* pattern byte */
	proto_tree_add_item_ret_uint(pat_tree, hf_smb2_comp_pattern_v1_pattern, tvb, offset, 1, ENC_LITTLE_ENDIAN, &pattern);
	offset += 1;

	/* reserved */
	proto_tree_add_item(pat_tree, hf_smb2_comp_pattern_v1_reserved1, tvb, offset, 1, ENC_LITTLE_ENDIAN);
	offset += 1;

	/* reserved */
	proto_tree_add_item(pat_tree, hf_smb2_comp_pattern_v1_reserved2, tvb, offset, 2, ENC_LITTLE_ENDIAN);
	offset += 2;

	/* repetition count */
	proto_tree_add_item_ret_uint(pat_tree, hf_smb2_comp_pattern_v1_repetitions, tvb, offset, 4, ENC_LITTLE_ENDIAN, &times);
	offset += 4;

	proto_item_append_text(pat_item, " 0x%02x repeated %u times", pattern, times);

	if (out != NULL && times < MAX_UNCOMPRESSED_SIZE) {
		const uint8_t fill = (uint8_t)pattern;
		unsigned remaining = times;

		/* expand one byte at a time */
		while (remaining > 0) {
			wmem_array_append(out, &fill, 1);
			remaining--;
		}
	}

	return offset;
}
/*
 * Dissect one COMPRESSION_PAYLOAD_HEADER of a chained compressed message
 * and append the payload, uncompressed, to `out`.
 *
 * Visible header fields: algorithm (2 bytes), flags (2 bytes), length
 * (4 bytes) and an original payload size (4 bytes), all little-endian.
 * The algorithm selects between a raw copy, one of three LZ
 * decompressors, and the Pattern_V1 expander.
 *
 * NOTE(review): this listing omits some source lines (the gutter numbers
 * skip); the gaps are marked with an ellipsis comment. Presumably they
 * hold the `offset` advances, `break`/`return` statements and the
 * handling of the caller's `ok` flag.
 */
/* ... return type not shown ... */
dissect_smb2_chained_comp_payload(packet_info *pinfo, proto_tree *tree,
				  tvbuff_t *tvb, int offset,
				  /* ... remaining parameters not shown; `out` is used below ... */
	proto_tree *subtree;
	proto_item *subitem;
	unsigned alg, length, flags, orig_size = 0;
	tvbuff_t *uncomp_tvb = NULL;
	bool lz_based = false;
	/* ... */
	subtree = proto_tree_add_subtree_format(tree, tvb, offset, 0, ett_smb2_comp_payload, &subitem, "COMPRESSION_PAYLOAD_HEADER");
	proto_tree_add_item_ret_uint(subtree, hf_smb2_comp_transform_comp_alg, tvb, offset, 2, ENC_LITTLE_ENDIAN, &alg);
	/* ... */
	proto_tree_add_item_ret_uint(subtree, hf_smb2_comp_transform_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN, &flags);
	/* ... */
	proto_tree_add_item_ret_uint(subtree, hf_smb2_comp_transform_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
	/* ... */
	proto_item_set_len(subitem, length);

	/* true for the algorithm values from LZNT1 up to LZ77HUFF inclusive */
	lz_based = (SMB2_COMP_ALG_LZNT1 <= alg && alg <= SMB2_COMP_ALG_LZ77HUFF);
	/* ... one line not shown; presumably makes the next field conditional on lz_based ... */
	proto_tree_add_item_ret_uint(subtree, hf_smb2_comp_transform_orig_payload_size,
				     tvb, offset, 4, ENC_LITTLE_ENDIAN, &orig_size);
	/* ... */

	/* `length` is read from the packet; oversized payloads are reported
	 * as invalid before any decompressor is called */
	if (length > MAX_UNCOMPRESSED_SIZE) {
		/* decompression error */
		col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (invalid)");
	/* ... rest of the error path and the switch header not shown ... */
	case SMB2_COMP_ALG_NONE:
		/* payload is stored uncompressed: copy it as is */
		append_uncompress_data(out, tvb, offset, length);
		/* ... */
	case SMB2_COMP_ALG_LZ77:
		uncomp_tvb = tvb_uncompress_lz77(tvb, offset, length);
		/* ... */
	case SMB2_COMP_ALG_LZ77HUFF:
		uncomp_tvb = tvb_uncompress_lz77huff(tvb, offset, length);
		/* ... */
	case SMB2_COMP_ALG_LZNT1:
		uncomp_tvb = tvb_uncompress_lznt1(tvb, offset, length);
		/* ... */
	case SMB2_COMP_ALG_PATTERN_V1:
		dissect_smb2_compression_pattern_v1(subtree, tvb, offset, length, out);
		/* ... */
		col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (unknown)");
	/* ... */

	/* a decompressor result is accepted only when it exists and its
	 * length equals the original size announced in the header */
	if (!uncomp_tvb || tvb_reported_length(uncomp_tvb) != orig_size) {
		/* decompression error */
		col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (invalid)");
	/* ... */
	append_uncompress_data(out, uncomp_tvb, 0, tvb_reported_length(uncomp_tvb));
	/* ... */
	tvb_free(uncomp_tvb);
	proto_tree_add_item(subtree, hf_smb2_comp_transform_data, tvb, offset, length, ENC_NA);
	/* ... return and end of function not shown ... */
/*
 * Dissect an SMB2 COMPRESSION_TRANSFORM header and try to rebuild the
 * uncompressed message.
 *
 * Outputs: *comp_tvb is set to a subset of `tvb` covering the rest of the
 * message; *plain_tvb is set to a new child tvb over the reassembled
 * uncompressed bytes when decompression succeeds. The header fields that
 * are parsed are stored in `scti`.
 *
 * Two layouts are handled, chosen by the CHAINED flag: a chain of payload
 * headers (each handed to dissect_smb2_chained_comp_payload()), or the
 * older single-segment form with an uncompressed prefix of comp_offset
 * bytes followed by one compressed segment.
 *
 * NOTE(review): this listing omits some source lines (the gutter numbers
 * skip); the gaps are marked with an ellipsis comment. Declarations of
 * `flags`, `in_size` and `ok`, the `offset` advances, the error exits and
 * the `decompression_ok` label are not visible.
 */
/* ... return type not shown ... */
dissect_smb2_comp_transform_header(packet_info *pinfo, proto_tree *tree,
				   tvbuff_t *tvb, int offset,
				   smb2_comp_transform_info_t *scti,
				   tvbuff_t **comp_tvb,
				   tvbuff_t **plain_tvb)
	/* ... */
	tvbuff_t *uncomp_tvb = NULL;
	/* ... */
	wmem_array_t *uncomp_data;
	/* ... */
	/*
	 * "old" compressed method:
	 *
	 *   [COMPRESS_TRANSFORM_HEADER with Flags=0]
	 *   [OPTIONAL UNCOMPRESSED DATA]
	 *   ... (line not shown)
	 *
	 * new "chained" compressed method:
	 *
	 *   [first 8 bytes of COMPRESS_TRANSFORM_HEADER with Flags=CHAINED]
	 *   ... (line not shown)
	 *   [ COMPRESSION_PAYLOAD_HEADER ]
	 *   [ COMPRESSED PAYLOAD ]
	 *   ... (lines not shown)
	 */

	/* SMB2_COMPRESSION_TRANSFORM marker */
	proto_tree_add_item(tree, hf_smb2_protocol_id, tvb, offset, 4, ENC_BIG_ENDIAN);
	/* ... */
	proto_tree_add_item_ret_uint(tree, hf_smb2_comp_transform_orig_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &scti->orig_size);
	/* ... */
	/* packet-scoped output buffer, element size 1, initial capacity 1024 */
	uncomp_data = wmem_array_sized_new(pinfo->pool, 1, 1024);

	/* peek at the flags (2 bytes past the current offset) to pick the layout */
	flags = tvb_get_letohs(tvb, offset+2);
	if (flags & SMB2_COMP_FLAG_CHAINED) {
		bool all_ok = true;

		*comp_tvb = tvb_new_subset_length(tvb, offset, tvb_reported_length_remaining(tvb, offset));
		/* ... loop opening not shown ... */
			offset = dissect_smb2_chained_comp_payload(pinfo, tree, tvb, offset, uncomp_data, &ok);
			/* ... */
		/* keep going while more than 8 bytes remain.
		 * NOTE(review): no cap on the total size of uncomp_data across
		 * payloads is visible in this loop - confirm one exists. */
		} while (tvb_reported_length_remaining(tvb, offset) > 8);
		/* ... */
			goto decompression_ok;
	/* ... */
	proto_tree_add_item_ret_uint(tree, hf_smb2_comp_transform_comp_alg, tvb, offset, 2, ENC_LITTLE_ENDIAN, &scti->alg);
	/* ... */
	proto_tree_add_item_ret_uint(tree, hf_smb2_comp_transform_flags, tvb, offset, 2, ENC_LITTLE_ENDIAN, &flags);
	/* ... */
	proto_tree_add_item_ret_uint(tree, hf_smb2_comp_transform_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &scti->comp_offset);
	/* ... */
	*comp_tvb = tvb_new_subset_length(tvb, offset, tvb_reported_length_remaining(tvb, offset));

	/* both sizes are read from the packet; either one above the limit is
	 * reported as too big before anything is copied or decompressed */
	if (scti->orig_size > MAX_UNCOMPRESSED_SIZE || scti->comp_offset > MAX_UNCOMPRESSED_SIZE) {
		col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (too big)");
	/* ... */
	/*
	 * final uncompressed size is the partial normal packet + uncompressed segment
	 * final_size = scti->orig_size + scti->comp_offset
	 */
	/* ... */
	/* copy the uncompressed prefix first */
	append_uncompress_data(uncomp_data, tvb, offset, scti->comp_offset);
	in_size = tvb_reported_length_remaining(tvb, offset + scti->comp_offset);

	/* decompress compressed segment */
	switch (scti->alg) {
	case SMB2_COMP_ALG_LZ77:
		uncomp_tvb = tvb_uncompress_lz77(tvb, offset + scti->comp_offset, in_size);
		/* ... */
	case SMB2_COMP_ALG_LZ77HUFF:
		uncomp_tvb = tvb_uncompress_lz77huff(tvb, offset + scti->comp_offset, in_size);
		/* ... */
	case SMB2_COMP_ALG_LZNT1:
		uncomp_tvb = tvb_uncompress_lznt1(tvb, offset + scti->comp_offset, in_size);
		/* ... */
		col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (unknown)");
	/* ... */

	/* the result must exist and be exactly orig_size bytes long */
	if (!uncomp_tvb || tvb_reported_length(uncomp_tvb) != scti->orig_size) {
		/* decompression error */
		col_append_str(pinfo->cinfo, COL_INFO, "Comp. SMB3 (invalid)");
	/* ... */
	/* write decompressed segment at the end of partial packet */
	append_uncompress_data(uncomp_data, uncomp_tvb, 0, scti->orig_size);
	/* ... */
	col_append_str(pinfo->cinfo, COL_INFO, "Decomp. SMB3");
	/* expose the reassembled bytes as a child tvb and as a data source */
	*plain_tvb = tvb_new_child_real_data(tvb,
					     (uint8_t *)wmem_array_get_raw(uncomp_data),
					     wmem_array_get_count(uncomp_data),
					     wmem_array_get_count(uncomp_data));
	add_new_data_source(pinfo, *plain_tvb, "Decomp. SMB3");
	/* ... */
	tvb_free(uncomp_tvb);
	/* ... return and end of function not shown ... */
/*
 * Dissect an SMB2 TRANSFORM (encryption) header and, when the encrypted
 * flag is set, try to decrypt the payload.
 *
 * Fields read into `sti`: the 16-byte nonce field, the 4-byte message
 * size, the 2-byte flags and the 8-byte session id. *enc_tvb is set to a
 * subset of `tvb` of sti->size bytes; *plain_tvb is set only when
 * decrypt_smb_payload() returns a buffer.
 *
 * NOTE(review): this listing omits some source lines (the gutter numbers
 * skip); the gaps are marked with an ellipsis comment. Declarations of
 * `offset_aad` and `sesid_offset` and the `offset` advances are not
 * visible.
 */
/* ... return type not shown ... */
dissect_smb2_transform_header(packet_info *pinfo, proto_tree *tree,
			      tvbuff_t *tvb, int offset,
			      smb2_transform_info_t *sti,
			      tvbuff_t **enc_tvb, tvbuff_t **plain_tvb)
	/* ... */
	proto_item *sesid_item = NULL;
	proto_tree *sesid_tree = NULL;
	/* ... */
	uint8_t *plain_data = NULL;
	/* ... */
	proto_tree_add_item(tree, hf_smb2_transform_signature, tvb, offset, 16, ENC_NA);
	/* ... */
	/* remembered and later passed to decrypt_smb_payload(); presumably
	 * the start of the additional authenticated data - confirm */
	offset_aad = offset;
	/* ... */
	proto_tree_add_item(tree, hf_smb2_transform_nonce, tvb, offset, 16, ENC_NA);
	tvb_memcpy(tvb, sti->nonce, offset, 16);
	/* ... */
	proto_tree_add_item(tree, hf_smb2_transform_msg_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
	/* message size as sent on the wire; it is untrusted and is used below
	 * to size enc_tvb and plain_tvb and to advance offset */
	sti->size = tvb_get_letohl(tvb, offset);
	/* ... */
	proto_tree_add_item(tree, hf_smb2_transform_reserved, tvb, offset, 2, ENC_NA);
	/* ... */
	proto_tree_add_bitmask(tree, tvb, offset, hf_smb2_transform_flags,
			       ett_smb2_transform_flags,
			       smb2_transform_flags, ENC_LITTLE_ENDIAN);
	sti->flags = tvb_get_letohs(tvb, offset);
	/* ... */
	sesid_offset = offset;
	sti->sesid = tvb_get_letoh64(tvb, offset);
	sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
	/* ... */
	/* now we need to first lookup the uid session */
	sti->session = smb2_get_session(sti->conv, sti->sesid, NULL, NULL);
	smb2_add_session_info(sesid_tree, sesid_item, tvb, sesid_offset, sti->session);

	if (sti->flags & SMB2_TRANSFORM_FLAGS_ENCRYPTED) {
		plain_data = decrypt_smb_payload(pinfo, tvb, offset, offset_aad, sti);
	/* ... */
	/* NOTE(review): no explicit range check on sti->size is visible in
	 * this listing; presumably tvb_new_subset_length() rejects a length
	 * beyond the tvb - confirm. */
	*enc_tvb = tvb_new_subset_length(tvb, offset, sti->size);

	if (plain_data != NULL) {
		*plain_tvb = tvb_new_child_real_data(*enc_tvb, plain_data, sti->size, sti->size);
		add_new_data_source(pinfo, *plain_tvb, "Decrypted SMB3");
	/* ... */
	/* skip the payload whether or not it was decrypted */
	offset += sti->size;
	/* ... return and end of function not shown ... */
/*
 * Return a display title for oplock/lease break packets, which do not
 * follow the plain Request/Response naming.
 *
 * cmd     SMB2 command code; anything other than SMB2_COM_BREAK is
 *         handled by the early branch (its body is not shown).
 * flags   SMB2 header flags; SMB2_FLAGS_RESPONSE selects the title set.
 * msg_id  message id; 0xFFFFFFFFFFFFFFFF marks an oplock break
 *         notification.
 * tvb, offset  where the 16-bit structure size of the command body is read.
 *
 * The callers visible in this listing test the result for NULL, so
 * presumably NULL is returned when no special title applies.
 *
 * NOTE(review): this listing omits some source lines (the gutter numbers
 * skip); the gaps are marked with an ellipsis comment.
 */
static const char *
get_special_packet_title(uint16_t cmd, uint32_t flags, uint64_t msg_id, tvbuff_t *tvb, int offset)
	/* ... */
	/* for some types of packets we don't have request/response packets but something else
	 * to show more correct names while displaying them we use this logic to override standard naming convention
	 */
	/* ... */
	uint16_t buffer_code;
	/* detect oplock/lease break packets */
	if (cmd != SMB2_COM_BREAK) {
	/* ... body of the early exit not shown ... */
	/* the structure size field tells the break variants apart */
	buffer_code = tvb_get_letohs(tvb, offset);
	if (flags & SMB2_FLAGS_RESPONSE) {
		switch (buffer_code) {
		case OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE:
			/* note - Notification and Response packets for Oplock Break are equivalent,
			 * we can distinguish them only via msg_id value */
			if (msg_id == 0xFFFFFFFFFFFFFFFF) /* see [MS-SMB2] 3.3.4.6 Object Store Indicates an Oplock Break */
				return "Oplock Break Notification";
			/* ... */
				return "Oplock Break Response";
		case OPLOCK_BREAK_LEASE_NOTIFICATION_STRUCTURE_SIZE:
			return "Lease Break Notification";
		case OPLOCK_BREAK_LEASE_RESPONSE_STRUCTURE_SIZE:
			return "Lease Break Response";
		/* ... */
		switch (buffer_code) {
		case OPLOCK_BREAK_OPLOCK_STRUCTURE_SIZE:
			return "Oplock Break Acknowledgment";
		case OPLOCK_BREAK_LEASE_ACKNOWLEDGMENT_STRUCTURE_SIZE:
			return "Lease Break Acknowledgment";
		/* ... */
	/* return back to standard notation if we can't detect packet type of break packet */
	/* ... final return and end of function not shown ... */
/*
 * Dissect the command body that follows the SMB2 header.
 *
 * Adds a command subtree titled either with the special break-packet
 * title or with "<name> Request/Response", then calls the request or
 * response handler registered for the opcode in smb2_dissector[]. When
 * no handler is registered the rest of the buffer is shown as unknown
 * data and offset is set to the captured length.
 *
 * NOTE(review): this listing omits some source lines (the gutter numbers
 * skip); the gaps are marked with an ellipsis comment.
 */
/* ... return type not shown ... */
dissect_smb2_command(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
	/* ... */
	int (*cmd_dissector)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
	proto_item *cmd_item;
	proto_tree *cmd_tree;
	int old_offset = offset;
	const char *packet_title = get_special_packet_title(si->opcode, si->flags, si->msg_id, tvb, offset);

	if (packet_title) {
		cmd_tree = proto_tree_add_subtree_format(tree, tvb, offset, -1,
				ett_smb2_command, &cmd_item, "%s (0x%02x)",
				/* ... format arguments not shown ... */
	/* ... */
		cmd_tree = proto_tree_add_subtree_format(tree, tvb, offset, -1,
				ett_smb2_command, &cmd_item, "%s %s (0x%02x)",
				decode_smb2_name(si->opcode),
				(si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request",
				/* ... last format argument not shown ... */
	/* ... */
	/* the opcode comes from the packet; masking with 0xff keeps the table
	 * index in 0..255 (assumes smb2_dissector[] has 256 entries - TODO confirm) */
	cmd_dissector = (si->flags & SMB2_FLAGS_RESPONSE)?
		smb2_dissector[si->opcode&0xff].response:
		smb2_dissector[si->opcode&0xff].request;
	if (cmd_dissector) {
		offset = (*cmd_dissector)(tvb, pinfo, cmd_tree, offset, si);
	/* ... */
		proto_tree_add_item(cmd_tree, hf_smb2_unknown, tvb, offset, -1, ENC_NA);
		offset = tvb_captured_length(tvb);
	/* ... */
	proto_item_set_len(cmd_item, offset-old_offset);
	/* ... return and end of function not shown ... */
/*
 * Dissect the tree id / async id and the session id of the SMB2 header
 * and attach what is known about the session and the tree.
 *
 * With SMB2_FLAGS_ASYNC_CMD set an 8-byte async id is shown; otherwise a
 * 4-byte reserved field and the 4-byte tree id. The 8-byte session id
 * follows. si->tid, si->sesid, si->session and si->tree are filled in.
 * Returns the offset (one visible return path is the early exit when the
 * tree id is unknown).
 *
 * NOTE(review): this listing omits some source lines (the gutter numbers
 * skip); the gaps are marked with an ellipsis comment. Declarations of
 * `item` and `sesid_offset` and the `offset` advances are not visible.
 */
/* ... return type not shown ... */
dissect_smb2_tid_sesid(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb, int offset, smb2_info_t *si)
	/* ... */
	proto_item *tid_item = NULL;
	proto_tree *tid_tree = NULL;
	smb2_tid_info_t tid_key;
	int tid_offset = 0;
	proto_item *sesid_item = NULL;
	proto_tree *sesid_tree = NULL;
	smb2_sesid_info_t sesid_key;
	/* ... */
	if (si->flags&SMB2_FLAGS_ASYNC_CMD) {
		proto_tree_add_item(tree, hf_smb2_aid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	/* ... */
		proto_tree_add_item(tree, hf_smb2_header_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		/* ... */
		tid_offset = offset;
		si->tid = tvb_get_letohl(tvb, offset);
		tid_item = proto_tree_add_item(tree, hf_smb2_tid, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		tid_tree = proto_item_add_subtree(tid_item, ett_smb2_tid_tree);
	/* ... */
	sesid_offset = offset;
	si->sesid = tvb_get_letoh64(tvb, offset);
	sesid_item = proto_tree_add_item(tree, hf_smb2_sesid, tvb, offset, 8, ENC_LITTLE_ENDIAN);
	sesid_tree = proto_item_add_subtree(sesid_item, ett_smb2_sesid_tree);
	/* ... */
	/* now we need to first lookup the uid session */
	sesid_key.sesid = si->sesid;
	si->session = (smb2_sesid_info_t *)wmem_map_lookup(smb2_sessions, &sesid_key);
	if (!si->session) {
		/* not in the smb2_sessions map: fall back to smb2_get_session() */
		si->session = smb2_get_session(si->conv, si->sesid, pinfo, si);
	/* ... */
	smb2_add_session_info(sesid_tree, sesid_item, tvb, sesid_offset, si->session);

	if (!(si->flags&SMB2_FLAGS_ASYNC_CMD)) {
		/* see if we can find the name for this tid */
		tid_key.tid = si->tid;
		/* assumes si->session is non-NULL at this point - TODO confirm
		 * that smb2_get_session() cannot return NULL */
		si->tree = (smb2_tid_info_t *)wmem_map_lookup(si->session->tids, &tid_key);
		if (!si->tree) return offset;

		/* generated (not on the wire) items describing the tree */
		item = proto_tree_add_string(tid_tree, hf_smb2_tree, tvb, tid_offset, 4, si->tree->name);
		proto_item_set_generated(item);
		proto_item_append_text(tid_item, " %s", si->tree->name);

		item = proto_tree_add_uint(tid_tree, hf_smb2_share_type, tvb, tid_offset, 0, si->tree->share_type);
		proto_item_set_generated(item);

		item = proto_tree_add_uint(tid_tree, hf_smb2_tcon_frame, tvb, tid_offset, 0, si->tree->connect_frame);
		proto_item_set_generated(item);

		item = proto_tree_add_uint(tid_tree, hf_smb2_tdcon_frame, tvb, tid_offset, 0, si->tree->disconnect_frame);
		proto_item_set_generated(item);
	/* ... closing brace, final return and end of function not shown ... */
/*
 * Show the 16-byte SMB2 header signature and, when possible, recompute it
 * and mark it good or bad.
 *
 * Verification is attempted only when all of these hold in the visible
 * code: `si`, its session and its conversation exist; the
 * smb2_verify_signatures setting is on; the header has
 * SMB2_FLAGS_SIGNATURE; the session signing key is not all zeros; and the
 * frame was captured in full. A skipped check therefore says nothing
 * about the packet's integrity.
 *
 * The MAC is HMAC-SHA256 or AES-CMAC depending on si->conv->sign_alg and
 * is computed over the first 48 bytes of the tvb, 16 zero bytes in place
 * of the signature, and the rest of the message. A mismatch adds the
 * computed value as a generated item plus the ei_smb2_invalid_signature
 * expert info.
 *
 * NOTE(review): this listing omits some source lines (the gutter numbers
 * skip); the gaps are marked with an ellipsis comment. Declarations of
 * `md`, `err`, `remaining`, `zeros` and `i`, the early returns and any
 * further algorithm branches are not visible.
 */
/* ... return type not shown ... */
dissect_smb2_signature(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
	/* ... */
	proto_item *item = NULL;
	proto_tree *stree = NULL;
	/* ... */
	uint8_t mac[NTLMSSP_KEY_LEN] = { 0, };
	size_t len = NTLMSSP_KEY_LEN;
	/* ... */
	bool use_mac = false;	/* its use is on lines not shown */

	item = proto_tree_add_item(tree, hf_smb2_signature, tvb, offset, 16, ENC_NA);

	if (!si || !si->session ||!si->conv)
		/* ... */
	if (!smb2_verify_signatures || !(si->flags & SMB2_FLAGS_SIGNATURE))
		/* ... */
	/* an all-zero signing key means no key is known for this session */
	if (memcmp(si->session->signing_key, zeros, NTLMSSP_KEY_LEN) == 0) {
	/* ... */
	/* a truncated capture cannot be verified */
	if (tvb_reported_length(tvb) > tvb_captured_length(tvb))
		/* ... */
	remaining = tvb_reported_length_remaining(tvb, offset + NTLMSSP_KEY_LEN);

	if (si->conv->sign_alg == SMB2_SIGNING_ALG_HMAC_SHA256) {
		err = gcry_mac_open(&md, GCRY_MAC_HMAC_SHA256, 0, NULL);
		/* ... */
	} else if (si->conv->sign_alg == SMB2_SIGNING_ALG_AES_CMAC) {
		err = gcry_mac_open(&md, GCRY_MAC_CMAC_AES, 0, NULL);
		/* ... */
		/* NOTE(review): the return values of the gcry_mac_* calls below
		 * are not used in the visible lines - confirm a failure cannot
		 * leave `mac` at its zero initial value and still be compared. */
		gcry_mac_setkey(md, si->session->signing_key, len);
		/* presumably offset == 48 here, so these are the header bytes
		 * before the signature field - confirm against the caller */
		gcry_mac_write(md, tvb_get_ptr(tvb, 0, 48), 48);
		/* the signature field itself is hashed as zeros */
		gcry_mac_write(md, zeros, NTLMSSP_KEY_LEN);
		gcry_mac_write(md, tvb_get_ptr(tvb, offset + NTLMSSP_KEY_LEN, remaining), remaining);
		gcry_mac_read(md, &mac[0], &len);
		gcry_mac_close(md);
	/* ... */
	stree = proto_item_add_subtree(item, ett_smb2_signature);

	if (memcmp(&mac[0], tvb_get_ptr(tvb, offset, NTLMSSP_KEY_LEN), NTLMSSP_KEY_LEN) == 0) {
		proto_tree_add_item(stree, hf_smb2_good_signature, tvb, offset, 16, ENC_NA);
		return; /* signature matched */
	/* ... */
	/* mismatch: show the value that was computed locally */
	item = proto_tree_add_item(stree, hf_smb2_bad_signature, tvb, offset, 16, ENC_NA);
	proto_item_append_text(item, " ");
	for (i = 0; i < NTLMSSP_KEY_LEN; i++)
		proto_item_append_text(item, "%02x", mac[i]);
	proto_item_set_generated(item);
	expert_add_info(pinfo, item, &ei_smb2_invalid_signature);
	/* ... end of function not shown ... */
/*
 * Main SMB2 dissector: dissect one message starting at the beginning of
 * `tvb`, then recurse for whatever it carries.
 *
 * The first byte selects the kind of header: a normal SMB2 header, an
 * encryption TRANSFORM header or a COMPRESSION_TRANSFORM header; anything
 * else is labelled as a bad header. Decrypted payloads, decompressed
 * payloads and chained (compound) messages are each dissected by calling
 * this function again with first_in_chain == false. The recursion is
 * bracketed by increment_dissection_depth()/decrement_dissection_depth().
 *
 * For normal headers, requests and responses are paired by message id in
 * the per-conversation `unmatched`/`matched` tables on the first pass,
 * and looked up again on later passes.
 *
 * NOTE(review): this listing omits some source lines (the gutter numbers
 * skip); the gaps are marked with an ellipsis comment. Declarations of
 * `si`, `offset`, `msg_type` and `fid_name`, the `offset` advances, many
 * `else`/closing-brace lines and the final return are not visible.
 */
// NOLINTNEXTLINE(misc-no-recursion)
dissect_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, bool first_in_chain)
	/* ... */
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	proto_item *header_item = NULL;
	proto_tree *header_tree = NULL;
	/* ... */
	int chain_offset = 0;
	const char *label = smb_header_label;
	conversation_t *conversation;
	smb2_saved_info_t *ssi = NULL, ssi_key;
	/* ... */
	smb2_transform_info_t *sti;
	smb2_comp_transform_info_t *scti;
	/* ... */
	uint32_t open_frame,close_frame;
	smb2_eo_file_info_t *eo_file_info;
	e_ctx_hnd *policy_hnd_hashtablekey;
	const char *packet_title;

	/* per-packet state; only `si` is zero-initialised */
	sti = wmem_new(pinfo->pool, smb2_transform_info_t);
	scti = wmem_new(pinfo->pool, smb2_comp_transform_info_t);
	si = wmem_new0(pinfo->pool, smb2_info_t);
	si->top_tree = parent_tree;

	msg_type = tvb_get_uint8(tvb, 0);

	switch (msg_type) {
	case SMB2_COMP_HEADER:
		label = smb_comp_transform_header_label;
		/* ... */
	case SMB2_ENCR_HEADER:
		label = smb_transform_header_label;
		/* ... */
	case SMB2_NORM_HEADER:
		label = smb_header_label;
		/* ... */
		label = smb_bad_header_label;
	/* ... */

	increment_dissection_depth(pinfo);

	/* find which conversation we are part of and get the data for that [...] */
	conversation = find_or_create_conversation(pinfo);
	si->conv = (smb2_conv_info_t *)conversation_get_proto_data(conversation, proto_smb2);
	/* ... */
		/* no smb2_into_t structure for this conversation yet, [...] */
		si->conv = wmem_new0(wmem_file_scope(), smb2_conv_info_t);
		/* qqq this leaks memory for now since we never free [...] */
		si->conv->matched = g_hash_table_new(smb2_saved_info_hash_matched,
			smb2_saved_info_equal_matched);
		si->conv->unmatched = g_hash_table_new(smb2_saved_info_hash_unmatched,
			smb2_saved_info_equal_unmatched);
		si->conv->preauth_hash_current = si->conv->preauth_hash_con;

		/* Bit of a hack to avoid leaking the hash tables - register a
		 * callback to free them. Ideally wmem would implement a simple
		 * hash table so we wouldn't have to do this. */
		wmem_register_callback(wmem_file_scope(), smb2_conv_destroy,
			/* ... last argument not shown ... */
		/* ... */
		conversation_add_proto_data(conversation, proto_smb2, si->conv);
	/* ... */
	/* the transform helpers use the same conversation state */
	sti->conv = si->conv;
	scti->conv = si->conv;

	col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB2");
	if (first_in_chain) {
		/* ... */
		col_clear(pinfo->cinfo, COL_INFO);
	/* ... */
		col_append_str(pinfo->cinfo, COL_INFO, "; ");
	/* ... */
	item = proto_tree_add_item(parent_tree, proto_smb2, tvb, offset, -1, ENC_NA);
	tree = proto_item_add_subtree(item, ett_smb2);

	header_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_smb2_header, &header_item, label);

	/* Decode the header */

	if (msg_type == SMB2_NORM_HEADER) {
		/* ... */
		proto_tree_add_item(header_tree, hf_smb2_protocol_id, tvb, offset, 4, ENC_BIG_ENDIAN);
		/* ... */
		/* we need the flags before we know how to parse the credits field */
		si->flags = tvb_get_letohl(tvb, offset+12);

		/* header length */
		proto_tree_add_item(header_tree, hf_smb2_header_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		/* ... */
		/* credit charge (previously "epoch" (unused) which has been deprecated as of "SMB 2.1") */
		proto_tree_add_item(header_tree, hf_smb2_credit_charge, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		/* ... */
		if (si->flags & SMB2_FLAGS_RESPONSE) {
			si->status = tvb_get_letohl(tvb, offset);
			proto_tree_add_item(header_tree, hf_smb2_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		/* ... */
			proto_tree_add_item(header_tree, hf_smb2_channel_sequence, tvb, offset, 2, ENC_LITTLE_ENDIAN);
			/* ... */
			proto_tree_add_item(header_tree, hf_smb2_reserved, tvb, offset, 2, ENC_NA);
		/* ... */
		si->opcode = tvb_get_letohs(tvb, offset);
		proto_tree_add_item(header_tree, hf_smb2_cmd, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		/* ... */
		if (si->flags & SMB2_FLAGS_RESPONSE) {
			proto_tree_add_item(header_tree, hf_smb2_credits_granted, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		/* ... */
			proto_tree_add_item(header_tree, hf_smb2_credits_requested, tvb, offset, 2, ENC_LITTLE_ENDIAN);
		/* ... */
			/* header flag bits shown under hf_smb2_flags */
			static int * const flags[] = {
				&hf_smb2_flags_response,
				&hf_smb2_flags_async_cmd,
				&hf_smb2_flags_chained,
				&hf_smb2_flags_signature,
				&hf_smb2_flags_priority_mask,
				&hf_smb2_flags_dfs_op,
				&hf_smb2_flags_replay_operation,
			/* ... terminator and closing brace not shown ... */
			proto_tree_add_bitmask(header_tree, tvb, offset, hf_smb2_flags,
					       ett_smb2_flags, flags, ENC_LITTLE_ENDIAN);
		/* ... */
		/* offset of the next message in a compound chain, taken from the
		 * packet; it is followed at the end of this function only when > 0 */
		chain_offset = tvb_get_letohl(tvb, offset);
		proto_tree_add_item(header_tree, hf_smb2_chain_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN);
		/* ... */
		si->msg_id = tvb_get_letoh64(tvb, offset);
		ssi_key.msg_id = si->msg_id;
		proto_tree_add_item(header_tree, hf_smb2_msg_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
		/* ... */
		/* Tree ID and Session ID */
		offset = dissect_smb2_tid_sesid(pinfo, header_tree, tvb, offset, si);
		/* ... */
		dissect_smb2_signature(pinfo, tvb, offset, header_tree, si);
		/* ... */
		proto_item_set_len(header_item, offset);

		/* Check if this is a special packet type and it has non-regular title */
		packet_title = get_special_packet_title(si->opcode, si->flags, si->msg_id, tvb, offset);
		if (packet_title) {
			col_append_str(pinfo->cinfo, COL_INFO, packet_title);
		/* ... */
			/* Regular packets have standard title */
			col_append_fstr(pinfo->cinfo, COL_INFO, "%s %s",
				decode_smb2_name(si->opcode),
				(si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request");
		/* ... condition and call opening not shown ... */
				pinfo->cinfo, COL_INFO, ", Error: %s",
				val_to_str_ext(si->status, &NT_errors_ext,
					       "Unknown (0x%08X)"));
		/* ... */

		/* first pass over this frame: maintain the request/response tables */
		if (!pinfo->fd->visited) {
			/* see if we can find this msg_id in the unmatched table */
			ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);

			if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
				/* This is a request */
				/* ... */
					/* this is a request and we already found
					 * an older ssi so just delete the previous [...] */
					g_hash_table_remove(si->conv->unmatched, ssi);
				/* ... */
					/* no we couldn't find it, so just add it then
					 * if was a request we are decoding [...] */
					ssi = wmem_new0(wmem_file_scope(), smb2_saved_info_t);
					ssi->msg_id = ssi_key.msg_id;
					ssi->frame_req = pinfo->num;
					/* UINT32_MAX marks "no response seen yet" (see the test below) */
					ssi->frame_res = UINT32_MAX;
					ssi->req_time = pinfo->abs_ts;
					ssi->extra_info_type = SMB2_EI_NONE;
					g_hash_table_insert(si->conv->unmatched, ssi, ssi);
			/* ... */
				/* This is a response */
				/* an async response with NT_STATUS_PENDING is not the final one */
				if (!((si->flags & SMB2_FLAGS_ASYNC_CMD)
					&& si->status == NT_STATUS_PENDING)
					/* ... rest of the condition not shown ... */
					/* just set the response frame and move it to the matched table */
					ssi->frame_res = pinfo->num;
					g_hash_table_remove(si->conv->unmatched, ssi);
					g_hash_table_insert(si->conv->matched, ssi, ssi);
		/* ... */
			/* see if we can find this msg_id in the matched table */
			ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->matched, &ssi_key);
			/* if we couldn't find it in the matched table, it might still
			 * be in the unmatched table [...] */
				ssi = (smb2_saved_info_t *)g_hash_table_lookup(si->conv->unmatched, &ssi_key);
		/* ... */
			if (dcerpc_fetch_polhnd_data(&ssi->policy_hnd, &fid_name, NULL, &open_frame, &close_frame, pinfo->num)) {
				/* If needed, create the file entry and save the policy hnd */
				if (!si->eo_file_info) {
					/* ... */
						/* assumes si->session is non-NULL here - TODO confirm;
						 * a guard may be on the line not shown */
						eo_file_info = (smb2_eo_file_info_t *)wmem_map_lookup(si->session->files,&ssi->policy_hnd);
						if (!eo_file_info) { /* XXX This should never happen */
							/* assert(1==0); */
							eo_file_info = wmem_new(wmem_file_scope(), smb2_eo_file_info_t);
							policy_hnd_hashtablekey = wmem_new(wmem_file_scope(), e_ctx_hnd);
							memcpy(policy_hnd_hashtablekey, &ssi->policy_hnd, sizeof(e_ctx_hnd));
							eo_file_info->end_of_file=0;
							wmem_map_insert(si->session->files,policy_hnd_hashtablekey,eo_file_info);
						/* ... */
						si->eo_file_info=eo_file_info;
			/* ... */
			/* generated cross-references between request and response frames */
			if (!(si->flags & SMB2_FLAGS_RESPONSE)) {
				if (ssi->frame_res != UINT32_MAX) {
					proto_item *tmp_item;
					tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_in, tvb, 0, 0, ssi->frame_res);
					proto_item_set_generated(tmp_item);
			/* ... */
				if (ssi->frame_req != UINT32_MAX) {
					proto_item *tmp_item;
					nstime_t t, deltat;

					tmp_item = proto_tree_add_uint(header_tree, hf_smb2_response_to, tvb, 0, 0, ssi->frame_req);
					proto_item_set_generated(tmp_item);
					/* ... assignment of t not shown ... */
					nstime_delta(&deltat, &t, &ssi->req_time);
					tmp_item = proto_tree_add_time(header_tree, hf_smb2_time, tvb,
					/* ... remaining arguments not shown ... */
					proto_item_set_generated(tmp_item);
			/* ... */
			/* keep si->file and the saved ssi->file in step, in whichever
			 * direction one is already set */
			if (si->file != NULL) {
				ssi->file = si->file;
			/* ... */
				si->file = ssi->file;
		/* ... */
		/* if we don't have ssi yet we must fake it */
		/* ... */
		tap_queue_packet(smb2_tap, pinfo, si);

		/* Decode the payload */
		offset = dissect_smb2_command(pinfo, tree, tvb, offset, si);
	} else if (msg_type == SMB2_ENCR_HEADER) {
		proto_tree *enc_tree;
		tvbuff_t *enc_tvb = NULL;
		tvbuff_t *plain_tvb = NULL;

		/* SMB2_TRANSFORM marker */
		proto_tree_add_item(header_tree, hf_smb2_protocol_id, tvb, offset, 4, ENC_BIG_ENDIAN);
		/* ... */
		offset = dissect_smb2_transform_header(pinfo, header_tree, tvb, offset, sti,
						       &enc_tvb, &plain_tvb);

		enc_tree = proto_tree_add_subtree(tree, enc_tvb, 0, sti->size, ett_smb2_encrypted, NULL, "Encrypted SMB3 data");
		if (plain_tvb != NULL) {
			/* decryption worked: dissect the plaintext as a nested SMB2 message */
			col_append_str(pinfo->cinfo, COL_INFO, "Decrypted SMB3");
			dissect_smb2(plain_tvb, pinfo, enc_tree, false);
		/* ... */
			col_append_str(pinfo->cinfo, COL_INFO, "Encrypted SMB3");
			proto_tree_add_item(enc_tree, hf_smb2_transform_encrypted_data,
					    enc_tvb, 0, sti->size, ENC_NA);
		/* ... */
		/* bytes after the encrypted message are dissected as the next message */
		if (tvb_reported_length_remaining(tvb, offset) > 0) {
			chain_offset = offset;
		/* ... */
	} else if (msg_type == SMB2_COMP_HEADER) {
		proto_tree *comp_tree;
		proto_item *decomp_item;
		tvbuff_t *plain_tvb = NULL;
		tvbuff_t *comp_tvb = NULL;

		offset = dissect_smb2_comp_transform_header(pinfo, header_tree, tvb, offset,
							    scti, &comp_tvb, &plain_tvb);

		comp_tree = proto_tree_add_subtree(header_tree, tvb, offset,
						   tvb_reported_length_remaining(tvb, offset),
						   ett_smb2_compressed, NULL,
						   "Compressed SMB3 data");
		proto_tree_add_item(comp_tree, hf_smb2_comp_transform_data,
				    /* ... */
				    tvb_reported_length_remaining(tvb, offset),
				    /* ... */
		/* ... condition not shown; presumably tests plain_tvb ... */
			proto_tree *decomp_tree;

			decomp_tree = proto_tree_add_subtree(header_tree, plain_tvb, 0,
							     tvb_reported_length_remaining(plain_tvb, 0),
							     ett_smb2_decompressed, &decomp_item,
							     "Decompressed SMB3 data");
			proto_item_set_generated(decomp_item);
			/* dissect the decompressed bytes as a nested SMB2 message */
			dissect_smb2(plain_tvb, pinfo, decomp_tree, false);
		/* ... */
		offset += tvb_reported_length_remaining(tvb, offset);
	/* ... */
		col_append_str(pinfo->cinfo, COL_INFO, "Invalid header");
		/* ... */
		/* bad packet after decompressing/decrypting */
		offset += tvb_reported_length_remaining(tvb, offset);
	/* ... */

	/* follow the chain: dissect the next message starting at chain_offset.
	 * Only positive values are followed. */
	if (chain_offset > 0) {
		tvbuff_t *next_tvb;

		proto_item_set_len(item, chain_offset);

		next_tvb = tvb_new_subset_remaining(tvb, chain_offset);
		offset = dissect_smb2(next_tvb, pinfo, parent_tree, false);
	/* ... */
	decrement_dissection_depth(pinfo);
	/* ... return and end of function not shown ... */
/*
 * Heuristic entry point: hand the buffer to dissect_smb2() only when it
 * looks like SMB2.
 *
 * The visible test needs at least 4 captured bytes, a first byte equal to
 * one of the three known header markers (compression, encryption or
 * normal) and the ASCII letters 'S', 'M', 'B' in bytes 1 to 3.
 *
 * NOTE(review): this listing omits some source lines (the gutter numbers
 * skip); the gaps are marked with an ellipsis comment. The return
 * statements and the declaration of `b` are not visible.
 */
/* ... return type not shown ... */
dissect_smb2_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
	/* ... */
	/* must check that this really is a smb2 packet */
	if (tvb_captured_length(tvb) < 4)
		/* ... */
	b = tvb_get_uint8(tvb, 0);
	if (((b != SMB2_COMP_HEADER) && (b != SMB2_ENCR_HEADER) && (b != SMB2_NORM_HEADER))
	    || (tvb_get_uint8(tvb, 1) != 'S')
	    || (tvb_get_uint8(tvb, 2) != 'M')
	    || (tvb_get_uint8(tvb, 3) != 'B') ) {
		/* ... */
	/* accepted: this is the first message in the buffer */
	dissect_smb2(tvb, pinfo, parent_tree, true);
	/* ... return and end of function not shown ... */
12213 proto_register_smb2(void)
12215 module_t
*smb2_module
;
12216 static hf_register_info hf
[] = {
12218 { "Command", "smb2.cmd", FT_UINT16
, BASE_DEC
| BASE_EXT_STRING
,
12219 &smb2_cmd_vals_ext
, 0, "SMB2 Command Opcode", HFILL
}
12222 { &hf_smb2_response_to
,
12223 { "Response to", "smb2.response_to", FT_FRAMENUM
, BASE_NONE
,
12224 FRAMENUM_TYPE(FT_FRAMENUM_REQUEST
), 0, "This packet is a response to the packet in this frame", HFILL
}
12227 { &hf_smb2_response_in
,
12228 { "Response in", "smb2.response_in", FT_FRAMENUM
, BASE_NONE
,
12229 FRAMENUM_TYPE(FT_FRAMENUM_RESPONSE
), 0, "The response to this packet is in this packet", HFILL
}
12233 { "Time from request", "smb2.time", FT_RELATIVE_TIME
, BASE_NONE
,
12234 NULL
, 0, "Time between Request and Response for SMB2 cmds", HFILL
}
12237 { &hf_smb2_preauth_hash
,
12238 { "Preauth Hash", "smb2.preauth_hash", FT_BYTES
, BASE_NONE
,
12239 NULL
, 0, "SMB3.1.1 pre-authentication SHA512 hash after hashing the packet", HFILL
}
12242 { &hf_smb2_header_len
,
12243 { "Header Length", "smb2.header_len", FT_UINT16
, BASE_DEC
,
12244 NULL
, 0, "SMB2 Size of Header", HFILL
}
12247 { &hf_smb2_nt_status
,
12248 { "NT Status", "smb2.nt_status", FT_UINT32
, BASE_HEX
| BASE_EXT_STRING
,
12249 &NT_errors_ext
, 0, "NT Status code", HFILL
}
12253 { "Message ID", "smb2.msg_id", FT_UINT64
, BASE_DEC
|BASE_VAL64_STRING
|BASE_SPECIAL_VALS
,
12254 VALS64(unique_unsolicited_response
), 0, NULL
, HFILL
}
12258 { "Tree Id", "smb2.tid", FT_UINT32
, BASE_HEX
,
12259 NULL
, 0, NULL
, HFILL
}
12263 { "Async Id", "smb2.aid", FT_UINT64
, BASE_HEX
,
12264 NULL
, 0, NULL
, HFILL
}
12268 { "Session Id", "smb2.sesid", FT_UINT64
, BASE_HEX
,
12269 NULL
, 0, NULL
, HFILL
}
12272 { &hf_smb2_previous_sesid
,
12273 { "Previous Session Id", "smb2.previous_sesid", FT_UINT64
, BASE_HEX
,
12274 NULL
, 0, NULL
, HFILL
}
12277 { &hf_smb2_chain_offset
,
12278 { "Chain Offset", "smb2.chain_offset", FT_UINT32
, BASE_HEX
,
12279 NULL
, 0, NULL
, HFILL
}
12282 { &hf_smb2_end_of_file
,
12283 { "End Of File", "smb2.eof", FT_UINT64
, BASE_DEC
,
12284 NULL
, 0, "SMB2 End Of File/File size", HFILL
}
12288 { "Number of Links", "smb2.nlinks", FT_UINT32
, BASE_DEC
,
12289 NULL
, 0, "Number of links to this object", HFILL
}
12292 { &hf_smb2_file_id
,
12293 { "File Id", "smb2.file_id", FT_UINT64
, BASE_HEX
,
12294 NULL
, 0, NULL
, HFILL
}
12297 { &hf_smb2_allocation_size
,
12298 { "Allocation Size", "smb2.allocation_size", FT_UINT64
, BASE_DEC
,
12299 NULL
, 0, NULL
, HFILL
}
12302 { &hf_smb2_max_response_size
,
12303 { "Max Response Size", "smb2.max_response_size", FT_UINT32
, BASE_DEC
,
12304 NULL
, 0, NULL
, HFILL
}
12307 { &hf_smb2_getinfo_input_size
,
12308 { "Getinfo Input Size", "smb2.getinfo_input_size", FT_UINT32
, BASE_DEC
,
12309 NULL
, 0, NULL
, HFILL
}
12312 { &hf_smb2_getinfo_input_offset
,
12313 { "Getinfo Input Offset", "smb2.getinfo_input_offset", FT_UINT16
, BASE_HEX
,
12314 NULL
, 0, NULL
, HFILL
}
12317 { &hf_smb2_getsetinfo_additional
,
12318 { "Additional Info", "smb2.getsetinfo_additional", FT_UINT32
, BASE_HEX
,
12319 NULL
, 0, NULL
, HFILL
}
12322 { &hf_smb2_getsetinfo_additionals
,
12323 { "Additional Info", "smb2.getsetinfo_additionals", FT_UINT32
, BASE_HEX
,
12324 NULL
, 0, NULL
, HFILL
}
12327 { &hf_smb2_getsetinfo_additional_owner
,
12328 { "Owner", "smb2.getsetinfo_additional_secinfo.owner", FT_BOOLEAN
, 32,
12329 TFS(&tfs_additional_owner
), OWNER_SECURITY_INFORMATION
, "Is owner security information being queried?", HFILL
}},
12331 { &hf_smb2_getsetinfo_additional_group
,
12332 { "Group", "smb2.getsetinfo_additional_secinfo.group", FT_BOOLEAN
, 32,
12333 TFS(&tfs_additional_group
), GROUP_SECURITY_INFORMATION
, "Is group security information being queried?", HFILL
}},
12335 { &hf_smb2_getsetinfo_additional_dacl
,
12336 { "DACL", "smb2.getsetinfo_additional_secinfo.dacl", FT_BOOLEAN
, 32,
12337 TFS(&tfs_additional_dacl
), DACL_SECURITY_INFORMATION
, "Is DACL security information being queried?", HFILL
}},
12339 { &hf_smb2_getsetinfo_additional_sacl
,
12340 { "SACL", "smb2.getsetinfo_additional_secinfo.sacl", FT_BOOLEAN
, 32,
12341 TFS(&tfs_additional_sacl
), SACL_SECURITY_INFORMATION
, "Is SACL security information being queried?", HFILL
}},
12343 { &hf_smb2_getsetinfo_additional_label
,
12344 { "Integrity label", "smb2.getsetinfo_additional_secinfo.label", FT_BOOLEAN
, 32,
12345 TFS(&tfs_additional_label
), LABEL_SECURITY_INFORMATION
, "Is integrity label security information being queried?", HFILL
}},
12347 { &hf_smb2_getsetinfo_additional_attribute
,
12348 { "Resource attribute", "smb2.getsetinfo_additional_secinfo.attribute", FT_BOOLEAN
, 32,
12349 TFS(&tfs_additional_attribute
), ATTRIBUTE_SECURITY_INFORMATION
, "Is resource attribute security information being queried?", HFILL
}},
12351 { &hf_smb2_getsetinfo_additional_scope
,
12352 { "Central access policy", "smb2.getsetinfo_additional_secinfo.scope", FT_BOOLEAN
, 32,
12353 TFS(&tfs_additional_scope
), SCOPE_SECURITY_INFORMATION
, "Is central access policy security information being queried?", HFILL
}},
12355 { &hf_smb2_getsetinfo_additional_backup
,
12356 { "Backup operation", "smb2.getsetinfo_additional_secinfo.backup", FT_BOOLEAN
, 32,
12357 TFS(&tfs_additional_backup
), BACKUP_SECURITY_INFORMATION
, "Is backup operation security information being queried?", HFILL
}},
12359 { &hf_smb2_getinfo_flags
,
12360 { "Flags", "smb2.getinfo_flags", FT_UINT32
, BASE_HEX
,
12361 NULL
, 0, NULL
, HFILL
}
12364 { &hf_smb2_setinfo_size
,
12365 { "Setinfo Size", "smb2.setinfo_size", FT_UINT32
, BASE_DEC
,
12366 NULL
, 0, NULL
, HFILL
}
12369 { &hf_smb2_setinfo_offset
,
12370 { "Setinfo Offset", "smb2.setinfo_offset", FT_UINT16
, BASE_HEX
,
12371 NULL
, 0, NULL
, HFILL
}
12374 { &hf_smb2_setinfo_reserved
,
12375 { "Reserved", "smb2.setinfo_reserved", FT_UINT16
, BASE_DEC
,
12376 NULL
, 0, NULL
, HFILL
}
12379 { &hf_smb2_max_ioctl_out_size
,
12380 { "Max Ioctl Out Size", "smb2.max_ioctl_out_size", FT_UINT32
, BASE_DEC
,
12381 NULL
, 0, NULL
, HFILL
}
12384 { &hf_smb2_max_ioctl_in_size
,
12385 { "Max Ioctl In Size", "smb2.max_ioctl_in_size", FT_UINT32
, BASE_DEC
,
12386 NULL
, 0, NULL
, HFILL
}
12389 { &hf_smb2_required_buffer_size
,
12390 { "Required Buffer Size", "smb2.required_size", FT_UINT32
, BASE_DEC
,
12391 NULL
, 0, NULL
, HFILL
}
12394 { &hf_smb2_header_reserved
,
12395 { "Reserved", "smb2.header_reserved", FT_UINT32
, BASE_HEX
,
12396 NULL
, 0, NULL
, HFILL
}
12400 /* SMB2 header flags */
12402 { "Flags", "smb2.flags", FT_UINT32
, BASE_HEX
,
12403 NULL
, 0, "SMB2 flags", HFILL
}
12406 { &hf_smb2_flags_response
,
12407 { "Response", "smb2.flags.response", FT_BOOLEAN
, 32,
12408 TFS(&tfs_flags_response
), SMB2_FLAGS_RESPONSE
, "Whether this is an SMB2 Request or Response", HFILL
}
12411 { &hf_smb2_flags_async_cmd
,
12412 { "Async command", "smb2.flags.async", FT_BOOLEAN
, 32,
12413 TFS(&tfs_flags_async_cmd
), SMB2_FLAGS_ASYNC_CMD
, NULL
, HFILL
}
12416 { &hf_smb2_flags_dfs_op
,
12417 { "DFS operation", "smb2.flags.dfs", FT_BOOLEAN
, 32,
12418 TFS(&tfs_flags_dfs_op
), SMB2_FLAGS_DFS_OP
, NULL
, HFILL
}
12421 { &hf_smb2_flags_chained
,
12422 { "Chained", "smb2.flags.chained", FT_BOOLEAN
, 32,
12423 TFS(&tfs_flags_chained
), SMB2_FLAGS_CHAINED
, "Whether the pdu continues a chain or not", HFILL
}
12425 { &hf_smb2_flags_signature
,
12426 { "Signing", "smb2.flags.signature", FT_BOOLEAN
, 32,
12427 TFS(&tfs_flags_signature
), SMB2_FLAGS_SIGNATURE
, "Whether the pdu is signed or not", HFILL
}
12430 { &hf_smb2_flags_replay_operation
,
12431 { "Replay operation", "smb2.flags.replay", FT_BOOLEAN
, 32,
12432 TFS(&tfs_flags_replay_operation
), SMB2_FLAGS_REPLAY_OPERATION
, "Whether this is a replay operation", HFILL
}
12435 { &hf_smb2_flags_priority_mask
,
12436 { "Priority", "smb2.flags.priority_mask", FT_BOOLEAN
, 32,
12437 TFS(&tfs_flags_priority_mask
), SMB2_FLAGS_PRIORITY_MASK
, "Priority Mask", HFILL
}
12441 { "Tree", "smb2.tree", FT_STRING
, BASE_NONE
,
12442 NULL
, 0, "Name of the Tree/Share", HFILL
}
12445 { &hf_smb2_filename
,
12446 { "Filename", "smb2.filename", FT_STRING
, BASE_NONE
,
12447 NULL
, 0, NULL
, HFILL
}
12450 { &hf_smb2_filename_len
,
12451 { "Filename Length", "smb2.filename.len", FT_UINT32
, BASE_DEC
,
12452 NULL
, 0, NULL
, HFILL
}
12455 { &hf_smb2_file_id_hash
,
12456 { "FileId Hash", "smb2.fid_hash", FT_UINT32
, BASE_HEX
,
12457 NULL
, 0, "Used to find all instances of a File ID", HFILL
}
12460 { &hf_smb2_num_matched
,
12461 { "Matched pattern", "smb2.num_matched", FT_UINT16
, BASE_DEC
,
12462 NULL
, 0, "Number of files matching the find pattern", HFILL
}
12466 { &hf_smb2_replace_if
,
12467 { "Replace If", "smb2.rename.replace_if", FT_BOOLEAN
, 8,
12468 TFS(&tfs_replace_if_exists
), 0xFF, "Whether to replace if the target exists", HFILL
}
12471 { &hf_smb2_data_offset
,
12472 { "Data Offset", "smb2.data_offset", FT_UINT16
, BASE_HEX
,
12473 NULL
, 0, "Offset to data", HFILL
}
12476 { &hf_smb2_find_info_level
,
12477 { "Info Level", "smb2.find.infolevel", FT_UINT32
, BASE_DEC
,
12478 VALS(smb2_find_info_levels
), 0, "Find_Info Infolevel", HFILL
}
12480 { &hf_smb2_find_flags
,
12481 { "Find Flags", "smb2.find.flags", FT_UINT8
, BASE_HEX
,
12482 NULL
, 0, NULL
, HFILL
}
12485 { &hf_smb2_find_pattern
,
12486 { "Search Pattern", "smb2.find.pattern", FT_STRING
, BASE_NONE
,
12487 NULL
, 0, "Find pattern", HFILL
}
12490 { &hf_smb2_find_info_blob
,
12491 { "Info", "smb2.find.info_blob", FT_BYTES
, BASE_NONE
,
12492 NULL
, 0, "Find Info", HFILL
}
12495 { &hf_smb2_ea_size
,
12496 { "EA Size", "smb2.ea_size", FT_UINT32
, BASE_DEC
,
12497 NULL
, 0, "Size of EA data", HFILL
}
12500 { &hf_smb2_position_information
,
12501 { "Position Information", "smb2.position_info", FT_UINT64
, BASE_DEC
,
12502 NULL
, 0, "Current file position", HFILL
}
12505 { &hf_smb2_mode_information
,
12506 { "Mode Information", "smb2.mode_info", FT_UINT32
, BASE_HEX
,
12507 NULL
, 0, "File mode information", HFILL
}
12510 { &hf_smb2_mode_file_write_through
,
12511 { "FILE_WRITE_THROUGH", "smb2.mode.file_write_through", FT_UINT32
, BASE_HEX
,
12512 NULL
, 0x02, NULL
, HFILL
}
12515 { &hf_smb2_mode_file_sequential_only
,
12516 { "FILE_SEQUENTIAL_ONLY", "smb2.mode.file_sequential_only", FT_UINT32
, BASE_HEX
,
12517 NULL
, 0x04, NULL
, HFILL
}
12520 { &hf_smb2_mode_file_no_intermediate_buffering
,
12521 { "FILE_NO_INTERMEDIATE_BUFFERING", "smb2.mode.file_no_intermediate_buffering", FT_UINT32
, BASE_HEX
,
12522 NULL
, 0x08, NULL
, HFILL
}
12525 { &hf_smb2_mode_file_synchronous_io_alert
,
12526 { "FILE_SYNCHRONOUS_IO_ALERT", "smb2.mode.file_synchronous_io_alert", FT_UINT32
, BASE_HEX
,
12527 NULL
, 0x10, NULL
, HFILL
}
12530 { &hf_smb2_mode_file_synchronous_io_nonalert
,
12531 { "FILE_SYNCHRONOUS_IO_NONALERT", "smb2.mode.file_synchronous_io_nonalert", FT_UINT32
, BASE_HEX
,
12532 NULL
, 0x20, NULL
, HFILL
}
12535 { &hf_smb2_mode_file_delete_on_close
,
12536 { "FILE_DELETE_ON_CLOSE", "smb2.mode.file_delete_on_close", FT_UINT32
, BASE_HEX
,
12537 NULL
, 0x1000, NULL
, HFILL
}
12540 { &hf_smb2_alignment_information
,
12541 { "Alignment Information", "smb2.alignment_info", FT_UINT32
, BASE_HEX
,
12542 VALS(smb2_alignment_vals
), 0, "File alignment", HFILL
}
12546 { "Class", "smb2.class", FT_UINT8
, BASE_HEX
,
12547 VALS(smb2_class_vals
), 0, "Info class", HFILL
}
12550 { &hf_smb2_infolevel
,
12551 { "InfoLevel", "smb2.infolevel", FT_UINT8
, BASE_HEX
,
12552 NULL
, 0, NULL
, HFILL
}
12555 { &hf_smb2_infolevel_file_info
,
12556 { "InfoLevel", "smb2.file_info.infolevel", FT_UINT8
, BASE_HEX
| BASE_EXT_STRING
,
12557 &smb2_file_info_levels_ext
, 0, "File_Info Infolevel", HFILL
}
12560 { &hf_smb2_infolevel_fs_info
,
12561 { "InfoLevel", "smb2.fs_info.infolevel", FT_UINT8
, BASE_HEX
| BASE_EXT_STRING
,
12562 &smb2_fs_info_levels_ext
, 0, "Fs_Info Infolevel", HFILL
}
12565 { &hf_smb2_infolevel_sec_info
,
12566 { "InfoLevel", "smb2.sec_info.infolevel", FT_UINT8
, BASE_HEX
| BASE_EXT_STRING
,
12567 &smb2_sec_info_levels_ext
, 0, "Sec_Info Infolevel", HFILL
}
12570 { &hf_smb2_write_length
,
12571 { "Write Length", "smb2.write_length", FT_UINT32
, BASE_DEC
,
12572 NULL
, 0, "Amount of data to write", HFILL
}
12575 { &hf_smb2_read_blob
,
12576 { "Info", "smb2.read.blob", FT_BYTES
, BASE_NONE
,
12577 NULL
, 0, "Read Blob", HFILL
}
12580 { &hf_smb2_read_length
,
12581 { "Read Length", "smb2.read_length", FT_UINT32
, BASE_DEC
,
12582 NULL
, 0, "Amount of data to read", HFILL
}
12585 { &hf_smb2_read_remaining
,
12586 { "Read Remaining", "smb2.read_remaining", FT_UINT32
, BASE_DEC
,
12587 NULL
, 0, NULL
, HFILL
}
12590 { &hf_smb2_read_padding
,
12591 { "Padding", "smb2.read_padding", FT_UINT8
, BASE_HEX
,
12592 NULL
, 0, NULL
, HFILL
}
12595 { &hf_smb2_read_flags
,
12596 { "Flags", "smb2.read_flags", FT_UINT8
, BASE_HEX
,
12597 NULL
, 0, NULL
, HFILL
}
12600 { &hf_smb2_read_flags_unbuffered
,
12601 { "Unbuffered", "smb2.read_flags.unbuffered", FT_BOOLEAN
, 8,
12602 TFS(&tfs_read_unbuffered
), SMB2_READFLAG_READ_UNBUFFERED
, "If client requests unbuffered read", HFILL
}
12605 { &hf_smb2_read_flags_compressed
,
12606 { "Compressed", "smb2.read_flags.compressed", FT_BOOLEAN
, 8,
12607 TFS(&tfs_read_compressed
), SMB2_READFLAG_READ_COMPRESSED
, "If client requests compressed response", HFILL
}
12610 { &hf_smb2_create_flags
,
12611 { "Create Flags", "smb2.create_flags", FT_UINT64
, BASE_HEX
,
12612 NULL
, 0, NULL
, HFILL
}
12615 { &hf_smb2_file_offset
,
12616 { "File Offset", "smb2.file_offset", FT_UINT64
, BASE_DEC
,
12617 NULL
, 0, NULL
, HFILL
}
12620 { &hf_smb2_fsctl_range_offset
,
12621 { "File Offset", "smb2.fsctl.range_offset", FT_UINT64
, BASE_DEC
,
12622 NULL
, 0, NULL
, HFILL
}
12625 { &hf_smb2_fsctl_range_length
,
12626 { "Length", "smb2.fsctl.range_length", FT_UINT64
, BASE_DEC
,
12627 NULL
, 0, NULL
, HFILL
}
12630 { &hf_smb2_qfr_length
,
12631 { "Length", "smb2.qfr_length", FT_UINT64
, BASE_DEC
,
12632 NULL
, 0, NULL
, HFILL
}
12635 { &hf_smb2_qfr_usage
,
12636 { "Desired Usage", "smb2.qfr_usage", FT_UINT32
, BASE_HEX
,
12637 VALS(file_region_usage_vals
), 0, NULL
, HFILL
}
12640 { &hf_smb2_qfr_flags
,
12641 { "Flags", "smb2.qfr_flags", FT_UINT32
, BASE_HEX
,
12642 NULL
, 0, NULL
, HFILL
}
12645 { &hf_smb2_qfr_total_region_entry_count
,
12646 { "Total Region Entry Count", "smb2.qfr_tot_region_entry_count", FT_UINT32
, BASE_HEX
,
12647 NULL
, 0, NULL
, HFILL
}
12650 { &hf_smb2_qfr_region_entry_count
,
12651 { "Region Entry Count", "smb2.qfr_region_entry_count", FT_UINT32
, BASE_HEX
,
12652 NULL
, 0, NULL
, HFILL
}
12655 { &hf_smb2_security_blob
,
12656 { "Security Blob", "smb2.security_blob", FT_BYTES
, BASE_NONE
,
12657 NULL
, 0, NULL
, HFILL
}
12660 { &hf_smb2_ioctl_out_data
,
12661 { "Out Data", "smb2.ioctl.out", FT_NONE
, BASE_NONE
,
12662 NULL
, 0, "Ioctl Out", HFILL
}
12665 { &hf_smb2_ioctl_in_data
,
12666 { "In Data", "smb2.ioctl.in", FT_NONE
, BASE_NONE
,
12667 NULL
, 0, "Ioctl In", HFILL
}
12670 { &hf_smb2_server_guid
,
12671 { "Server Guid", "smb2.server_guid", FT_GUID
, BASE_NONE
,
12672 NULL
, 0, NULL
, HFILL
}
12675 { &hf_smb2_client_guid
,
12676 { "Client Guid", "smb2.client_guid", FT_GUID
, BASE_NONE
,
12677 NULL
, 0, NULL
, HFILL
}
12680 { &hf_smb2_object_id
,
12681 { "ObjectId", "smb2.object_id", FT_GUID
, BASE_NONE
,
12682 NULL
, 0, "ObjectID for this FID", HFILL
}
12685 { &hf_smb2_birth_volume_id
,
12686 { "BirthVolumeId", "smb2.birth_volume_id", FT_GUID
, BASE_NONE
,
12687 NULL
, 0, "ObjectID for the volume where this FID was originally created", HFILL
}
12690 { &hf_smb2_birth_object_id
,
12691 { "BirthObjectId", "smb2.birth_object_id", FT_GUID
, BASE_NONE
,
12692 NULL
, 0, "ObjectID for this FID when it was originally created", HFILL
}
12695 { &hf_smb2_domain_id
,
12696 { "DomainId", "smb2.domain_id", FT_GUID
, BASE_NONE
,
12697 NULL
, 0, NULL
, HFILL
}
12700 { &hf_smb2_create_timestamp
,
12701 { "Create", "smb2.create.time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
12702 NULL
, 0, "Time when this object was created", HFILL
}
12706 { "File Id", "smb2.fid", FT_GUID
, BASE_NONE
,
12707 NULL
, 0, "SMB2 File Id", HFILL
}
12710 { &hf_smb2_write_data
,
12711 { "Write Data", "smb2.write_data", FT_BYTES
, BASE_NONE
,
12712 NULL
, 0, "SMB2 Data to be written", HFILL
}
12715 { &hf_smb2_write_flags
,
12716 { "Write Flags", "smb2.write.flags", FT_UINT32
, BASE_HEX
,
12717 NULL
, 0, NULL
, HFILL
}
12720 { &hf_smb2_write_flags_write_through
,
12721 { "Write through", "smb2.write.flags.write_through", FT_BOOLEAN
, 32,
12722 TFS(&tfs_write_through
), SMB2_WRITE_FLAG_WRITE_THROUGH
, "If the client requests WRITE_THROUGH", HFILL
}
12725 { &hf_smb2_write_flags_write_unbuffered
,
12726 { "Unbuffered", "smb2.write.flags.unbuffered", FT_BOOLEAN
, 32,
12727 TFS(&tfs_write_unbuffered
), SMB2_WRITE_FLAG_WRITE_UNBUFFERED
, "If client requests UNBUFFERED read", HFILL
}
12730 { &hf_smb2_write_count
,
12731 { "Write Count", "smb2.write.count", FT_UINT32
, BASE_DEC
,
12732 NULL
, 0, NULL
, HFILL
}
12735 { &hf_smb2_write_remaining
,
12736 { "Write Remaining", "smb2.write.remaining", FT_UINT32
, BASE_DEC
,
12737 NULL
, 0, NULL
, HFILL
}
12740 { &hf_smb2_read_data
,
12741 { "Read Data", "smb2.read_data", FT_BYTES
, BASE_NONE
,
12742 NULL
, 0, "SMB2 Data that is read", HFILL
}
12745 { &hf_smb2_last_access_timestamp
,
12746 { "Last Access", "smb2.last_access.time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
12747 NULL
, 0, "Time when this object was last accessed", HFILL
}
12750 { &hf_smb2_last_write_timestamp
,
12751 { "Last Write", "smb2.last_write.time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
12752 NULL
, 0, "Time when this object was last written to", HFILL
}
12755 { &hf_smb2_last_change_timestamp
,
12756 { "Last Change", "smb2.last_change.time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
12757 NULL
, 0, "Time when this object was last changed", HFILL
}
12760 { &hf_smb2_file_all_info
,
12761 { "SMB2_FILE_ALL_INFO", "smb2.file_all_info", FT_NONE
, BASE_NONE
,
12762 NULL
, 0, NULL
, HFILL
}
12765 { &hf_smb2_file_allocation_info
,
12766 { "SMB2_FILE_ALLOCATION_INFO", "smb2.file_allocation_info", FT_NONE
, BASE_NONE
,
12767 NULL
, 0, NULL
, HFILL
}
12770 { &hf_smb2_file_endoffile_info
,
12771 { "SMB2_FILE_ENDOFFILE_INFO", "smb2.file_endoffile_info", FT_NONE
, BASE_NONE
,
12772 NULL
, 0, NULL
, HFILL
}
12775 { &hf_smb2_good_signature
,
12776 { "Good signature", "smb2.good_signature", FT_NONE
, BASE_NONE
,
12777 NULL
, 0, NULL
, HFILL
}
12780 { &hf_smb2_bad_signature
,
12781 { "Bad signature. Should be", "smb2.bad_signature", FT_NONE
, BASE_NONE
,
12782 NULL
, 0, NULL
, HFILL
}
12785 { &hf_smb2_file_alternate_name_info
,
12786 { "SMB2_FILE_ALTERNATE_NAME_INFO", "smb2.file_alternate_name_info", FT_NONE
, BASE_NONE
,
12787 NULL
, 0, NULL
, HFILL
}
12790 { &hf_smb2_file_normalized_name_info
,
12791 { "SMB2_FILE_NORMALIZED_NAME_INFO", "smb2.file_normalized_name_info", FT_NONE
, BASE_NONE
,
12792 NULL
, 0, NULL
, HFILL
}
12795 { &hf_smb2_file_stream_info
,
12796 { "SMB2_FILE_STREAM_INFO", "smb2.file_stream_info", FT_NONE
, BASE_NONE
,
12797 NULL
, 0, NULL
, HFILL
}
12800 { &hf_smb2_file_pipe_info
,
12801 { "SMB2_FILE_PIPE_INFO", "smb2.file_pipe_info", FT_NONE
, BASE_NONE
,
12802 NULL
, 0, NULL
, HFILL
}
12805 { &hf_smb2_file_compression_info
,
12806 { "SMB2_FILE_COMPRESSION_INFO", "smb2.file_compression_info", FT_NONE
, BASE_NONE
,
12807 NULL
, 0, NULL
, HFILL
}
12810 { &hf_smb2_file_basic_info
,
12811 { "SMB2_FILE_BASIC_INFO", "smb2.file_basic_info", FT_NONE
, BASE_NONE
,
12812 NULL
, 0, NULL
, HFILL
}
12815 { &hf_smb2_file_standard_info
,
12816 { "SMB2_FILE_STANDARD_INFO", "smb2.file_standard_info", FT_NONE
, BASE_NONE
,
12817 NULL
, 0, NULL
, HFILL
}
12820 { &hf_smb2_file_internal_info
,
12821 { "SMB2_FILE_INTERNAL_INFO", "smb2.file_internal_info", FT_NONE
, BASE_NONE
,
12822 NULL
, 0, NULL
, HFILL
}
12825 { &hf_smb2_file_mode_info
,
12826 { "SMB2_FILE_MODE_INFO", "smb2.file_mode_info", FT_NONE
, BASE_NONE
,
12827 NULL
, 0, NULL
, HFILL
}
12830 { &hf_smb2_file_alignment_info
,
12831 { "SMB2_FILE_ALIGNMENT_INFO", "smb2.file_alignment_info", FT_NONE
, BASE_NONE
,
12832 NULL
, 0, NULL
, HFILL
}
12835 { &hf_smb2_file_position_info
,
12836 { "SMB2_FILE_POSITION_INFO", "smb2.file_position_info", FT_NONE
, BASE_NONE
,
12837 NULL
, 0, NULL
, HFILL
}
12840 { &hf_smb2_file_access_info
,
12841 { "SMB2_FILE_ACCESS_INFO", "smb2.file_access_info", FT_NONE
, BASE_NONE
,
12842 NULL
, 0, NULL
, HFILL
}
12845 { &hf_smb2_file_ea_info
,
12846 { "SMB2_FILE_EA_INFO", "smb2.file_ea_info", FT_NONE
, BASE_NONE
,
12847 NULL
, 0, NULL
, HFILL
}
12850 { &hf_smb2_file_network_open_info
,
12851 { "SMB2_FILE_NETWORK_OPEN_INFO", "smb2.file_network_open_info", FT_NONE
, BASE_NONE
,
12852 NULL
, 0, NULL
, HFILL
}
12855 { &hf_smb2_file_attribute_tag_info
,
12856 { "SMB2_FILE_ATTRIBUTE_TAG_INFO", "smb2.file_attribute_tag_info", FT_NONE
, BASE_NONE
,
12857 NULL
, 0, NULL
, HFILL
}
12860 { &hf_smb2_file_disposition_info
,
12861 { "SMB2_FILE_DISPOSITION_INFO", "smb2.file_disposition_info", FT_NONE
, BASE_NONE
,
12862 NULL
, 0, NULL
, HFILL
}
12865 { &hf_smb2_file_full_ea_info
,
12866 { "SMB2_FILE_FULL_EA_INFO", "smb2.file_full_ea_info", FT_NONE
, BASE_NONE
,
12867 NULL
, 0, NULL
, HFILL
}
12870 { &hf_smb2_file_rename_info
,
12871 { "SMB2_FILE_RENAME_INFO", "smb2.file_rename_info", FT_NONE
, BASE_NONE
,
12872 NULL
, 0, NULL
, HFILL
}
12875 { &hf_smb2_file_link_info
,
12876 { "SMB2_FILE_LINK_INFO", "smb2.file_link_info", FT_NONE
, BASE_NONE
,
12877 NULL
, 0, NULL
, HFILL
}
12880 { &hf_smb2_fs_info_01
,
12881 { "FileFsVolumeInformation", "smb2.fs_volume_info", FT_NONE
, BASE_NONE
,
12882 NULL
, 0, NULL
, HFILL
}
12885 { &hf_smb2_fs_info_03
,
12886 { "FileFsSizeInformation", "smb2.fs_size_info", FT_NONE
, BASE_NONE
,
12887 NULL
, 0, NULL
, HFILL
}
12890 { &hf_smb2_fs_info_04
,
12891 { "FileFsDeviceInformation", "smb2.fs_device_info", FT_NONE
, BASE_NONE
,
12892 NULL
, 0, NULL
, HFILL
}
12895 { &hf_smb2_fs_info_05
,
12896 { "FileFsAttributeInformation", "smb2.fs_attribute_info", FT_NONE
, BASE_NONE
,
12897 NULL
, 0, NULL
, HFILL
}
12900 { &hf_smb2_fs_info_06
,
12901 { "FileFsControlInformation", "smb2.fs_control_info", FT_NONE
, BASE_NONE
,
12902 NULL
, 0, NULL
, HFILL
}
12905 { &hf_smb2_fs_info_07
,
12906 { "FileFsFullSizeInformation", "smb2.fs_full_size_info", FT_NONE
, BASE_NONE
,
12907 NULL
, 0, NULL
, HFILL
}
12910 { &hf_smb2_fs_objectid_info
,
12911 { "FileFsObjectIdInformation", "smb2.fs_objectid_info", FT_NONE
, BASE_NONE
,
12912 NULL
, 0, NULL
, HFILL
}
12915 { &hf_smb2_fs_posix_info
,
12916 { "FileFsPOSIXInformation", "smb2.fs_posix_info", FT_NONE
, BASE_NONE
,
12917 NULL
, 0, NULL
, HFILL
}
12920 { &hf_smb2_fs_posix_optimal_transfer_size
,
12921 { "Optimal Transfer Size", "smb2.fs_posix_optimal_transfer_size", FT_UINT32
, BASE_DEC
,
12922 NULL
, 0, NULL
, HFILL
}
12925 { &hf_smb2_fs_posix_block_size
,
12926 { "Block Size", "smb2.fs_posix_block_size", FT_UINT32
, BASE_DEC
,
12927 NULL
, 0, NULL
, HFILL
}
12930 { &hf_smb2_fs_posix_total_blocks
,
12931 { "Total Blocks", "smb2.fs_posix_total_blocks", FT_UINT64
, BASE_DEC
,
12932 NULL
, 0, NULL
, HFILL
}
12935 { &hf_smb2_fs_posix_blocks_available
,
12936 { "Blocks Available", "smb2.fs_posix_blocks_available", FT_UINT64
, BASE_DEC
,
12937 NULL
, 0, NULL
, HFILL
}
12940 { &hf_smb2_fs_posix_user_blocks_available
,
12941 { "User Blocks Available", "smb2.fs_posix_user_blocks_available", FT_UINT64
, BASE_DEC
,
12942 NULL
, 0, NULL
, HFILL
}
12945 { &hf_smb2_fs_posix_total_file_nodes
,
12946 { "Total File Nodes", "smb2.fs_posix_total_file_nodes", FT_UINT64
, BASE_DEC
,
12947 NULL
, 0, NULL
, HFILL
}
12950 { &hf_smb2_fs_posix_free_file_nodes
,
12951 { "Free File Nodes", "smb2.fs_posix_free_file_nodes", FT_UINT64
, BASE_DEC
,
12952 NULL
, 0, NULL
, HFILL
}
12955 { &hf_smb2_fs_posix_fs_identifier
,
12956 { "Fs-Identifier", "smb2.fs_posix_fs_identifier", FT_UINT64
, BASE_HEX
,
12957 NULL
, 0, NULL
, HFILL
}
12960 { &hf_smb2_sec_info_00
,
12961 { "SMB2_SEC_INFO_00", "smb2.sec_info_00", FT_NONE
, BASE_NONE
,
12962 NULL
, 0, NULL
, HFILL
}
12965 { &hf_smb2_quota_info
,
12966 { "SMB2_QUOTA_INFO", "smb2.quota_info", FT_NONE
, BASE_NONE
,
12967 NULL
, 0, NULL
, HFILL
}
12970 { &hf_smb2_query_quota_info
,
12971 { "SMB2_QUERY_QUOTA_INFO", "smb2.query_quota_info", FT_NONE
, BASE_NONE
,
12972 NULL
, 0, NULL
, HFILL
}
12975 { &hf_smb2_qq_single
,
12976 { "ReturnSingle", "smb2.query_quota_info.single", FT_BOOLEAN
, 8,
12977 NULL
, 0xff, NULL
, HFILL
}
12980 { &hf_smb2_qq_restart
,
12981 { "RestartScan", "smb2.query_quota_info.restart", FT_BOOLEAN
, 8,
12982 NULL
, 0xff, NULL
, HFILL
}
12985 { &hf_smb2_qq_sidlist_len
,
12986 { "SidListLength", "smb2.query_quota_info.sidlistlen", FT_UINT32
, BASE_DEC
,
12987 NULL
, 0, NULL
, HFILL
}
12990 { &hf_smb2_qq_start_sid_len
,
12991 { "StartSidLength", "smb2.query_quota_info.startsidlen", FT_UINT32
, BASE_DEC
,
12992 NULL
, 0, NULL
, HFILL
}
12995 { &hf_smb2_qq_start_sid_offset
,
12996 { "StartSidOffset", "smb2.query_quota_info.startsidoffset", FT_UINT32
, BASE_DEC
,
12997 NULL
, 0, NULL
, HFILL
}
13000 { &hf_smb2_disposition_delete_on_close
,
13001 { "Delete on close", "smb2.disposition.delete_on_close", FT_BOOLEAN
, 8,
13002 TFS(&tfs_disposition_delete_on_close
), 0x01, NULL
, HFILL
}
13006 { &hf_smb2_create_disposition
,
13007 { "Disposition", "smb2.create.disposition", FT_UINT32
, BASE_DEC
,
13008 VALS(create_disposition_vals
), 0, "Create disposition, what to do if the file does/does not exist", HFILL
}
13011 { &hf_smb2_create_action
,
13012 { "Create Action", "smb2.create.action", FT_UINT32
, BASE_DEC
,
13013 VALS(oa_open_vals
), 0, NULL
, HFILL
}
13016 { &hf_smb2_create_rep_flags
,
13017 { "Response Flags", "smb2.create.rep_flags", FT_UINT8
, BASE_HEX
,
13018 NULL
, 0, NULL
, HFILL
}
13021 { &hf_smb2_create_rep_flags_reparse_point
,
13022 { "ReparsePoint", "smb2.create.rep_flags.reparse_point", FT_BOOLEAN
, 8,
13023 NULL
, SMB2_CREATE_REP_FLAGS_REPARSE_POINT
, NULL
, HFILL
}
13026 { &hf_smb2_extrainfo
,
13027 { "ExtraInfo", "smb2.create.extrainfo", FT_NONE
, BASE_NONE
,
13028 NULL
, 0, "Create ExtraInfo", HFILL
}
13031 { &hf_smb2_create_chain_offset
,
13032 { "Chain Offset", "smb2.create.chain_offset", FT_UINT32
, BASE_HEX
,
13033 NULL
, 0, "Offset to next entry in chain or 0", HFILL
}
13036 { &hf_smb2_create_chain_data
,
13037 { "Data", "smb2.create.chain_data", FT_NONE
, BASE_NONE
,
13038 NULL
, 0, "Chain Data", HFILL
}
13041 { &hf_smb2_FILE_OBJECTID_BUFFER
,
13042 { "FILE_OBJECTID_BUFFER", "smb2.FILE_OBJECTID_BUFFER", FT_NONE
, BASE_NONE
,
13043 NULL
, 0, NULL
, HFILL
}
13046 { &hf_smb2_lease_key
,
13047 { "Lease Key", "smb2.lease.lease_key", FT_GUID
, BASE_NONE
,
13048 NULL
, 0, NULL
, HFILL
}
13051 { &hf_smb2_lease_state
,
13052 { "Lease State", "smb2.lease.lease_state", FT_UINT32
, BASE_HEX
,
13053 NULL
, 0, NULL
, HFILL
}
13056 { &hf_smb2_lease_state_read_caching
,
13057 { "Read Caching", "smb2.lease.lease_state.read_caching", FT_BOOLEAN
, 32,
13058 NULL
, SMB2_LEASE_STATE_READ_CACHING
, NULL
, HFILL
}
13061 { &hf_smb2_lease_state_handle_caching
,
13062 { "Handle Caching", "smb2.lease.lease_state.handle_caching", FT_BOOLEAN
, 32,
13063 NULL
, SMB2_LEASE_STATE_HANDLE_CACHING
, NULL
, HFILL
}
13066 { &hf_smb2_lease_state_write_caching
,
13067 { "Write Caching", "smb2.lease.lease_state.write_caching", FT_BOOLEAN
, 32,
13068 NULL
, SMB2_LEASE_STATE_WRITE_CACHING
, NULL
, HFILL
}
13071 { &hf_smb2_lease_flags
,
13072 { "Lease Flags", "smb2.lease.lease_flags", FT_UINT32
, BASE_HEX
,
13073 NULL
, 0, NULL
, HFILL
}
13076 { &hf_smb2_lease_flags_break_ack_required
,
13077 { "Break Ack Required", "smb2.lease.lease_state.break_ack_required", FT_BOOLEAN
, 32,
13078 NULL
, SMB2_LEASE_FLAGS_BREAK_ACK_REQUIRED
, NULL
, HFILL
}
13081 { &hf_smb2_lease_flags_break_in_progress
,
13082 { "Break In Progress", "smb2.lease.lease_state.break_in_progress", FT_BOOLEAN
, 32,
13083 NULL
, SMB2_LEASE_FLAGS_BREAK_IN_PROGRESS
, NULL
, HFILL
}
13086 { &hf_smb2_lease_flags_parent_lease_key_set
,
13087 { "Parent Lease Key Set", "smb2.lease.lease_state.parent_lease_key_set", FT_BOOLEAN
, 32,
13088 NULL
, SMB2_LEASE_FLAGS_PARENT_LEASE_KEY_SET
, NULL
, HFILL
}
13091 { &hf_smb2_lease_duration
,
13092 { "Lease Duration", "smb2.lease.lease_duration", FT_UINT64
, BASE_HEX
,
13093 NULL
, 0, NULL
, HFILL
}
13096 { &hf_smb2_parent_lease_key
,
13097 { "Parent Lease Key", "smb2.lease.parent_lease_key", FT_GUID
, BASE_NONE
,
13098 NULL
, 0, NULL
, HFILL
}
13101 { &hf_smb2_lease_epoch
,
13102 { "Lease Epoch", "smb2.lease.lease_oplock", FT_UINT16
, BASE_HEX
,
13103 NULL
, 0, NULL
, HFILL
}
13106 { &hf_smb2_lease_reserved
,
13107 { "Lease Reserved", "smb2.lease.lease_reserved", FT_UINT16
, BASE_HEX
,
13108 NULL
, 0, NULL
, HFILL
}
13111 { &hf_smb2_lease_break_reason
,
13112 { "Lease Break Reason", "smb2.lease.lease_break_reason", FT_UINT32
, BASE_HEX
,
13113 NULL
, 0, NULL
, HFILL
}
13116 { &hf_smb2_lease_access_mask_hint
,
13117 { "Access Mask Hint", "smb2.lease.access_mask_hint", FT_UINT32
, BASE_HEX
,
13118 NULL
, 0, NULL
, HFILL
}
13121 { &hf_smb2_lease_share_mask_hint
,
13122 { "Share Mask Hint", "smb2.lease.share_mask_hint", FT_UINT32
, BASE_HEX
,
13123 NULL
, 0, NULL
, HFILL
}
13126 { &hf_smb2_next_offset
,
13127 { "Next Offset", "smb2.next_offset", FT_UINT32
, BASE_DEC
,
13128 NULL
, 0, "Offset to next buffer or 0", HFILL
}
13131 { &hf_smb2_negotiate_context_type
,
13132 { "Type", "smb2.negotiate_context.type", FT_UINT16
, BASE_HEX
,
13133 VALS(smb2_negotiate_context_types
), 0, NULL
, HFILL
}
13136 { &hf_smb2_negotiate_context_data_length
,
13137 { "DataLength", "smb2.negotiate_context.data_length", FT_UINT16
, BASE_DEC
,
13138 NULL
, 0, NULL
, HFILL
}
13141 { &hf_smb2_negotiate_context_offset
,
13142 { "NegotiateContextOffset", "smb2.negotiate_context.offset", FT_UINT32
, BASE_HEX
,
13143 NULL
, 0, NULL
, HFILL
}
13146 { &hf_smb2_negotiate_context_reserved2
,
13147 { "Reserved2", "smb2.negotiate_context.reserved2", FT_UINT32
, BASE_HEX
,
13148 NULL
, 0, NULL
, HFILL
}
13151 { &hf_smb2_negotiate_context_count
,
13152 { "NegotiateContextCount", "smb2.negotiate_context.count", FT_UINT16
, BASE_DEC
,
13153 NULL
, 0, NULL
, HFILL
}
13156 { &hf_smb2_negotiate_context_reserved
,
13157 { "Reserved", "smb2.negotiate_context.reserved", FT_UINT16
, BASE_DEC
,
13158 NULL
, 0, NULL
, HFILL
}
13161 { &hf_smb2_hash_alg_count
,
13162 { "HashAlgorithmCount", "smb2.negotiate_context.hash_alg_count", FT_UINT16
, BASE_DEC
,
13163 NULL
, 0, NULL
, HFILL
}},
13165 { &hf_smb2_hash_algorithm
,
13166 { "HashAlgorithm", "smb2.negotiate_context.hash_algorithm", FT_UINT16
, BASE_HEX
,
13167 VALS(smb2_hash_algorithm_types
), 0, NULL
, HFILL
}},
13169 { &hf_smb2_salt_length
,
13170 { "SaltLength", "smb2.negotiate_context.salt_length", FT_UINT16
, BASE_DEC
,
13171 NULL
, 0, NULL
, HFILL
}},
13174 { "Salt", "smb2.negotiate_context.salt", FT_BYTES
, BASE_NONE
,
13175 NULL
, 0, NULL
, HFILL
}},
13177 { &hf_smb2_signing_alg_count
,
13178 { "SigningAlgorithmCount", "smb2.negotiate_context.signing_alg_count", FT_UINT16
, BASE_DEC
,
13179 NULL
, 0, NULL
, HFILL
}},
13181 { &hf_smb2_signing_alg_id
,
13182 { "SigningAlgorithmId", "smb2.negotiate_context.signing_id", FT_UINT16
, BASE_HEX
,
13183 VALS(smb2_signing_alg_types
), 0, NULL
, HFILL
}},
13185 { &hf_smb2_cipher_count
,
13186 { "CipherCount", "smb2.negotiate_context.cipher_count", FT_UINT16
, BASE_DEC
,
13187 NULL
, 0, NULL
, HFILL
}},
13189 { &hf_smb2_cipher_id
,
13190 { "CipherId", "smb2.negotiate_context.cipher_id", FT_UINT16
, BASE_HEX
,
13191 VALS(smb2_cipher_types
), 0, NULL
, HFILL
}},
13193 { &hf_smb2_posix_reserved
,
13194 { "POSIX Reserved", "smb2.negotiate_context.posix_reserved", FT_BYTES
, BASE_NONE
,
13195 NULL
, 0, NULL
, HFILL
}
13199 { "Device", "smb2.dev", FT_UINT32
, BASE_HEX
,
13200 NULL
, 0, NULL
, HFILL
}
13204 { "Inode", "smb2.inode", FT_UINT64
, BASE_HEX
,
13205 NULL
, 0, NULL
, HFILL
}
13208 { &hf_smb2_comp_alg_count
,
13209 { "CompressionAlgorithmCount", "smb2.negotiate_context.comp_alg_count", FT_UINT16
, BASE_DEC
,
13210 NULL
, 0, NULL
, HFILL
}},
13212 { &hf_smb2_comp_alg_id
,
13213 { "CompressionAlgorithmId", "smb2.negotiate_context.comp_alg_id", FT_UINT16
, BASE_HEX
,
13214 VALS(smb2_comp_alg_types
), 0, NULL
, HFILL
}},
13216 { &hf_smb2_comp_alg_flags
,
13217 { "Flags", "smb2.negotiate_context.comp_alg_flags", FT_UINT32
, BASE_HEX
,
13218 NULL
, 0, NULL
, HFILL
}
13221 { &hf_smb2_comp_alg_flags_chained
,
13222 { "Chained", "smb2.negotiate_context.comp_alg_flags.chained", FT_BOOLEAN
, 32,
13223 NULL
, SMB2_COMP_ALG_FLAGS_CHAINED
, "Chained compression is supported on this connection", HFILL
}
13226 { &hf_smb2_comp_alg_flags_reserved
,
13227 { "Reserved", "smb2.negotiate_context.comp_alg_flags.reserved", FT_UINT32
, BASE_HEX
,
13228 NULL
, 0xFFFFFFFE, "Must be zero", HFILL
}
13231 { &hf_smb2_netname_neg_id
,
13232 { "Netname", "smb2.negotiate_context.netname", FT_STRING
,
13233 BASE_NONE
, NULL
, 0x0, NULL
, HFILL
}
13236 { &hf_smb2_transport_ctx_flags
,
13237 { "Flags", "smb2.negotiate_context.transport_flags", FT_UINT32
, BASE_HEX
,
13238 VALS(smb2_transport_ctx_flags_vals
), 0, NULL
, HFILL
}
13241 { &hf_smb2_rdma_transform_count
,
13242 { "TransformCount", "smb2.negotiate_context.rdma_transform_count", FT_UINT16
, BASE_DEC
,
13243 NULL
, 0, NULL
, HFILL
}
13246 { &hf_smb2_rdma_transform_reserved1
,
13247 { "Reserved1", "smb2.negotiate_context.rdma_transform_reserved1", FT_UINT16
, BASE_HEX
,
13248 NULL
, 0, NULL
, HFILL
}
13251 { &hf_smb2_rdma_transform_reserved2
,
13252 { "Reserved2", "smb2.negotiate_context.rdma_transform_reserved2", FT_UINT32
, BASE_HEX
,
13253 NULL
, 0, NULL
, HFILL
}
13256 { &hf_smb2_rdma_transform_id
,
13257 { "RDMATransformId", "smb2.negotiate_context.rdma_transform_id", FT_UINT16
, BASE_HEX
,
13258 VALS(smb2_rdma_transform_types
), 0, NULL
, HFILL
}
13261 { &hf_smb2_current_time
,
13262 { "Current Time", "smb2.current_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
13263 NULL
, 0, "Current Time at server", HFILL
}
13266 { &hf_smb2_boot_time
,
13267 { "Boot Time", "smb2.boot_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
13268 NULL
, 0, "Boot Time at server", HFILL
}
13271 { &hf_smb2_ea_flags
,
13272 { "EA Flags", "smb2.ea.flags", FT_UINT8
, BASE_HEX
,
13273 VALS(file_full_ea_information_flags
), 0, NULL
, HFILL
}
13276 { &hf_smb2_ea_name_len
,
13277 { "EA Name Length", "smb2.ea.name_len", FT_UINT8
, BASE_DEC
,
13278 NULL
, 0, NULL
, HFILL
}
13281 { &hf_smb2_ea_data_len
,
13282 { "EA Data Length", "smb2.ea.data_len", FT_UINT16
, BASE_DEC
,
13283 NULL
, 0, NULL
, HFILL
}
13286 { &hf_smb2_delete_pending
,
13287 { "Delete Pending", "smb2.delete_pending", FT_UINT8
, BASE_DEC
,
13288 NULL
, 0, NULL
, HFILL
}
13291 { &hf_smb2_is_directory
,
13292 { "Is Directory", "smb2.is_directory", FT_UINT8
, BASE_DEC
,
13293 NULL
, 0, "Is this a directory?", HFILL
}
13297 { "Oplock", "smb2.create.oplock", FT_UINT8
, BASE_HEX
,
13298 VALS(oplock_vals
), 0, "Oplock type", HFILL
}
13301 { &hf_smb2_close_flags
,
13302 { "Close Flags", "smb2.close.flags", FT_UINT16
, BASE_HEX
,
13303 NULL
, 0, NULL
, HFILL
}
13306 { &hf_smb2_notify_flags
,
13307 { "Notify Flags", "smb2.notify.flags", FT_UINT16
, BASE_HEX
,
13308 NULL
, 0, NULL
, HFILL
}
13311 { &hf_smb2_buffer_code
,
13312 { "StructureSize", "smb2.buffer_code", FT_UINT16
, BASE_HEX
,
13313 NULL
, 0, NULL
, HFILL
}
13316 { &hf_smb2_buffer_code_len
,
13317 { "Fixed Part Length", "smb2.buffer_code.length", FT_UINT16
, BASE_DEC
,
13318 NULL
, 0xFFFE, "Length of fixed portion of PDU", HFILL
}
13321 { &hf_smb2_olb_length
,
13322 { "Blob Length", "smb2.olb.length", FT_UINT32
, BASE_DEC
,
13323 NULL
, 0, "Length of the buffer", HFILL
}
13326 { &hf_smb2_olb_offset
,
13327 { "Blob Offset", "smb2.olb.offset", FT_UINT32
, BASE_HEX
,
13328 NULL
, 0, "Offset to the buffer", HFILL
}
13331 { &hf_smb2_buffer_code_flags_dyn
,
13332 { "Dynamic Part", "smb2.buffer_code.dynamic", FT_BOOLEAN
, 16,
13333 NULL
, 0x0001, "Whether a dynamic length blob follows", HFILL
}
13336 { &hf_smb2_ea_data
,
13337 { "EA Data", "smb2.ea.data", FT_BYTES
, BASE_NONE
|BASE_SHOW_ASCII_PRINTABLE
,
13338 NULL
, 0, NULL
, HFILL
}
13341 { &hf_smb2_ea_name
,
13342 { "EA Name", "smb2.ea.name", FT_STRING
, BASE_NONE
,
13343 NULL
, 0, NULL
, HFILL
}
13346 { &hf_smb2_impersonation_level
,
13347 { "Impersonation level", "smb2.impersonation.level", FT_UINT32
, BASE_DEC
,
13348 VALS(impersonation_level_vals
), 0, NULL
, HFILL
}
13351 { &hf_smb2_ioctl_function
,
13352 { "Function", "smb2.ioctl.function", FT_UINT32
, BASE_HEX
| BASE_EXT_STRING
,
13353 &smb2_ioctl_vals_ext
, 0, "Ioctl function", HFILL
}
13356 { &hf_smb2_ioctl_function_device
,
13357 { "Device", "smb2.ioctl.function.device", FT_UINT32
, BASE_HEX
| BASE_EXT_STRING
,
13358 &smb2_ioctl_device_vals_ext
, 0xffff0000, "Device for Ioctl", HFILL
}
13361 { &hf_smb2_ioctl_function_access
,
13362 { "Access", "smb2.ioctl.function.access", FT_UINT32
, BASE_HEX
,
13363 VALS(smb2_ioctl_access_vals
), 0x0000c000, "Access for Ioctl", HFILL
}
13366 { &hf_smb2_ioctl_function_function
,
13367 { "Function", "smb2.ioctl.function.function", FT_UINT32
, BASE_HEX
,
13368 NULL
, 0x00003ffc, "Function for Ioctl", HFILL
}
13371 { &hf_smb2_ioctl_function_method
,
13372 { "Method", "smb2.ioctl.function.method", FT_UINT32
, BASE_HEX
,
13373 VALS(smb2_ioctl_method_vals
), 0x00000003, "Method for Ioctl", HFILL
}
13376 { &hf_smb2_fsctl_pipe_wait_timeout
,
13377 { "Timeout", "smb2.fsctl.wait.timeout", FT_INT64
, BASE_DEC
,
13378 NULL
, 0, "Wait timeout", HFILL
}
13381 { &hf_smb2_fsctl_pipe_wait_name
,
13382 { "Name", "smb2.fsctl.wait.name", FT_STRING
, BASE_NONE
,
13383 NULL
, 0, "Pipe name", HFILL
}
13386 { &hf_smb2_fsctl_odx_token_type
,
13387 { "TokenType", "smb2.fsctl.odx.token.type", FT_UINT32
, BASE_HEX
,
13388 NULL
, 0, NULL
, HFILL
}
13391 { &hf_smb2_fsctl_odx_token_idlen
,
13392 { "TokenIdLength", "smb2.fsctl.odx.token.idlen", FT_UINT16
, BASE_DEC
,
13393 NULL
, 0, NULL
, HFILL
}
13396 { &hf_smb2_fsctl_odx_token_idraw
,
13397 { "TokenId", "smb2.fsctl.odx.token.id", FT_BYTES
, BASE_NONE
,
13398 NULL
, 0, "Token ID (opaque)", HFILL
}
13401 { &hf_smb2_fsctl_odx_token_ttl
,
13402 { "TokenTimeToLive", "smb2.fsctl.odx.token_ttl", FT_UINT32
, BASE_DEC
,
13403 NULL
, 0, "TTL requested for the token (in milliseconds)", HFILL
}
13406 { &hf_smb2_fsctl_odx_size
,
13407 { "Size", "smb2.fsctl.odx.size", FT_UINT32
, BASE_DEC
,
13408 NULL
, 0, "Size of this data element", HFILL
}
13411 { &hf_smb2_fsctl_odx_flags
,
13412 { "Flags", "smb2.fsctl.odx.flags", FT_UINT32
, BASE_HEX
,
13413 NULL
, 0, "Flags for this operation", HFILL
}
13416 { &hf_smb2_fsctl_odx_file_offset
,
13417 { "FileOffset", "smb2.fsctl.odx.file_offset", FT_UINT64
, BASE_DEC
,
13418 NULL
, 0, NULL
, HFILL
}
13421 { &hf_smb2_fsctl_odx_copy_length
,
13422 { "CopyLength", "smb2.fsctl.odx.copy_length", FT_UINT64
, BASE_DEC
,
13423 NULL
, 0, NULL
, HFILL
}
13426 { &hf_smb2_fsctl_odx_xfer_length
,
13427 { "TransferLength", "smb2.fsctl.odx.xfer_length", FT_UINT64
, BASE_DEC
,
13428 NULL
, 0, NULL
, HFILL
}
13431 { &hf_smb2_fsctl_odx_token_offset
,
13432 { "TokenOffset", "smb2.fsctl.odx.token_offset", FT_UINT64
, BASE_DEC
,
13433 NULL
, 0, "Token Offset (relative to start of token)", HFILL
}
13436 { &hf_smb2_fsctl_sparse_flag
,
13437 { "SetSparse", "smb2.fsctl.set_sparse", FT_BOOLEAN
, 8,
13438 NULL
, 0xFF, NULL
, HFILL
}
13441 { &hf_smb2_ioctl_resiliency_timeout
,
13442 { "Timeout", "smb2.ioctl.resiliency.timeout", FT_UINT32
, BASE_DEC
,
13443 NULL
, 0, "Resiliency timeout", HFILL
}
13446 { &hf_smb2_ioctl_resiliency_reserved
,
13447 { "Reserved", "smb2.ioctl.resiliency.reserved", FT_UINT32
, BASE_DEC
,
13448 NULL
, 0, "Resiliency reserved", HFILL
}
13451 { &hf_smb2_ioctl_shared_virtual_disk_support
,
13452 { "SharedVirtualDiskSupport", "smb2.ioctl.shared_virtual_disk.support", FT_UINT32
, BASE_HEX
,
13453 VALS(smb2_ioctl_shared_virtual_disk_vals
), 0, "Supported shared capabilities", HFILL
}
13456 { &hf_smb2_ioctl_shared_virtual_disk_handle_state
,
13457 { "SharedVirtualDiskHandleState", "smb2.ioctl.shared_virtual_disk.handle_state", FT_UINT32
, BASE_HEX
,
13458 VALS(smb2_ioctl_shared_virtual_disk_hstate_vals
), 0, NULL
, HFILL
}
13461 { &hf_smb2_ioctl_sqos_protocol_version
,
13462 { "ProtocolVersion", "smb2.ioctl.sqos.protocol_version", FT_UINT16
, BASE_HEX
,
13463 VALS(smb2_ioctl_sqos_protocol_version_vals
), 0, NULL
, HFILL
}
13466 { &hf_smb2_ioctl_sqos_reserved
,
13467 { "Reserved", "smb2.ioctl.sqos.reserved", FT_UINT16
, BASE_DEC
,
13468 NULL
, 0, NULL
, HFILL
}
13471 { &hf_smb2_ioctl_sqos_options
,
13472 { "Operations", "smb2.ioctl.sqos.operations", FT_UINT32
, BASE_HEX
,
13473 NULL
, 0, "SQOS operations", HFILL
}
13476 { &hf_smb2_ioctl_sqos_op_set_logical_flow_id
,
13477 { "Set Logical Flow ID", "smb2.ioctl.sqos.operations.set_logical_flow_id", FT_BOOLEAN
, 32,
13478 NULL
, STORAGE_QOS_CONTROL_FLAG_SET_LOGICAL_FLOW_ID
, "Whether Set Logical Flow ID operation is performed", HFILL
}
13481 { &hf_smb2_ioctl_sqos_op_set_policy
,
13482 { "Set Policy", "smb2.ioctl.sqos.operations.set_policy", FT_BOOLEAN
, 32,
13483 NULL
, STORAGE_QOS_CONTROL_FLAG_SET_POLICY
, "Whether Set Policy operation is performed", HFILL
}
13486 { &hf_smb2_ioctl_sqos_op_probe_policy
,
13487 { "Probe Policy", "smb2.ioctl.sqos.operations.probe_policy", FT_BOOLEAN
, 32,
13488 NULL
, STORAGE_QOS_CONTROL_FLAG_PROBE_POLICY
, "Whether Probe Policy operation is performed", HFILL
}
13491 { &hf_smb2_ioctl_sqos_op_get_status
,
13492 { "Get Status", "smb2.ioctl.sqos.operations.get_status", FT_BOOLEAN
, 32,
13493 NULL
, STORAGE_QOS_CONTROL_FLAG_GET_STATUS
, "Whether Get Status operation is performed", HFILL
}
13496 { &hf_smb2_ioctl_sqos_op_update_counters
,
13497 { "Update Counters", "smb2.ioctl.sqos.operations.update_counters", FT_BOOLEAN
, 32,
13498 NULL
, STORAGE_QOS_CONTROL_FLAG_UPDATE_COUNTERS
, "Whether Update Counters operation is performed", HFILL
}
13501 { &hf_smb2_ioctl_sqos_logical_flow_id
,
13502 { "LogicalFlowID", "smb2.ioctl.sqos.logical_flow_id", FT_GUID
, BASE_NONE
,
13503 NULL
, 0, NULL
, HFILL
}
13506 { &hf_smb2_ioctl_sqos_policy_id
,
13507 { "PolicyID", "smb2.ioctl.sqos.policy_id", FT_GUID
, BASE_NONE
,
13508 NULL
, 0, NULL
, HFILL
}
13511 { &hf_smb2_ioctl_sqos_initiator_id
,
13512 { "InitiatorID", "smb2.ioctl.sqos.initiator_id", FT_GUID
, BASE_NONE
,
13513 NULL
, 0, NULL
, HFILL
}
13516 { &hf_smb2_ioctl_sqos_limit
,
13517 { "Limit", "smb2.ioctl.sqos.limit", FT_UINT64
, BASE_DEC
,
13518 NULL
, 0, "Desired maximum throughput for the logical flow, in normalized IOPS", HFILL
}
13521 { &hf_smb2_ioctl_sqos_reservation
,
13522 { "Reservation", "smb2.ioctl.sqos.reservation", FT_UINT64
, BASE_DEC
,
13523 NULL
, 0, "Desired minimum throughput for the logical flow, in normalized 8KB IOPS", HFILL
}
13526 { &hf_smb2_ioctl_sqos_initiator_name
,
13527 { "InitiatorName", "smb2.ioctl.sqos.initiator_name", FT_STRING
, BASE_NONE
,
13528 NULL
, 0x0, NULL
, HFILL
}
13531 { &hf_smb2_ioctl_sqos_initiator_node_name
,
13532 { "InitiatorNodeName", "smb2.ioctl.sqos.initiator_node_name", FT_STRING
, BASE_NONE
,
13533 NULL
, 0x0, NULL
, HFILL
}
13536 { &hf_smb2_ioctl_sqos_io_count_increment
,
13537 { "IoCountIncrement", "smb2.ioctl.sqos.io_count_increment", FT_UINT64
, BASE_DEC
,
13538 NULL
, 0, "The total number of I/O requests issued by the initiator on the logical flow", HFILL
}
13541 { &hf_smb2_ioctl_sqos_normalized_io_count_increment
,
13542 { "NormalizedIoCountIncrement", "smb2.ioctl.sqos.normalized_io_count_increment", FT_UINT64
, BASE_DEC
,
13543 NULL
, 0, "The total number of normalized 8-KB I/O requests issued by the initiator on the logical flow", HFILL
}
13546 { &hf_smb2_ioctl_sqos_latency_increment
,
13547 { "LatencyIncrement", "smb2.ioctl.sqos.latency_increment", FT_UINT64
, BASE_DEC
,
13548 NULL
, 0, "The total latency (including initiator's queues delays) measured by the initiator", HFILL
}
13551 { &hf_smb2_ioctl_sqos_lower_latency_increment
,
13552 { "LowerLatencyIncrement", "smb2.ioctl.sqos.lower_latency_increment", FT_UINT64
, BASE_DEC
,
13553 NULL
, 0, "The total latency (excluding initiator's queues delays) measured by the initiator", HFILL
}
13556 { &hf_smb2_ioctl_sqos_bandwidth_limit
,
13557 { "BandwidthLimit", "smb2.ioctl.sqos.bandwidth_limit", FT_UINT64
, BASE_DEC
,
13558 NULL
, 0, "Desired maximum bandwidth for the logical flow, in kilobytes per second", HFILL
}
13561 { &hf_smb2_ioctl_sqos_kilobyte_count_increment
,
13562 { "KilobyteCountIncrement", "smb2.ioctl.sqos.kilobyte_count_increment", FT_UINT64
, BASE_DEC
,
13563 NULL
, 0, "The total data transfer length of all I/O requests, in kilobyte units, issued by the initiator on the logical flow", HFILL
}
13566 { &hf_smb2_ioctl_sqos_time_to_live
,
13567 { "TimeToLive", "smb2.ioctl.sqos.time_to_live", FT_UINT32
, BASE_DEC
,
13568 NULL
, 0, "The expected period of validity of the Status, MaximumIoRate and MinimumIoRate fields, expressed in milliseconds", HFILL
}
13571 { &hf_smb2_ioctl_sqos_status
,
13572 { "Status", "smb2.ioctl.sqos.status", FT_UINT32
, BASE_HEX
,
13573 VALS(smb2_ioctl_sqos_status_vals
), 0, "The current status of the logical flow", HFILL
}
13576 { &hf_smb2_ioctl_sqos_maximum_io_rate
,
13577 { "MaximumIoRate", "smb2.ioctl.sqos.maximum_io_rate", FT_UINT64
, BASE_DEC
,
13578 NULL
, 0, "The maximum I/O initiation rate currently assigned to the logical flow, expressed in normalized input/output operations per second (normalized IOPS)", HFILL
}
13581 { &hf_smb2_ioctl_sqos_minimum_io_rate
,
13582 { "MinimumIoRate", "smb2.ioctl.sqos.minimum_io_rate", FT_UINT64
, BASE_DEC
,
13583 NULL
, 0, "The minimum I/O completion rate currently assigned to the logical flow, expressed in normalized IOPS", HFILL
}
13586 { &hf_smb2_ioctl_sqos_base_io_size
,
13587 { "BaseIoSize", "smb2.ioctl.sqos.base_io_size", FT_UINT32
, BASE_DEC
,
13588 NULL
, 0, "The base I/O size used to compute the normalized size of an I/O request for the logical flow", HFILL
}
13591 { &hf_smb2_ioctl_sqos_reserved2
,
13592 { "Reserved", "smb2.ioctl.sqos.reserved2", FT_UINT32
, BASE_DEC
,
13593 NULL
, 0, NULL
, HFILL
}
13596 { &hf_smb2_ioctl_sqos_maximum_bandwidth
,
13597 { "MaximumBandwidth", "smb2.ioctl.sqos.maximum_bandwidth", FT_UINT64
, BASE_DEC
,
13598 NULL
, 0, "The maximum bandwidth currently assigned to the logical flow, expressed in kilobytes per second", HFILL
}
13602 { &hf_windows_sockaddr_family
,
13603 { "Socket Family", "smb2.windows.sockaddr.family", FT_UINT16
, BASE_DEC
,
13604 NULL
, 0, "The socket address family (on windows)", HFILL
}
13607 { &hf_windows_sockaddr_port
,
13608 { "Socket Port", "smb2.windows.sockaddr.port", FT_UINT16
, BASE_DEC
,
13609 NULL
, 0, "The socket address port", HFILL
}
13612 { &hf_windows_sockaddr_in_addr
,
13613 { "Socket IPv4", "smb2.windows.sockaddr.in.addr", FT_IPv4
, BASE_NONE
,
13614 NULL
, 0, "The IPv4 address", HFILL
}
13617 { &hf_windows_sockaddr_in6_flowinfo
,
13618 { "IPv6 Flow Info", "smb2.windows.sockaddr.in6.flow_info", FT_UINT32
, BASE_HEX
,
13619 NULL
, 0, "The socket IPv6 flow info", HFILL
}
13622 { &hf_windows_sockaddr_in6_addr
,
13623 { "Socket IPv6", "smb2.windows.sockaddr.in6.addr", FT_IPv6
, BASE_NONE
,
13624 NULL
, 0, "The IPv6 address", HFILL
}
13627 { &hf_windows_sockaddr_in6_scope_id
,
13628 { "IPv6 Scope ID", "smb2.windows.sockaddr.in6.scope_id", FT_UINT32
, BASE_DEC
,
13629 NULL
, 0, "The socket IPv6 scope id", HFILL
}
13632 { &hf_smb2_ioctl_network_interface_next_offset
,
13633 { "Next Offset", "smb2.ioctl.network_interfaces.next_offset", FT_UINT32
, BASE_HEX
,
13634 NULL
, 0, "Offset to next entry in chain or 0", HFILL
}
13637 { &hf_smb2_ioctl_network_interface_index
,
13638 { "Interface Index", "smb2.ioctl.network_interfaces.index", FT_UINT32
, BASE_DEC
,
13639 NULL
, 0, "The index of the interface", HFILL
}
13642 { &hf_smb2_ioctl_network_interface_reserved
,
13643 { "Reserved", "smb2.ioctl.network_interfaces.reserved", FT_UINT32
, BASE_DEC
,
13644 NULL
, 0, "Was RSS Queue Count", HFILL
}
13647 { &hf_smb2_ioctl_network_interface_capabilities
,
13648 { "Interface Cababilities", "smb2.ioctl.network_interfaces.capabilities", FT_UINT32
, BASE_HEX
,
13649 NULL
, 0, "The capabilities of the network interface", HFILL
}
13652 { &hf_smb2_ioctl_network_interface_capability_rss
,
13653 { "RSS", "smb2.ioctl.network_interfaces.capabilities.rss", FT_BOOLEAN
, 32,
13654 TFS(&tfs_smb2_ioctl_network_interface_capability_rss
), NETWORK_INTERFACE_CAP_RSS
, "If the host supports RSS", HFILL
}
13657 { &hf_smb2_ioctl_network_interface_capability_rdma
,
13658 { "RDMA", "smb2.ioctl.network_interfaces.capabilities.rdma", FT_BOOLEAN
, 32,
13659 TFS(&tfs_smb2_ioctl_network_interface_capability_rdma
), NETWORK_INTERFACE_CAP_RDMA
, "If the host supports RDMA", HFILL
}
13662 { &hf_smb2_ioctl_network_interface_link_speed
,
13663 { "Link Speed", "smb2.ioctl.network_interfaces.link_speed", FT_UINT64
, BASE_DEC
,
13664 NULL
, 0, "The link speed of the interface", HFILL
}
13667 { &hf_smb2_ioctl_enumerate_snapshots_num_snapshots
,
13668 { "Number of snapshots", "smb2.ioctl.enumerate_snapshots.num_snapshots", FT_UINT32
, BASE_DEC
,
13669 NULL
, 0, "Number of previous versions associated with the volume", HFILL
}
13672 { &hf_smb2_ioctl_enumerate_snapshots_num_snapshots_returned
,
13673 { "Number of snapshots returned", "smb2.ioctl.enumerate_snapshots.num_snapshots_returned", FT_UINT32
, BASE_DEC
,
13674 NULL
, 0, "Number of previous version time stamps returned", HFILL
}
13677 { &hf_smb2_ioctl_enumerate_snapshots_snapshot_array_size
,
13678 { "Array size", "smb2.ioctl.enumerate_snapshots.array_size", FT_UINT32
, BASE_DEC
,
13679 NULL
, 0, "Number of bytes for snapshot time stamp strings", HFILL
}
13682 { &hf_smb2_ioctl_enumerate_snapshots_snapshot
,
13683 { "Snapshot", "smb2.ioctl.enumerate_snapshots.snapshot", FT_STRINGZ
, BASE_NONE
,
13684 NULL
, 0, "Time stamp of previous version", HFILL
}
13687 { &hf_smb2_ioctl_get_ntfs_volume_data_volume_serial
, {
13688 "VolumeSerialNumber",
13689 "smb2.ioctl.get_ntfs_volume_data.volume_serial_number",
13690 FT_UINT64
, BASE_DEC
,
13691 NULL
, 0, "Volume Serial Number", HFILL
},
13694 { &hf_smb2_ioctl_get_ntfs_volume_data_num_sectors
, {
13696 "smb2.ioctl.get_ntfs_volume_data.num_sectors",
13697 FT_UINT64
, BASE_DEC
,
13698 NULL
, 0, "Number Sectors", HFILL
},
13701 { &hf_smb2_ioctl_get_ntfs_volume_data_total_clusters
, {
13703 "smb2.ioctl.get_ntfs_volume_data.total_clusters",
13704 FT_UINT64
, BASE_DEC
,
13705 NULL
, 0, "Total Clusters", HFILL
},
13708 { &hf_smb2_ioctl_get_ntfs_volume_data_free_clusters
, {
13710 "smb2.ioctl.get_ntfs_volume_data.free_clusters",
13711 FT_UINT64
, BASE_DEC
,
13712 NULL
, 0, "Free Clusters", HFILL
},
13715 { &hf_smb2_ioctl_get_ntfs_volume_data_total_reserved
, {
13717 "smb2.ioctl.get_ntfs_volume_data.total_reserved",
13718 FT_UINT64
, BASE_DEC
,
13719 NULL
, 0, "Total Reserved", HFILL
},
13722 { &hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_sector
, {
13724 "smb2.ioctl.get_ntfs_volume_data.bytes_per_sector",
13725 FT_UINT32
, BASE_DEC
,
13726 NULL
, 0, "Bytes Per Sector", HFILL
},
13729 { &hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_cluster
, {
13731 "smb2.ioctl.get_ntfs_volume_data.bytes_per_cluster",
13732 FT_UINT32
, BASE_DEC
,
13733 NULL
, 0, "Bytes Per Cluster", HFILL
},
13736 { &hf_smb2_ioctl_get_ntfs_volume_data_bytes_per_file_record_segment
, {
13737 "BytesPerFileRecordSegment",
13738 "smb2.ioctl.get_ntfs_volume_data.bytes_per_file_record_segment",
13739 FT_UINT32
, BASE_DEC
,
13740 NULL
, 0, "Bytes Per File Record Segment", HFILL
},
13743 { &hf_smb2_ioctl_get_ntfs_volume_data_clusters_per_file_record_segment
, {
13744 "ClustersPerFileRecordSegment",
13745 "smb2.ioctl.get_ntfs_volume_data.clusters_per_file_record_segment",
13746 FT_UINT32
, BASE_DEC
,
13747 NULL
, 0, "Clusters Per File Record Segment", HFILL
},
13750 { &hf_smb2_ioctl_get_ntfs_volume_data_mft_valid_data_length
, {
13751 "MftValidDataLength",
13752 "smb2.ioctl.get_ntfs_volume_data.mft_valid_data_length",
13753 FT_UINT64
, BASE_DEC
,
13754 NULL
, 0, "Mft Valid Data Length", HFILL
},
13757 { &hf_smb2_ioctl_get_ntfs_volume_data_mft_start_lcn
, {
13759 "smb2.ioctl.get_ntfs_volume_data.mft_start_lcn",
13760 FT_UINT64
, BASE_DEC
,
13761 NULL
, 0, "Mft Start Lcn", HFILL
},
13764 { &hf_smb2_ioctl_get_ntfs_volume_data_mft2_start_lcn
, {
13766 "smb2.ioctl.get_ntfs_volume_data.mft2_start_lcn",
13767 FT_UINT64
, BASE_DEC
,
13768 NULL
, 0, "Mft2 Start Lcn", HFILL
},
13771 { &hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_start
, {
13773 "smb2.ioctl.get_ntfs_volume_data.mft_zone_start",
13774 FT_UINT64
, BASE_DEC
,
13775 NULL
, 0, "Mft Zone Start", HFILL
},
13778 { &hf_smb2_ioctl_get_ntfs_volume_data_mft_zone_end
, {
13780 "smb2.ioctl.get_ntfs_volume_data.mft_zone_end",
13781 FT_UINT64
, BASE_DEC
,
13782 NULL
, 0, "Mft Zone End", HFILL
},
13785 { &hf_smb2_tree_connect_flags
,
13786 { "Flags", "smb2.tc.flags", FT_UINT16
, BASE_HEX
,
13787 NULL
, 0, "Tree Connect flags", HFILL
}
13790 { &hf_smb2_tc_cluster_reconnect
,
13791 { "Cluster Reconnect", "smb2.tc.cluster_reconnect", FT_BOOLEAN
, 16,
13792 TFS(&tfs_set_notset
), 0x0001, "If this is a Cluster Reconnect", HFILL
}
13795 { &hf_smb2_tc_redirect_to_owner
,
13796 { "Redirect To Owner", "smb2.tc.redirect_to_owner", FT_BOOLEAN
, 16,
13797 TFS(&tfs_set_notset
), 0x0002, "Set if the client can handle Share Redirects", HFILL
}
13800 { &hf_smb2_tc_extension_present
,
13801 { "Extension Present", "smb2.tc.extension_present", FT_BOOLEAN
, 16,
13802 TFS(&tfs_set_notset
), 0x0004, "Set if an extension structure is present", HFILL
}
13805 { &hf_smb2_tc_reserved
,
13806 { "Reserved", "smb2.tc.reserved", FT_UINT16
, BASE_HEX
,
13807 NULL
, 0xFFF8, "Must be zero", HFILL
}
13810 { &hf_smb2_compression_format
,
13811 { "Compression Format", "smb2.compression_format", FT_UINT16
, BASE_DEC
,
13812 VALS(compression_format_vals
), 0, NULL
, HFILL
}
13815 { &hf_smb2_checksum_algorithm
,
13816 { "Checksum Algorithm", "smb2.checksum_algorithm", FT_UINT16
, BASE_HEX
,
13817 VALS(checksum_algorithm_vals
), 0, NULL
, HFILL
}
13820 { &hf_smb2_integrity_reserved
,
13821 { "Reserved", "smb2.integrity_reserved", FT_UINT16
, BASE_DEC
,
13822 NULL
, 0, NULL
, HFILL
}
13825 { &hf_smb2_integrity_flags
,
13826 { "Flags", "smb2.integrity_flags", FT_UINT32
, BASE_HEX
,
13827 NULL
, 0, NULL
, HFILL
}
13830 { &hf_smb2_integrity_flags_enforcement_off
,
13831 { "FSCTL_INTEGRITY_FLAG_CHECKSUM_ENFORCEMENT_OFF", "smb2.integrity_flags_enforcement", FT_BOOLEAN
, 32,
13832 NULL
, 0x1, "If checksum error enforcement is off", HFILL
}
13835 { &hf_smb2_share_type
,
13836 { "Share Type", "smb2.share_type", FT_UINT8
, BASE_HEX
,
13837 VALS(smb2_share_type_vals
), 0, "Type of share", HFILL
}
13840 { &hf_smb2_credit_charge
,
13841 { "Credit Charge", "smb2.credit.charge", FT_UINT16
, BASE_DEC
,
13842 NULL
, 0, NULL
, HFILL
}
13845 { &hf_smb2_credits_requested
,
13846 { "Credits requested", "smb2.credits.requested", FT_UINT16
, BASE_DEC
,
13847 NULL
, 0, NULL
, HFILL
}
13850 { &hf_smb2_credits_granted
,
13851 { "Credits granted", "smb2.credits.granted", FT_UINT16
, BASE_DEC
,
13852 NULL
, 0, NULL
, HFILL
}
13855 { &hf_smb2_channel_sequence
,
13856 { "Channel Sequence", "smb2.channel_sequence", FT_UINT16
, BASE_DEC
,
13857 NULL
, 0, NULL
, HFILL
}
13860 { &hf_smb2_dialect_count
,
13861 { "Dialect count", "smb2.dialect_count", FT_UINT16
, BASE_DEC
,
13862 NULL
, 0, NULL
, HFILL
}
13865 { &hf_smb2_dialect
,
13866 { "Dialect", "smb2.dialect", FT_UINT16
, BASE_HEX
,
13867 VALS(smb2_dialect_vals
), 0, NULL
, HFILL
}
13870 { &hf_smb2_security_mode
,
13871 { "Security mode", "smb2.sec_mode", FT_UINT8
, BASE_HEX
,
13872 NULL
, 0, NULL
, HFILL
}
13875 { &hf_smb2_session_flags
,
13876 { "Session Flags", "smb2.session_flags", FT_UINT16
, BASE_HEX
,
13877 NULL
, 0, NULL
, HFILL
}
13880 { &hf_smb2_lock_count
,
13881 { "Lock Count", "smb2.lock_count", FT_UINT16
, BASE_DEC
,
13882 NULL
, 0, NULL
, HFILL
}
13885 { &hf_smb2_lock_sequence_number
,
13886 { "Lock Sequence Number", "smb2.lock_sequence_number", FT_UINT32
, BASE_DEC
,
13887 NULL
, 0x0000000F, NULL
, HFILL
}
13890 { &hf_smb2_lock_sequence_index
,
13891 { "Lock Sequence Index", "smb2.lock_sequence_index", FT_UINT32
, BASE_DEC
,
13892 NULL
, 0xFFFFFFF0, NULL
, HFILL
}
13895 { &hf_smb2_capabilities
,
13896 { "Capabilities", "smb2.capabilities", FT_UINT32
, BASE_HEX
,
13897 NULL
, 0, NULL
, HFILL
}
13900 { &hf_smb2_auth_frame
,
13901 { "Authenticated in Frame", "smb2.auth_frame", FT_FRAMENUM
, BASE_NONE
,
13902 NULL
, 0, "Which frame this user was authenticated in", HFILL
}
13905 { &hf_smb2_tcon_frame
,
13906 { "Connected in Frame", "smb2.tcon_frame", FT_FRAMENUM
, BASE_NONE
,
13907 NULL
, 0, "Which frame this share was connected in", HFILL
}
13910 { &hf_smb2_tdcon_frame
,
13911 { "Disconnected in Frame", "smb2.tdcon_frame", FT_FRAMENUM
, BASE_NONE
,
13912 NULL
, 0, "Which frame this share was disconnected in", HFILL
}
13916 { "Tag", "smb2.tag", FT_STRING
, BASE_NONE
,
13917 NULL
, 0, "Tag of chain entry", HFILL
}
13920 { &hf_smb2_acct_name
,
13921 { "Account", "smb2.acct", FT_STRING
, BASE_NONE
,
13922 NULL
, 0, "Account Name", HFILL
}
13925 { &hf_smb2_domain_name
,
13926 { "Domain", "smb2.domain", FT_STRING
, BASE_NONE
,
13927 NULL
, 0, "Domain Name", HFILL
}
13930 { &hf_smb2_host_name
,
13931 { "Host", "smb2.host", FT_STRING
, BASE_NONE
,
13932 NULL
, 0, "Host Name", HFILL
}
13935 { &hf_smb2_signature
,
13936 { "Signature", "smb2.signature", FT_BYTES
, BASE_NONE
,
13937 NULL
, 0, NULL
, HFILL
}
13940 { &hf_smb2_unknown
,
13941 { "Unknown", "smb2.unknown", FT_BYTES
, BASE_NONE
,
13942 NULL
, 0, NULL
, HFILL
}
13945 { &hf_smb2_twrp_timestamp
,
13946 { "Timestamp", "smb2.twrp_timestamp", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
13947 NULL
, 0, "TWrp timestamp", HFILL
}
13950 { &hf_smb2_mxac_timestamp
,
13951 { "Timestamp", "smb2.mxac_timestamp", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
13952 NULL
, 0, "MxAc timestamp", HFILL
}
13955 { &hf_smb2_mxac_status
,
13956 { "Query Status", "smb2.mxac_status", FT_UINT32
, BASE_HEX
| BASE_EXT_STRING
,
13957 &NT_errors_ext
, 0, "NT Status code", HFILL
}
13960 { &hf_smb2_qfid_fid
,
13961 { "Opaque File ID", "smb2.qfid_fid", FT_BYTES
, BASE_NONE
,
13962 NULL
, 0, NULL
, HFILL
}
13965 { &hf_smb2_ses_flags_guest
,
13966 { "Guest", "smb2.ses_flags.guest", FT_BOOLEAN
, 16,
13967 NULL
, SES_FLAGS_GUEST
, NULL
, HFILL
}
13970 { &hf_smb2_ses_flags_null
,
13971 { "Null", "smb2.ses_flags.null", FT_BOOLEAN
, 16,
13972 NULL
, SES_FLAGS_NULL
, NULL
, HFILL
}
13975 { &hf_smb2_ses_flags_encrypt
,
13976 { "Encrypt", "smb2.ses_flags.encrypt", FT_BOOLEAN
, 16,
13977 NULL
, SES_FLAGS_ENCRYPT
, NULL
, HFILL
}},
13979 { &hf_smb2_secmode_flags_sign_required
,
13980 { "Signing required", "smb2.sec_mode.sign_required", FT_BOOLEAN
, 8,
13981 NULL
, NEGPROT_SIGN_REQ
, "Is signing required", HFILL
}
13984 { &hf_smb2_secmode_flags_sign_enabled
,
13985 { "Signing enabled", "smb2.sec_mode.sign_enabled", FT_BOOLEAN
, 8,
13986 NULL
, NEGPROT_SIGN_ENABLED
, "Is signing enabled", HFILL
}
13989 { &hf_smb2_ses_req_flags
,
13990 { "Flags", "smb2.ses_req_flags", FT_UINT8
, BASE_DEC
,
13991 NULL
, 0, NULL
, HFILL
}
13994 { &hf_smb2_ses_req_flags_session_binding
,
13995 { "Session Binding Request", "smb2.ses_req_flags.session_binding", FT_BOOLEAN
, 8,
13996 NULL
, SES_REQ_FLAGS_SESSION_BINDING
, "The client wants to bind to an existing session", HFILL
}
13999 { &hf_smb2_cap_dfs
,
14000 { "DFS", "smb2.capabilities.dfs", FT_BOOLEAN
, 32,
14001 TFS(&tfs_cap_dfs
), NEGPROT_CAP_DFS
, "If the host supports dfs", HFILL
}
14004 { &hf_smb2_cap_leasing
,
14005 { "LEASING", "smb2.capabilities.leasing", FT_BOOLEAN
, 32,
14006 TFS(&tfs_cap_leasing
), NEGPROT_CAP_LEASING
, "If the host supports leasing", HFILL
}
14009 { &hf_smb2_cap_large_mtu
,
14010 { "LARGE MTU", "smb2.capabilities.large_mtu", FT_BOOLEAN
, 32,
14011 TFS(&tfs_cap_large_mtu
), NEGPROT_CAP_LARGE_MTU
, "If the host supports LARGE MTU", HFILL
}
14014 { &hf_smb2_cap_multi_channel
,
14015 { "MULTI CHANNEL", "smb2.capabilities.multi_channel", FT_BOOLEAN
, 32,
14016 TFS(&tfs_cap_multi_channel
), NEGPROT_CAP_MULTI_CHANNEL
, "If the host supports MULTI CHANNEL", HFILL
}
14019 { &hf_smb2_cap_persistent_handles
,
14020 { "PERSISTENT HANDLES", "smb2.capabilities.persistent_handles", FT_BOOLEAN
, 32,
14021 TFS(&tfs_cap_persistent_handles
), NEGPROT_CAP_PERSISTENT_HANDLES
, "If the host supports PERSISTENT HANDLES", HFILL
}
14024 { &hf_smb2_cap_directory_leasing
,
14025 { "DIRECTORY LEASING", "smb2.capabilities.directory_leasing", FT_BOOLEAN
, 32,
14026 TFS(&tfs_cap_directory_leasing
), NEGPROT_CAP_DIRECTORY_LEASING
, "If the host supports DIRECTORY LEASING", HFILL
}
14029 { &hf_smb2_cap_encryption
,
14030 { "ENCRYPTION", "smb2.capabilities.encryption", FT_BOOLEAN
, 32,
14031 TFS(&tfs_cap_encryption
), NEGPROT_CAP_ENCRYPTION
, "If the host supports ENCRYPTION", HFILL
}
14034 { &hf_smb2_cap_notifications
,
14035 { "NOTIFICATIONS", "smb2.capabilities.notifications", FT_BOOLEAN
, 32,
14036 TFS(&tfs_cap_notifications
), NEGPROT_CAP_NOTIFICATIONS
, "If the host supports receiving notifications from server", HFILL
}
14039 { &hf_smb2_max_trans_size
,
14040 { "Max Transaction Size", "smb2.max_trans_size", FT_UINT32
, BASE_DEC
,
14041 NULL
, 0, NULL
, HFILL
}
14044 { &hf_smb2_max_read_size
,
14045 { "Max Read Size", "smb2.max_read_size", FT_UINT32
, BASE_DEC
,
14046 NULL
, 0, NULL
, HFILL
}
14049 { &hf_smb2_max_write_size
,
14050 { "Max Write Size", "smb2.max_write_size", FT_UINT32
, BASE_DEC
,
14051 NULL
, 0, NULL
, HFILL
}
14054 { &hf_smb2_channel
,
14055 { "Channel", "smb2.channel", FT_UINT32
, BASE_HEX
,
14056 VALS(smb2_channel_vals
), 0, NULL
, HFILL
}
14059 { &hf_smb2_rdma_v1_offset
,
14060 { "Offset", "smb2.buffer_descriptor.offset", FT_UINT64
, BASE_DEC
,
14061 NULL
, 0, NULL
, HFILL
}
14064 { &hf_smb2_rdma_v1_token
,
14065 { "Token", "smb2.buffer_descriptor.token", FT_UINT32
, BASE_HEX
,
14066 NULL
, 0, NULL
, HFILL
}
14069 { &hf_smb2_rdma_v1_length
,
14070 { "Length", "smb2.buffer_descriptor.length", FT_UINT32
, BASE_DEC
,
14071 NULL
, 0, NULL
, HFILL
}
14074 { &hf_smb2_share_flags
,
14075 { "Share flags", "smb2.share_flags", FT_UINT32
, BASE_HEX
,
14076 NULL
, 0, NULL
, HFILL
}
14079 { &hf_smb2_share_flags_dfs
,
14080 { "DFS", "smb2.share_flags.dfs", FT_BOOLEAN
, 32,
14081 NULL
, SHARE_FLAGS_dfs
, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL
}
14084 { &hf_smb2_share_flags_dfs_root
,
14085 { "DFS root", "smb2.share_flags.dfs_root", FT_BOOLEAN
, 32,
14086 NULL
, SHARE_FLAGS_dfs_root
, "The specified share is present in a Distributed File System (DFS) tree structure", HFILL
}
14089 { &hf_smb2_share_flags_restrict_exclusive_opens
,
14090 { "Restrict exclusive opens", "smb2.share_flags.restrict_exclusive_opens", FT_BOOLEAN
, 32,
14091 NULL
, SHARE_FLAGS_restrict_exclusive_opens
, "The specified share disallows exclusive file opens that deny reads to an open file", HFILL
}
14094 { &hf_smb2_share_flags_force_shared_delete
,
14095 { "Force shared delete", "smb2.share_flags.force_shared_delete", FT_BOOLEAN
, 32,
14096 NULL
, SHARE_FLAGS_force_shared_delete
, "Shared files in the specified share can be forcibly deleted", HFILL
}
14099 { &hf_smb2_share_flags_allow_namespace_caching
,
14100 { "Allow namespace caching", "smb2.share_flags.allow_namespace_caching", FT_BOOLEAN
, 32,
14101 NULL
, SHARE_FLAGS_allow_namespace_caching
, "Clients are allowed to cache the namespace of the specified share", HFILL
}
14104 { &hf_smb2_share_flags_access_based_dir_enum
,
14105 { "Access based directory enum", "smb2.share_flags.access_based_dir_enum", FT_BOOLEAN
, 32,
14106 NULL
, SHARE_FLAGS_access_based_dir_enum
, "The server will filter directory entries based on the access permissions of the client", HFILL
}
14109 { &hf_smb2_share_flags_force_levelii_oplock
,
14110 { "Force level II oplock", "smb2.share_flags.force_levelii_oplock", FT_BOOLEAN
, 32,
14111 NULL
, SHARE_FLAGS_force_levelii_oplock
, "The server will not issue exclusive caching rights on this share", HFILL
}
14114 { &hf_smb2_share_flags_enable_hash_v1
,
14115 { "Enable hash V1", "smb2.share_flags.enable_hash_v1", FT_BOOLEAN
, 32,
14116 NULL
, SHARE_FLAGS_enable_hash_v1
, "The share supports hash generation V1 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL
}
14119 { &hf_smb2_share_flags_enable_hash_v2
,
14120 { "Enable hash V2", "smb2.share_flags.enable_hash_v2", FT_BOOLEAN
, 32,
14121 NULL
, SHARE_FLAGS_enable_hash_v2
, "The share supports hash generation V2 for branch cache retrieval of data (see also section 2.2.31.2 of MS-SMB2)", HFILL
}
14124 { &hf_smb2_share_flags_encrypt_data
,
14125 { "Encrypted data required", "smb2.share_flags.encrypt_data", FT_BOOLEAN
, 32,
14126 NULL
, SHARE_FLAGS_encryption_required
, "The share require data encryption", HFILL
}
14129 { &hf_smb2_share_flags_identity_remoting
,
14130 { "Identity Remoting", "smb2.share_flags.identity_remoting", FT_BOOLEAN
, 32,
14131 NULL
, SHARE_FLAGS_identity_remoting
, "The specified share supports Identity Remoting", HFILL
}
14134 { &hf_smb2_share_flags_compress_data
,
14135 { "Compressed IO", "smb2.share_flags.compress_data", FT_BOOLEAN
, 32,
14136 NULL
, SHARE_FLAGS_compress_data
, "The share supports compression of read/write messages", HFILL
}
14139 { &hf_smb2_share_flags_isolated_transport
,
14140 { "Isolated Transport", "smb2.share_flags.isolated_transport", FT_BOOLEAN
, 32,
14141 NULL
, SHARE_FLAGS_isolated_transport
, "The server indicates that administrator set share property telling client that it is preferable to isolate communication to that share on a separate set of connections.", HFILL
}
14144 { &hf_smb2_share_caching
,
14145 { "Caching policy", "smb2.share.caching", FT_UINT32
, BASE_HEX
,
14146 VALS(share_cache_vals
), 0, NULL
, HFILL
}
14149 { &hf_smb2_share_caps
,
14150 { "Share Capabilities", "smb2.share_caps", FT_UINT32
, BASE_HEX
,
14151 NULL
, 0, NULL
, HFILL
}
14154 { &hf_smb2_share_caps_dfs
,
14155 { "DFS", "smb2.share_caps.dfs", FT_BOOLEAN
, 32,
14156 NULL
, SHARE_CAPS_DFS
, "The specified share is present in a DFS tree structure", HFILL
}
14159 { &hf_smb2_share_caps_continuous_availability
,
14160 { "CONTINUOUS AVAILABILITY", "smb2.share_caps.continuous_availability", FT_BOOLEAN
, 32,
14161 NULL
, SHARE_CAPS_CONTINUOUS_AVAILABILITY
, "The specified share is continuously available", HFILL
}
14164 { &hf_smb2_share_caps_scaleout
,
14165 { "SCALEOUT", "smb2.share_caps.scaleout", FT_BOOLEAN
, 32,
14166 NULL
, SHARE_CAPS_SCALEOUT
, "The specified share is a scaleout share", HFILL
}
14169 { &hf_smb2_share_caps_cluster
,
14170 { "CLUSTER", "smb2.share_caps.cluster", FT_BOOLEAN
, 32,
14171 NULL
, SHARE_CAPS_CLUSTER
, "The specified share is a cluster share", HFILL
}
14174 { &hf_smb2_share_caps_asymmetric
,
14175 { "ASYMMETRIC", "smb2.share_caps.asymmetric", FT_BOOLEAN
, 32,
14176 NULL
, SHARE_CAPS_ASYMMETRIC
, "The specified share allows dynamic changes in ownership of the share", HFILL
}
14179 { &hf_smb2_share_caps_redirect_to_owner
,
14180 { "REDIRECT_TO_OWNER", "smb2.share_caps.redirect_to_owner", FT_BOOLEAN
, 32,
14181 NULL
, SHARE_CAPS_REDIRECT_TO_OWNER
, "The specified share supports synchronous share level redirection", HFILL
}
14184 { &hf_smb2_ioctl_flags
,
14185 { "Flags", "smb2.ioctl.flags", FT_UINT32
, BASE_HEX
,
14186 NULL
, 0, NULL
, HFILL
}
14189 { &hf_smb2_min_count
,
14190 { "Min Count", "smb2.min_count", FT_UINT32
, BASE_DEC
,
14191 NULL
, 0, NULL
, HFILL
}
14194 { &hf_smb2_remaining_bytes
,
14195 { "Remaining Bytes", "smb2.remaining_bytes", FT_UINT32
, BASE_DEC
,
14196 NULL
, 0, NULL
, HFILL
}
14199 { &hf_smb2_channel_info_offset
,
14200 { "Channel Info Offset", "smb2.channel_info_offset", FT_UINT16
, BASE_DEC
,
14201 NULL
, 0, NULL
, HFILL
}
14204 { &hf_smb2_channel_info_length
,
14205 { "Channel Info Length", "smb2.channel_info_length", FT_UINT16
, BASE_DEC
,
14206 NULL
, 0, NULL
, HFILL
}
14209 { &hf_smb2_channel_info_blob
,
14210 { "Channel Info Blob", "smb2.channel_info_blob", FT_NONE
, BASE_NONE
,
14211 NULL
, 0, NULL
, HFILL
}
14214 { &hf_smb2_ioctl_is_fsctl
,
14215 { "Is FSCTL", "smb2.ioctl.is_fsctl", FT_BOOLEAN
, 32,
14216 NULL
, 0x00000001, NULL
, HFILL
}
14219 { &hf_smb2_output_buffer_len
,
14220 { "Output Buffer Length", "smb2.output_buffer_len", FT_UINT32
, BASE_DEC
,
14221 NULL
, 0, NULL
, HFILL
}
14224 { &hf_smb2_close_pq_attrib
,
14225 { "PostQuery Attrib", "smb2.close.pq_attrib", FT_BOOLEAN
, 16,
14226 NULL
, 0x0001, NULL
, HFILL
}
14229 { &hf_smb2_notify_watch_tree
,
14230 { "Watch Tree", "smb2.notify.watch_tree", FT_BOOLEAN
, 16,
14231 NULL
, 0x0001, NULL
, HFILL
}
14234 { &hf_smb2_notify_out_data
,
14235 { "Out Data", "smb2.notify.out", FT_NONE
, BASE_NONE
,
14236 NULL
, 0, NULL
, HFILL
}
14239 { &hf_smb2_notify_info
,
14240 { "Notify Info", "smb2.notify.info", FT_NONE
, BASE_NONE
,
14241 NULL
, 0, NULL
, HFILL
}
14244 { &hf_smb2_notify_next_offset
,
14245 { "Next Offset", "smb2.notify.next_offset", FT_UINT32
, BASE_HEX
,
14246 NULL
, 0, "Offset to next entry in chain or 0", HFILL
}
14249 { &hf_smb2_notify_action
,
14250 { "Action", "smb2.notify.action", FT_UINT32
, BASE_HEX
,
14251 VALS(notify_action_vals
), 0, "Notify Action", HFILL
}
14255 { &hf_smb2_find_flags_restart_scans
,
14256 { "Restart Scans", "smb2.find.restart_scans", FT_BOOLEAN
, 8,
14257 NULL
, SMB2_FIND_FLAG_RESTART_SCANS
, NULL
, HFILL
}
14260 { &hf_smb2_find_flags_single_entry
,
14261 { "Single Entry", "smb2.find.single_entry", FT_BOOLEAN
, 8,
14262 NULL
, SMB2_FIND_FLAG_SINGLE_ENTRY
, NULL
, HFILL
}
14265 { &hf_smb2_find_flags_index_specified
,
14266 { "Index Specified", "smb2.find.index_specified", FT_BOOLEAN
, 8,
14267 NULL
, SMB2_FIND_FLAG_INDEX_SPECIFIED
, NULL
, HFILL
}
14270 { &hf_smb2_find_flags_reopen
,
14271 { "Reopen", "smb2.find.reopen", FT_BOOLEAN
, 8,
14272 NULL
, SMB2_FIND_FLAG_REOPEN
, NULL
, HFILL
}
14275 { &hf_smb2_file_index
,
14276 { "File Index", "smb2.file_index", FT_UINT32
, BASE_HEX
,
14277 NULL
, 0, NULL
, HFILL
}
14280 { &hf_smb2_file_directory_info
,
14281 { "FileDirectoryInfo", "smb2.find.file_directory_info", FT_NONE
, BASE_NONE
,
14282 NULL
, 0, NULL
, HFILL
}
14285 { &hf_smb2_full_directory_info
,
14286 { "FullDirectoryInfo", "smb2.find.full_directory_info", FT_NONE
, BASE_NONE
,
14287 NULL
, 0, NULL
, HFILL
}
14290 { &hf_smb2_both_directory_info
,
14291 { "FileBothDirectoryInfo", "smb2.find.both_directory_info", FT_NONE
, BASE_NONE
,
14292 NULL
, 0, NULL
, HFILL
}
14295 { &hf_smb2_id_both_directory_info
,
14296 { "FileIdBothDirectoryInfo", "smb2.find.id_both_directory_info", FT_NONE
, BASE_NONE
,
14297 NULL
, 0, NULL
, HFILL
}
14300 { &hf_smb2_posix_info
,
14301 { "FilePosixInfo", "smb2.find.posix_info", FT_NONE
, BASE_NONE
,
14302 NULL
, 0, NULL
, HFILL
}
14305 { &hf_smb2_short_name_len
,
14306 { "Short Name Length", "smb2.short_name_len", FT_UINT8
, BASE_DEC
,
14307 NULL
, 0, NULL
, HFILL
}
14310 { &hf_smb2_short_name
,
14311 { "Short Name", "smb2.shortname", FT_STRING
, BASE_NONE
,
14312 NULL
, 0, NULL
, HFILL
}
14315 { &hf_smb2_lock_info
,
14316 { "Lock Info", "smb2.lock_info", FT_NONE
, BASE_NONE
,
14317 NULL
, 0, NULL
, HFILL
}
14320 { &hf_smb2_lock_length
,
14321 { "Length", "smb2.lock_length", FT_UINT64
, BASE_DEC
,
14322 NULL
, 0, NULL
, HFILL
}
14325 { &hf_smb2_lock_flags
,
14326 { "Flags", "smb2.lock_flags", FT_UINT32
, BASE_HEX
,
14327 NULL
, 0, NULL
, HFILL
}
14330 { &hf_smb2_lock_flags_shared
,
14331 { "Shared", "smb2.lock_flags.shared", FT_BOOLEAN
, 32,
14332 NULL
, 0x00000001, NULL
, HFILL
}
14335 { &hf_smb2_lock_flags_exclusive
,
14336 { "Exclusive", "smb2.lock_flags.exclusive", FT_BOOLEAN
, 32,
14337 NULL
, 0x00000002, NULL
, HFILL
}
14340 { &hf_smb2_lock_flags_unlock
,
14341 { "Unlock", "smb2.lock_flags.unlock", FT_BOOLEAN
, 32,
14342 NULL
, 0x00000004, NULL
, HFILL
}
14345 { &hf_smb2_lock_flags_fail_immediately
,
14346 { "Fail Immediately", "smb2.lock_flags.fail_immediately", FT_BOOLEAN
, 32,
14347 NULL
, 0x00000010, NULL
, HFILL
}
14350 { &hf_smb2_error_context_count
,
14351 { "Error Context Count", "smb2.error.context_count", FT_UINT8
, BASE_DEC
,
14352 NULL
, 0, NULL
, HFILL
}
14355 { &hf_smb2_error_reserved
,
14356 { "Reserved", "smb2.error.reserved", FT_UINT8
, BASE_HEX
,
14357 NULL
, 0, NULL
, HFILL
}
14360 { &hf_smb2_error_byte_count
,
14361 { "Byte Count", "smb2.error.byte_count", FT_UINT32
, BASE_DEC
,
14362 NULL
, 0, NULL
, HFILL
}
14365 { &hf_smb2_error_data
,
14366 { "Error Data", "smb2.error.data", FT_BYTES
, BASE_NONE
,
14367 NULL
, 0, NULL
, HFILL
}
14370 { &hf_smb2_error_context
,
14371 { "Error Context", "smb2.error.context", FT_BYTES
, BASE_NONE
,
14372 NULL
, 0, NULL
, HFILL
}
14375 { &hf_smb2_error_context_id
,
14376 { "Type", "smb2.error.context.id", FT_UINT32
, BASE_HEX
,
14377 VALS(smb2_error_id_vals
), 0, NULL
, HFILL
}
14380 { &hf_smb2_error_context_length
,
14381 { "Type", "smb2.error.context.length", FT_UINT32
, BASE_DEC
,
14382 NULL
, 0, NULL
, HFILL
}
14385 { &hf_smb2_error_min_buf_length
,
14386 { "Minimum required buffer length", "smb2.error.min_buf_length", FT_UINT32
, BASE_DEC
,
14387 NULL
, 0, NULL
, HFILL
}
14390 { &hf_smb2_error_redir_context
,
14391 { "Share Redirect", "smb2.error.share_redirect", FT_NONE
, BASE_NONE
,
14392 NULL
, 0, NULL
, HFILL
}
14395 { &hf_smb2_error_redir_struct_size
,
14396 { "Struct Size", "smb2.error.share_redirect.struct_size", FT_UINT32
, BASE_DEC
,
14397 NULL
, 0, NULL
, HFILL
}
14400 { &hf_smb2_error_redir_notif_type
,
14401 { "Notification Type", "smb2.error.share_redirect.notif_type", FT_UINT32
, BASE_DEC
,
14402 NULL
, 0, NULL
, HFILL
}
14405 { &hf_smb2_error_redir_flags
,
14406 { "Flags", "smb2.error.share_redirect.flags", FT_UINT16
, BASE_HEX
,
14407 NULL
, 0, NULL
, HFILL
}
14410 { &hf_smb2_error_redir_target_type
,
14411 { "Target Type", "smb2.error.share_redirect.target_type", FT_UINT16
, BASE_HEX
,
14412 NULL
, 0, NULL
, HFILL
}
14415 { &hf_smb2_error_redir_ip_count
,
14416 { "IP Addr Count", "smb2.error.share_redirect.ip_count", FT_UINT32
, BASE_DEC
,
14417 NULL
, 0, NULL
, HFILL
}
14420 { &hf_smb2_error_redir_ip_list
,
14421 { "IP Addr List", "smb2.error.share_redirect.ip_list", FT_NONE
, BASE_NONE
,
14422 NULL
, 0, NULL
, HFILL
}
14425 { &hf_smb2_error_redir_res_name
,
14426 { "Resource Name", "smb2.error.share_redirect.res_name", FT_STRING
, BASE_NONE
,
14427 NULL
, 0, NULL
, HFILL
}
14430 { &hf_smb2_reserved
,
14431 { "Reserved", "smb2.reserved", FT_BYTES
, BASE_NONE
,
14432 NULL
, 0, NULL
, HFILL
}
14435 { &hf_smb2_reserved_random
,
14436 { "Reserved (Random)", "smb2.reserved.random", FT_BYTES
, BASE_NONE
,
14437 NULL
, 0, "Reserved bytes, random data", HFILL
}
14440 { &hf_smb2_root_directory_mbz
,
14441 { "Root Dir Handle (MBZ)", "smb2.root_directory", FT_BYTES
, BASE_NONE
,
14442 NULL
, 0, NULL
, HFILL
}
14445 { &hf_smb2_dhnq_buffer_reserved
,
14446 { "Reserved", "smb2.dhnq_buffer_reserved", FT_UINT64
, BASE_HEX
,
14447 NULL
, 0, NULL
, HFILL
}
14450 { &hf_smb2_dh2x_buffer_timeout
,
14451 { "Timeout", "smb2.dh2x.timeout", FT_UINT32
, BASE_DEC
,
14452 NULL
, 0, NULL
, HFILL
}
14455 { &hf_smb2_dh2x_buffer_flags
,
14456 { "Flags", "smb2.dh2x.flags", FT_UINT32
, BASE_HEX
,
14457 NULL
, 0, NULL
, HFILL
}
14460 { &hf_smb2_dh2x_buffer_flags_persistent_handle
,
14461 { "Persistent Handle", "smb2.dh2x.flags.persistent_handle", FT_BOOLEAN
, 32,
14462 NULL
, SMB2_DH2X_FLAGS_PERSISTENT_HANDLE
, NULL
, HFILL
}
14465 { &hf_smb2_dh2x_buffer_reserved
,
14466 { "Reserved", "smb2.dh2x.reserved", FT_UINT64
, BASE_HEX
,
14467 NULL
, 0, NULL
, HFILL
}
14470 { &hf_smb2_dh2x_buffer_create_guid
,
14471 { "Create Guid", "smb2.dh2x.create_guid", FT_GUID
, BASE_NONE
,
14472 NULL
, 0, NULL
, HFILL
}
14475 { &hf_smb2_APP_INSTANCE_buffer_struct_size
,
14476 { "Struct Size", "smb2.app_instance.struct_size", FT_UINT16
, BASE_DEC
,
14477 NULL
, 0, NULL
, HFILL
}
14480 { &hf_smb2_APP_INSTANCE_buffer_reserved
,
14481 { "Reserved", "smb2.app_instance.reserved", FT_UINT16
, BASE_HEX
,
14482 NULL
, 0, NULL
, HFILL
}
14485 { &hf_smb2_APP_INSTANCE_buffer_app_guid
,
14486 { "Application Guid", "smb2.app_instance.app_guid", FT_GUID
, BASE_NONE
,
14487 NULL
, 0, NULL
, HFILL
}
14490 { &hf_smb2_svhdx_open_device_context_version
,
14491 { "Version", "smb2.svhdx_open_device_context.version", FT_UINT32
, BASE_DEC
,
14492 NULL
, 0, NULL
, HFILL
}
14495 { &hf_smb2_svhdx_open_device_context_has_initiator_id
,
14496 { "HasInitiatorId", "smb2.svhdx_open_device_context.initiator_has_id", FT_BOOLEAN
, BASE_NONE
,
14497 TFS(&tfs_smb2_svhdx_has_initiator_id
), 0, "Whether the host has an initiator", HFILL
}
14500 { &hf_smb2_svhdx_open_device_context_reserved
,
14501 { "Reserved", "smb2.svhdx_open_device_context.reserved", FT_BYTES
, BASE_NONE
,
14502 NULL
, 0, NULL
, HFILL
}
14505 { &hf_smb2_svhdx_open_device_context_initiator_id
,
14506 { "InitiatorId", "smb2.svhdx_open_device_context.initiator_id", FT_GUID
, BASE_NONE
,
14507 NULL
, 0, NULL
, HFILL
}
14510 { &hf_smb2_svhdx_open_device_context_flags
,
14511 { "Flags", "smb2.svhdx_open_device_context.flags", FT_UINT32
, BASE_HEX
,
14512 NULL
, 0, NULL
, HFILL
}
14515 { &hf_smb2_svhdx_open_device_context_originator_flags
,
14516 { "OriginatorFlags", "smb2.svhdx_open_device_context.originator_flags", FT_UINT32
, BASE_HEX
,
14517 VALS(originator_flags_vals
), 0, NULL
, HFILL
}
14520 { &hf_smb2_svhdx_open_device_context_open_request_id
,
14521 { "OpenRequestId","smb2.svhxd_open_device_context.open_request_id", FT_UINT64
, BASE_HEX
,
14522 NULL
, 0, NULL
, HFILL
}
14525 { &hf_smb2_svhdx_open_device_context_initiator_host_name_len
,
14526 { "HostNameLength", "smb2.svhxd_open_device_context.initiator_host_name_len", FT_UINT16
, BASE_DEC
,
14527 NULL
, 0, NULL
, HFILL
}
14530 { &hf_smb2_svhdx_open_device_context_initiator_host_name
,
14531 { "HostName", "smb2.svhdx_open_device_context.host_name", FT_STRING
, BASE_NONE
,
14532 NULL
, 0, NULL
, HFILL
}
14535 { &hf_smb2_svhdx_open_device_context_virtual_disk_properties_initialized
,
14536 { "VirtualDiskPropertiesInitialized", "smb2.svhdx_open_device_context.virtual_disk_properties_initialized", FT_BOOLEAN
, BASE_NONE
,
14537 NULL
, 0, "Whether VirtualSectorSize, PhysicalSectorSize, and VirtualSize fields are filled", HFILL
}
14540 { &hf_smb2_svhdx_open_device_context_server_service_version
,
14541 { "ServerServiceVersion", "smb2.svhdx_open_device_context.server_service_version", FT_UINT32
, BASE_DEC
,
14542 NULL
, 0, "The current version of the protocol running on the server", HFILL
}
14545 { &hf_smb2_svhdx_open_device_context_virtual_sector_size
,
14546 { "VirtualSectorSize", "smb2.svhdx_open_device_context.virtual_sector_size", FT_UINT32
, BASE_DEC
,
14547 NULL
, 0, "The virtual sector size of the virtual disk", HFILL
}
14550 { &hf_smb2_svhdx_open_device_context_physical_sector_size
,
14551 { "PhysicalSectorSize", "smb2.svhdx_open_device_context.physical_sector_size", FT_UINT32
, BASE_DEC
,
14552 NULL
, 0, "The physical sector size of the virtual disk", HFILL
}
14555 { &hf_smb2_svhdx_open_device_context_virtual_size
,
14556 { "VirtualSize", "smb2.svhdx_open_device_context.virtual_size", FT_UINT64
, BASE_DEC
,
14557 NULL
, 0, "The current length of the virtual disk, in bytes", HFILL
}
14560 { &hf_smb2_app_instance_version_struct_size
,
14561 { "Struct Size", "smb2.app_instance_version.struct_size", FT_UINT16
, BASE_DEC
,
14562 NULL
, 0, NULL
, HFILL
}
14565 { &hf_smb2_app_instance_version_reserved
,
14566 { "Reserved", "smb2.app_instance_version.reserved", FT_UINT16
, BASE_DEC
,
14567 NULL
, 0, NULL
, HFILL
}
14570 { &hf_smb2_app_instance_version_padding
,
14571 { "Padding", "smb2.app_instance_version.padding", FT_UINT32
, BASE_HEX
,
14572 NULL
, 0, NULL
, HFILL
}
14575 { &hf_smb2_app_instance_version_high
,
14576 { "AppInstanceVersionHigh", "smb2.app_instance_version.version.high", FT_UINT64
, BASE_DEC
,
14577 NULL
, 0, NULL
, HFILL
}
14580 { &hf_smb2_app_instance_version_low
,
14581 { "AppInstanceVersionLow", "smb2.app_instance_version.version.low", FT_UINT64
, BASE_DEC
,
14582 NULL
, 0, NULL
, HFILL
}
14585 { &hf_smb2_posix_perms
,
14586 { "POSIX perms", "smb2.posix_perms", FT_UINT32
, BASE_OCT
,
14587 NULL
, 0, NULL
, HFILL
}
14590 { &hf_smb2_aapl_command_code
,
14591 { "Command code", "smb2.aapl.command_code", FT_UINT32
, BASE_DEC
,
14592 VALS(aapl_command_code_vals
), 0, NULL
, HFILL
}
14595 { &hf_smb2_aapl_reserved
,
14596 { "Reserved", "smb2.aapl.reserved", FT_UINT32
, BASE_HEX
,
14597 NULL
, 0, NULL
, HFILL
}
14600 { &hf_smb2_aapl_server_query_bitmask
,
14601 { "Query bitmask", "smb2.aapl.query_bitmask", FT_UINT64
, BASE_HEX
,
14602 NULL
, 0, NULL
, HFILL
}
14605 { &hf_smb2_aapl_server_query_bitmask_server_caps
,
14606 { "Server capabilities", "smb2.aapl.bitmask.server_caps", FT_BOOLEAN
, 64,
14607 NULL
, SMB2_AAPL_SERVER_CAPS
, NULL
, HFILL
}
14610 { &hf_smb2_aapl_server_query_bitmask_volume_caps
,
14611 { "Volume capabilities", "smb2.aapl.bitmask.volume_caps", FT_BOOLEAN
, 64,
14612 NULL
, SMB2_AAPL_VOLUME_CAPS
, NULL
, HFILL
}
14615 { &hf_smb2_aapl_server_query_bitmask_model_info
,
14616 { "Model information", "smb2.aapl.bitmask.model_info", FT_BOOLEAN
, 64,
14617 NULL
, SMB2_AAPL_MODEL_INFO
, NULL
, HFILL
}
14620 { &hf_smb2_aapl_server_query_caps
,
14621 { "Client/Server capabilities", "smb2.aapl.caps", FT_UINT64
, BASE_HEX
,
14622 NULL
, 0, NULL
, HFILL
}
14625 { &hf_smb2_aapl_server_query_caps_supports_read_dir_attr
,
14626 { "Supports READDIRATTR", "smb2.aapl.caps.supports_read_dir_addr", FT_BOOLEAN
, 64,
14627 NULL
, SMB2_AAPL_SUPPORTS_READ_DIR_ATTR
, NULL
, HFILL
}
14630 { &hf_smb2_aapl_server_query_caps_supports_osx_copyfile
,
14631 { "Supports macOS copyfile", "smb2.aapl.caps.supports_osx_copyfile", FT_BOOLEAN
, 64,
14632 NULL
, SMB2_AAPL_SUPPORTS_OSX_COPYFILE
, NULL
, HFILL
}
14635 { &hf_smb2_aapl_server_query_caps_unix_based
,
14636 { "UNIX-based", "smb2.aapl.caps.unix_based", FT_BOOLEAN
, 64,
14637 NULL
, SMB2_AAPL_UNIX_BASED
, NULL
, HFILL
}
14640 { &hf_smb2_aapl_server_query_caps_supports_nfs_ace
,
14641 { "Supports NFS ACE", "smb2.aapl.supports_nfs_ace", FT_BOOLEAN
, 64,
14642 NULL
, SMB2_AAPL_SUPPORTS_NFS_ACE
, NULL
, HFILL
}
14645 { &hf_smb2_aapl_server_query_volume_caps
,
14646 { "Volume capabilities", "smb2.aapl.volume_caps", FT_UINT64
, BASE_HEX
,
14647 NULL
, 0, NULL
, HFILL
}
14650 { &hf_smb2_aapl_server_query_volume_caps_support_resolve_id
,
14651 { "Supports Resolve ID", "smb2.aapl.volume_caps.supports_resolve_id", FT_BOOLEAN
, 64,
14652 NULL
, SMB2_AAPL_SUPPORTS_RESOLVE_ID
, NULL
, HFILL
}
14655 { &hf_smb2_aapl_server_query_volume_caps_case_sensitive
,
14656 { "Case sensitive", "smb2.aapl.volume_caps.case_sensitive", FT_BOOLEAN
, 64,
14657 NULL
, SMB2_AAPL_CASE_SENSITIVE
, NULL
, HFILL
}
14660 { &hf_smb2_aapl_server_query_volume_caps_supports_full_sync
,
14661 { "Supports full sync", "smb2.aapl.volume_caps.supports_full_sync", FT_BOOLEAN
, 64,
14662 NULL
, SMB2_AAPL_SUPPORTS_FULL_SYNC
, NULL
, HFILL
}
14665 { &hf_smb2_aapl_server_query_model_string
,
14666 { "Model string", "smb2.aapl.model_string", FT_UINT_STRING
, BASE_NONE
,
14667 NULL
, 0, NULL
, HFILL
}
14670 { &hf_smb2_aapl_server_query_server_path
,
14671 { "Server path", "smb2.aapl.server_path", FT_UINT_STRING
, BASE_NONE
,
14672 NULL
, 0, NULL
, HFILL
}
14675 { &hf_smb2_transform_signature
,
14676 { "Signature", "smb2.header.transform.signature", FT_BYTES
, BASE_NONE
,
14677 NULL
, 0, NULL
, HFILL
}
14680 { &hf_smb2_transform_nonce
,
14681 { "Nonce", "smb2.header.transform.nonce", FT_BYTES
, BASE_NONE
,
14682 NULL
, 0, NULL
, HFILL
}
14685 { &hf_smb2_transform_msg_size
,
14686 { "Message size", "smb2.header.transform.msg_size", FT_UINT32
, BASE_DEC
,
14687 NULL
, 0, NULL
, HFILL
}
14690 { &hf_smb2_transform_reserved
,
14691 { "Reserved", "smb2.header.transform.reserved", FT_BYTES
, BASE_NONE
,
14692 NULL
, 0, NULL
, HFILL
}
14695 /* SMB2 transform header flags */
14696 { &hf_smb2_transform_flags
,
14697 { "Flags", "smb2.header.transform.flags", FT_UINT16
, BASE_HEX
,
14698 NULL
, 0, "SMB2 transform flags", HFILL
}
14701 { &hf_smb2_transform_flags_encrypted
,
14702 { "Encrypted", "smb2.header.transform.flags.encrypted", FT_BOOLEAN
, 16,
14703 NULL
, SMB2_TRANSFORM_FLAGS_ENCRYPTED
,
14704 "Whether the payload is encrypted", HFILL
}
14707 { &hf_smb2_transform_encrypted_data
,
14708 { "Data", "smb2.header.transform.enc_data", FT_BYTES
, BASE_NONE
,
14709 NULL
, 0, NULL
, HFILL
}
14712 { &hf_smb2_comp_transform_orig_size
,
14713 { "OriginalSize", "smb2.header.comp_transform.original_size", FT_UINT32
, BASE_DEC
,
14714 NULL
, 0, NULL
, HFILL
}
14717 { &hf_smb2_comp_transform_comp_alg
,
14718 { "CompressionAlgorithm", "smb2.header.comp_transform.comp_alg", FT_UINT16
, BASE_HEX
,
14719 VALS(smb2_comp_alg_types
), 0, NULL
, HFILL
}
14722 { &hf_smb2_comp_transform_flags
,
14723 { "Flags", "smb2.header.comp_transform.flags", FT_UINT16
, BASE_HEX
,
14724 VALS(smb2_comp_transform_flags_vals
), 0, NULL
, HFILL
}
14727 { &hf_smb2_comp_transform_offset
,
14728 { "Offset", "smb2.header.comp_transform.offset", FT_UINT32
, BASE_HEX
,
14729 NULL
, 0, NULL
, HFILL
}
14732 { &hf_smb2_comp_transform_length
,
14733 { "Length", "smb2.header.comp_transform.length", FT_UINT32
, BASE_HEX
,
14734 NULL
, 0, NULL
, HFILL
}
14737 { &hf_smb2_comp_transform_data
,
14738 { "CompressedData", "smb2.header.comp_transform.data", FT_BYTES
, BASE_NONE
,
14739 NULL
, 0, NULL
, HFILL
}
14742 { &hf_smb2_comp_transform_orig_payload_size
,
14743 { "OriginalPayloadSize", "smb2.header.comp_transform.orig_payload_size", FT_UINT32
, BASE_DEC
,
14744 NULL
, 0, NULL
, HFILL
}
14747 { &hf_smb2_comp_pattern_v1_pattern
,
14748 { "Pattern", "smb2.pattern_v1.pattern", FT_UINT8
, BASE_HEX
,
14749 NULL
, 0, NULL
, HFILL
}
14752 { &hf_smb2_comp_pattern_v1_reserved1
,
14753 { "Reserved1", "smb2.pattern_v1.reserved1", FT_UINT8
, BASE_HEX
,
14754 NULL
, 0, NULL
, HFILL
}
14757 { &hf_smb2_comp_pattern_v1_reserved2
,
14758 { "Reserved2", "smb2.pattern_v1.reserved2", FT_UINT16
, BASE_HEX
,
14759 NULL
, 0, NULL
, HFILL
}
14762 { &hf_smb2_comp_pattern_v1_repetitions
,
14763 { "Repetitions", "smb2.pattern_v1.repetitions", FT_UINT32
, BASE_DEC
,
14764 NULL
, 0, NULL
, HFILL
}
14767 { &hf_smb2_protocol_id
,
14768 { "ProtocolId", "smb2.protocol_id", FT_UINT32
, BASE_HEX
,
14769 NULL
, 0, NULL
, HFILL
}
14772 { &hf_smb2_truncated
,
14773 { "Truncated...", "smb2.truncated", FT_NONE
, BASE_NONE
,
14774 NULL
, 0, NULL
, HFILL
}
14777 { &hf_smb2_pipe_fragment_overlap
,
14778 { "Fragment overlap", "smb2.pipe.fragment.overlap", FT_BOOLEAN
, BASE_NONE
,
14779 NULL
, 0x0, "Fragment overlaps with other fragments", HFILL
}
14782 { &hf_smb2_pipe_fragment_overlap_conflict
,
14783 { "Conflicting data in fragment overlap", "smb2.pipe.fragment.overlap.conflict", FT_BOOLEAN
, BASE_NONE
,
14784 NULL
, 0x0, NULL
, HFILL
}
14787 { &hf_smb2_pipe_fragment_multiple_tails
,
14788 { "Multiple tail fragments found", "smb2.pipe.fragment.multipletails", FT_BOOLEAN
, BASE_NONE
,
14789 NULL
, 0x0, "Several tails were found when defragmenting the packet", HFILL
}
14792 { &hf_smb2_pipe_fragment_too_long_fragment
,
14793 { "Fragment too long", "smb2.pipe.fragment.toolongfragment", FT_BOOLEAN
, BASE_NONE
,
14794 NULL
, 0x0, "Fragment contained data past end of packet", HFILL
}
14797 { &hf_smb2_pipe_fragment_error
,
14798 { "Defragmentation error", "smb2.pipe.fragment.error", FT_FRAMENUM
, BASE_NONE
,
14799 NULL
, 0x0, "Defragmentation error due to illegal fragments", HFILL
}
14802 { &hf_smb2_pipe_fragment_count
,
14803 { "Fragment count", "smb2.pipe.fragment.count", FT_UINT32
, BASE_DEC
,
14804 NULL
, 0x0, NULL
, HFILL
}
14807 { &hf_smb2_pipe_fragment
,
14808 { "Fragment SMB2 Named Pipe", "smb2.pipe.fragment", FT_FRAMENUM
, BASE_NONE
,
14809 NULL
, 0x0, NULL
, HFILL
}
14812 { &hf_smb2_pipe_fragments
,
14813 { "Reassembled SMB2 Named Pipe fragments", "smb2.pipe.fragments", FT_NONE
, BASE_NONE
,
14814 NULL
, 0x0, NULL
, HFILL
}
14817 { &hf_smb2_pipe_reassembled_in
,
14818 { "This SMB2 Named Pipe payload is reassembled in frame", "smb2.pipe.reassembled_in", FT_FRAMENUM
, BASE_NONE
,
14819 NULL
, 0x0, "The Named Pipe PDU is completely reassembled in this frame", HFILL
}
14822 { &hf_smb2_pipe_reassembled_length
,
14823 { "Reassembled SMB2 Named Pipe length", "smb2.pipe.reassembled.length", FT_UINT32
, BASE_DEC
,
14824 NULL
, 0x0, "The total length of the reassembled payload", HFILL
}
14827 { &hf_smb2_pipe_reassembled_data
,
14828 { "Reassembled SMB2 Named Pipe Data", "smb2.pipe.reassembled.data", FT_BYTES
, BASE_NONE
,
14829 NULL
, 0x0, "The reassembled payload", HFILL
}
14832 { &hf_smb2_cchunk_resume_key
,
14833 { "ResumeKey", "smb2.fsctl.cchunk.resume_key", FT_BYTES
, BASE_NONE
,
14834 NULL
, 0x0, "Opaque data representing source of copy", HFILL
}
14837 { &hf_smb2_cchunk_count
,
14838 { "Chunk Count", "smb2.fsctl.cchunk.count", FT_UINT32
, BASE_DEC
,
14839 NULL
, 0x0, NULL
, HFILL
}
14842 { &hf_smb2_cchunk_src_offset
,
14843 { "Source Offset", "smb2.fsctl.cchunk.src_offset", FT_UINT64
, BASE_DEC
,
14844 NULL
, 0x0, NULL
, HFILL
}
14847 { &hf_smb2_cchunk_dst_offset
,
14848 { "Target Offset", "smb2.fsctl.cchunk.dst_offset", FT_UINT64
, BASE_DEC
,
14849 NULL
, 0x0, NULL
, HFILL
}
14852 { &hf_smb2_cchunk_xfer_len
,
14853 { "Transfer Length", "smb2.fsctl.cchunk.xfer_len", FT_UINT32
, BASE_DEC
,
14854 NULL
, 0x0, NULL
, HFILL
}
14857 { &hf_smb2_cchunk_chunks_written
,
14858 { "Chunks Written", "smb2.fsctl.cchunk.chunks_written", FT_UINT32
, BASE_DEC
,
14859 NULL
, 0x0, NULL
, HFILL
}
14862 { &hf_smb2_cchunk_bytes_written
,
14863 { "Chunk Bytes Written", "smb2.fsctl.cchunk.bytes_written", FT_UINT32
, BASE_DEC
,
14864 NULL
, 0x0, NULL
, HFILL
}
14867 { &hf_smb2_cchunk_total_written
,
14868 { "Total Bytes Written", "smb2.fsctl.cchunk.total_written", FT_UINT32
, BASE_DEC
,
14869 NULL
, 0x0, NULL
, HFILL
}
14871 { &hf_smb2_reparse_tag
,
14872 { "Reparse Tag", "smb2.reparse_tag", FT_UINT32
, BASE_HEX
,
14873 VALS(reparse_tag_vals
), 0x0, NULL
, HFILL
}
14875 { &hf_smb2_reparse_guid
,
14876 { "Reparse GUID", "smb2.reparse_guid", FT_NONE
, BASE_NONE
,
14877 NULL
, 0, NULL
, HFILL
}
14879 { &hf_smb2_reparse_data_length
,
14880 { "Reparse Data Length", "smb2.reparse_data_length", FT_UINT16
, BASE_DEC
,
14881 NULL
, 0x0, NULL
, HFILL
}
14883 { &hf_smb2_reparse_data_buffer
,
14884 { "Reparse Data Buffer", "smb2.reparse_data_buffer", FT_NONE
, BASE_NONE
,
14885 NULL
, 0, NULL
, HFILL
}
14887 { &hf_smb2_nfs_type
,
14888 { "NFS file type", "smb2.nfs.type", FT_UINT64
, BASE_HEX
|BASE_VAL64_STRING
,
14889 VALS64(nfs_type_vals
), 0x0, NULL
, HFILL
}
14891 { &hf_smb2_nfs_symlink_target
,
14892 { "Symlink Target", "smb2.nfs.symlink.target", FT_STRING
,
14893 BASE_NONE
, NULL
, 0x0, NULL
, HFILL
}
14895 { &hf_smb2_nfs_chr_major
,
14896 { "Major", "smb2.nfs.char.major", FT_UINT32
,
14897 BASE_HEX
, NULL
, 0x0, NULL
, HFILL
}
14899 { &hf_smb2_nfs_chr_minor
,
14900 { "Minor", "smb2.nfs.char.minor", FT_UINT32
,
14901 BASE_HEX
, NULL
, 0x0, NULL
, HFILL
}
14903 { &hf_smb2_nfs_blk_major
,
14904 { "Major", "smb2.nfs.block.major", FT_UINT32
,
14905 BASE_HEX
, NULL
, 0x0, NULL
, HFILL
}
14907 { &hf_smb2_nfs_blk_minor
,
14908 { "Minor", "smb2.nfs.block.minor", FT_UINT32
,
14909 BASE_HEX
, NULL
, 0x0, NULL
, HFILL
}
14911 { &hf_smb2_symlink_error_response
,
14912 { "Symbolic Link Error Response", "smb2.symlink_error_response", FT_NONE
, BASE_NONE
,
14913 NULL
, 0, NULL
, HFILL
}
14915 { &hf_smb2_symlink_length
,
14916 { "SymLink Length", "smb2.symlink.length", FT_UINT32
,
14917 BASE_DEC
, NULL
, 0x0, NULL
, HFILL
}
14919 { &hf_smb2_symlink_error_tag
,
14920 { "SymLink Error Tag", "smb2.symlink.error_tag", FT_UINT32
,
14921 BASE_HEX
, NULL
, 0x0, NULL
, HFILL
}
14923 { &hf_smb2_unparsed_path_length
,
14924 { "Unparsed Path Length", "smb2.symlink.unparsed_path_length", FT_UINT16
, BASE_DEC
,
14925 NULL
, 0x0, NULL
, HFILL
}
14927 { &hf_smb2_symlink_substitute_name
,
14928 { "Substitute Name", "smb2.symlink.substitute_name", FT_STRING
, BASE_NONE
,
14929 NULL
, 0x0, NULL
, HFILL
}
14931 { &hf_smb2_symlink_print_name
,
14932 { "Print Name", "smb2.symlink.print_name", FT_STRING
, BASE_NONE
,
14933 NULL
, 0x0, NULL
, HFILL
}
14935 { &hf_smb2_symlink_flags
,
14936 { "Flags", "smb2.symlink.flags", FT_UINT32
, BASE_DEC
,
14937 NULL
, 0x0, NULL
, HFILL
}
14939 { &hf_smb2_fscc_file_attr
,
14940 { "File Attributes", "smb2.file_attribute", FT_UINT32
, BASE_HEX
,
14941 NULL
, 0x0, NULL
, HFILL
}
14943 { &hf_smb2_fscc_file_attr_read_only
,
14944 { "Read Only", "smb2.file_attribute.read_only", FT_BOOLEAN
, 32,
14945 TFS(&tfs_yes_no
), SMB2_FSCC_FILE_ATTRIBUTE_READ_ONLY
, "READ ONLY file attribute", HFILL
} },
14947 { &hf_smb2_fscc_file_attr_hidden
,
14948 { "Hidden", "smb2.file_attribute.hidden", FT_BOOLEAN
, 32,
14949 TFS(&tfs_yes_no
), SMB2_FSCC_FILE_ATTRIBUTE_HIDDEN
, "HIDDEN file attribute", HFILL
} },
14951 { &hf_smb2_fscc_file_attr_system
,
14952 { "System", "smb2.file_attribute.system", FT_BOOLEAN
, 32,
14953 TFS(&tfs_yes_no
), SMB2_FSCC_FILE_ATTRIBUTE_SYSTEM
, "SYSTEM file attribute", HFILL
} },
14955 { &hf_smb2_fscc_file_attr_directory
,
14956 { "Directory", "smb2.file_attribute.directory", FT_BOOLEAN
, 32,
14957 TFS(&tfs_yes_no
), SMB2_FSCC_FILE_ATTRIBUTE_DIRECTORY
, "DIRECTORY file attribute", HFILL
} },
14959 { &hf_smb2_fscc_file_attr_archive
,
14960 { "Requires archived", "smb2.file_attribute.archive", FT_BOOLEAN
, 32,
14961 TFS(&tfs_yes_no
), SMB2_FSCC_FILE_ATTRIBUTE_ARCHIVE
, "ARCHIVE file attribute", HFILL
} },
14963 { &hf_smb2_fscc_file_attr_normal
,
14964 { "Normal", "smb2.file_attribute.normal", FT_BOOLEAN
, 32,
14965 TFS(&tfs_yes_no
), SMB2_FSCC_FILE_ATTRIBUTE_NORMAL
, "Is this a normal file?", HFILL
} },
14967 { &hf_smb2_fscc_file_attr_temporary
,
14968 { "Temporary", "smb2.file_attribute.temporary", FT_BOOLEAN
, 32,
14969 TFS(&tfs_yes_no
), SMB2_FSCC_FILE_ATTRIBUTE_TEMPORARY
, "Is this a temporary file?", HFILL
} },
14971 { &hf_smb2_fscc_file_attr_sparse_file
,
14972 { "Sparse", "smb2.file_attribute.sparse", FT_BOOLEAN
, 32,
14973 TFS(&tfs_yes_no
), SMB2_FSCC_FILE_ATTRIBUTE_SPARSE_FILE
, "Is this a sparse file?", HFILL
} },
14975 { &hf_smb2_fscc_file_attr_reparse_point
,
14976 { "Reparse Point", "smb2.file_attribute.reparse", FT_BOOLEAN
, 32,
14977 TFS(&tfs_fscc_file_attribute_reparse
), SMB2_FSCC_FILE_ATTRIBUTE_REPARSE_POINT
, "Does this file have an associated reparse point?", HFILL
} },
14979 { &hf_smb2_fscc_file_attr_compressed
,
14980 { "Compressed", "smb2.file_attribute.compressed", FT_BOOLEAN
, 32,
14981 TFS(&tfs_fscc_file_attribute_compressed
), SMB2_FSCC_FILE_ATTRIBUTE_COMPRESSED
, "Is this file compressed?", HFILL
} },
14983 { &hf_smb2_fscc_file_attr_offline
,
14984 { "Offline", "smb2.file_attribute.offline", FT_BOOLEAN
, 32,
14985 TFS(&tfs_fscc_file_attribute_offline
), SMB2_FSCC_FILE_ATTRIBUTE_OFFLINE
, "Is this file offline?", HFILL
} },
14987 { &hf_smb2_fscc_file_attr_not_content_indexed
,
14988 { "Not Content Indexed", "smb2.file_attribute.not_content_indexed", FT_BOOLEAN
, 32,
14989 TFS(&tfs_fscc_file_attribute_not_content_indexed
), SMB2_FSCC_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED
, "May this file be indexed by the content indexing service", HFILL
} },
14991 { &hf_smb2_fscc_file_attr_encrypted
,
14992 { "Encrypted", "smb2.file_attribute.encrypted", FT_BOOLEAN
, 32,
14993 TFS(&tfs_yes_no
), SMB2_FSCC_FILE_ATTRIBUTE_ENCRYPTED
, "Is this file encrypted?", HFILL
} },
14995 { &hf_smb2_fscc_file_attr_integrity_stream
,
14996 { "Integrity Stream", "smb2.file_attribute.integrity_stream", FT_BOOLEAN
, 32,
14997 TFS(&tfs_fscc_file_attribute_integrity_stream
), SMB2_FSCC_FILE_ATTRIBUTE_INTEGRITY_STREAM
, "Is this file configured with integrity support?", HFILL
} },
14999 { &hf_smb2_fscc_file_attr_no_scrub_data
,
15000 { "No Scrub Data", "smb2.file_attribute.no_scrub_data", FT_BOOLEAN
, 32,
15001 TFS(&tfs_fscc_file_attribute_no_scrub_data
), SMB2_FSCC_FILE_ATTRIBUTE_NO_SCRUB_DATA
, "Is this file configured to be excluded from the data integrity scan?", HFILL
} },
15003 { &hf_smb2_fsctl_infoex_enable_integrity
,
15004 {"Enable Integrity", "smb2.fsctl.infoex.enable_integrity", FT_UINT8
, BASE_HEX
,
15005 VALS(smb2_fsctl_infoex_integrity_modes
), 0, NULL
, HFILL
} },
15007 { &hf_smb2_fsctl_infoex_keep_integrity_state
,
15008 {"Integrity State", "smb2.fsctl.infoex.keep_integrity_state", FT_UINT8
, BASE_HEX
,
15009 VALS(smb2_fsctl_infoex_integrity_state
), 0, NULL
, HFILL
} },
15011 { &hf_smb2_fsctl_infoex_reserved
,
15012 {"Reserved", "smb2.fsctl.infoex.reserved", FT_UINT16
, BASE_HEX
,
15013 NULL
, 0, NULL
, HFILL
} },
15015 { &hf_smb2_fsctl_infoex_flags
,
15016 { "Flags", "smb2.fsctl.infoex.flags", FT_UINT32
, BASE_HEX
,
15017 NULL
, 0, NULL
, HFILL
} },
15019 { &hf_smb2_fsctl_infoex_version
,
15020 { "Version", "smb2.fsctl.infoex.version", FT_UINT8
, BASE_DEC
,
15021 NULL
, 0, NULL
, HFILL
} },
15023 { &hf_smb2_fsctl_infoex_reserved2
,
15024 { "Reserved", "smb2.fsctl.infoex.reserved2", FT_UINT56
, BASE_HEX
,
15025 NULL
, 0, NULL
, HFILL
} },
15027 { &hf_smb2_query_info_flags
,
15028 {"Flags", "smb2.query_info.flags", FT_UINT32
, BASE_HEX
,
15029 NULL
, 0, NULL
, HFILL
}},
15031 { &hf_smb2_query_info_flag_restart_scan
,
15032 {"SL Restart Scan", "smb2.query_info.flags.restart_scan", FT_BOOLEAN
, 32,
15033 NULL
, SMB2_SL_RESTART_SCAN
, "Restart the scan for EAs from the beginning", HFILL
} },
15035 { &hf_smb2_query_info_flag_return_single_entry
,
15036 {"SL Return Single Entry", "smb2.query_info.flags.return_single_entry", FT_BOOLEAN
, 32,
15037 NULL
, SMB2_SL_RETURN_SINGLE_ENTRY
, "Return a single EA entry in the response buffer.", HFILL
} },
15039 { &hf_smb2_query_info_flag_index_specified
,
15040 {"SL Index Specified", "smb2.query_info.flags.index_specified", FT_BOOLEAN
, 32,
15041 NULL
, SL_INDEX_SPECIFIED
, "The caller has specified an EA index.", HFILL
} },
15043 { &hf_smb2_notification_type
,
15044 { "Notification Type", "smb2.notification.type", FT_UINT32
, BASE_HEX
,
15045 VALS(server_notification_types
), 0, NULL
, HFILL
} },
15048 &hf_smb2_fscc_refs_snapshot_mgmt_operation
,
15049 { "Operation", "smb2.refs.snapshot.mgmt.op", FT_UINT32
, BASE_HEX
,
15050 VALS(refs_stream_snapshot_operation_types
), 0, NULL
, HFILL
}},
15053 &hf_smb2_fscc_refs_snapshot_mgmt_namelen
,
15054 { "Name Length", "smb2.refs.snapshot.mgmt.namelen", FT_UINT16
, BASE_DEC
,
15055 NULL
, 0, NULL
, HFILL
}},
15058 &hf_smb2_fscc_refs_snapshot_mgmt_input_buffer_len
,
15059 { "Input Buffer Length", "smb2.refs.snapshot.mgmt.input_buffer_len", FT_UINT16
, BASE_DEC
,
15060 NULL
, 0, NULL
, HFILL
}},
15063 &hf_smb2_fscc_refs_snapshot_mgmt_reserved
,
15064 { "Reserved", "smb2.refs.snapshot.mgmt.reserved", FT_BYTES
, BASE_NONE
,
15065 NULL
, 0, NULL
, HFILL
}},
15068 &hf_smb2_fscc_refs_snapshot_mgmt_name
,
15069 { "Name", "smb2.refs.snapshot.mgmt.name", FT_STRING
, BASE_NONE
,
15070 NULL
, 0x0, NULL
, HFILL
}},
15073 &hf_smb2_fscc_refs_snapshot_query_delta_buffer_startvcn
,
15074 { "Starting VCN", "smb2.refs.snapshot.query.delta_buffer.startvcn", FT_UINT64
, BASE_DEC
,
15075 NULL
, 0, NULL
, HFILL
}},
15078 &hf_smb2_fscc_refs_snapshot_query_delta_buffer_flags
,
15079 { "Flags", "smb2.refs.snapshot.query.delta_buffer.flags", FT_UINT32
, BASE_DEC
,
15080 NULL
, 0, NULL
, HFILL
}},
15083 &hf_smb2_fscc_refs_snapshot_query_delta_buffer_reserved
,
15084 { "Reserved", "smb2.refs.snapshot.query.delta_buffer.reserved", FT_UINT32
, BASE_DEC
,
15085 NULL
, 0, NULL
, HFILL
}},
15087 { &hf_smb2_flush_reserved2
,
15088 { "Reserved2", "smb2.flush.reserved2", FT_BYTES
, BASE_NONE
,
15089 NULL
, 0, NULL
, HFILL
}},
15093 static int *ett
[] = {
15098 &ett_smb2_encrypted
,
15099 &ett_smb2_compressed
,
15100 &ett_smb2_decompressed
,
15103 &ett_smb2_negotiate_context_element
,
15104 &ett_smb2_file_basic_info
,
15105 &ett_smb2_file_standard_info
,
15106 &ett_smb2_file_internal_info
,
15107 &ett_smb2_file_ea_info
,
15108 &ett_smb2_file_access_info
,
15109 &ett_smb2_file_rename_info
,
15110 &ett_smb2_file_link_info
,
15111 &ett_smb2_file_disposition_info
,
15112 &ett_smb2_file_position_info
,
15113 &ett_smb2_file_full_ea_info
,
15114 &ett_smb2_file_mode_info
,
15115 &ett_smb2_file_alignment_info
,
15116 &ett_smb2_file_all_info
,
15117 &ett_smb2_file_allocation_info
,
15118 &ett_smb2_file_endoffile_info
,
15119 &ett_smb2_file_alternate_name_info
,
15120 &ett_smb2_file_stream_info
,
15121 &ett_smb2_file_pipe_info
,
15122 &ett_smb2_file_compression_info
,
15123 &ett_smb2_file_network_open_info
,
15124 &ett_smb2_file_attribute_tag_info
,
15125 &ett_smb2_file_normalized_name_info
,
15126 &ett_smb2_fs_info_01
,
15127 &ett_smb2_fs_info_03
,
15128 &ett_smb2_fs_info_04
,
15129 &ett_smb2_fs_info_05
,
15130 &ett_smb2_fs_info_06
,
15131 &ett_smb2_fs_info_07
,
15132 &ett_smb2_fs_objectid_info
,
15133 &ett_smb2_fs_posix_info
,
15134 &ett_smb2_sec_info_00
,
15135 &ett_smb2_additional_information_sec_mask
,
15136 &ett_smb2_quota_info
,
15137 &ett_smb2_query_quota_info
,
15138 &ett_smb2_tid_tree
,
15139 &ett_smb2_sesid_tree
,
15140 &ett_smb2_create_chain_element
,
15141 &ett_smb2_MxAc_buffer
,
15142 &ett_smb2_QFid_buffer
,
15143 &ett_smb2_RqLs_buffer
,
15144 &ett_smb2_ioctl_function
,
15145 &ett_smb2_FILE_OBJECTID_BUFFER
,
15147 &ett_smb2_sec_mode
,
15148 &ett_smb2_capabilities
,
15149 &ett_smb2_ses_req_flags
,
15150 &ett_smb2_ses_flags
,
15151 &ett_smb2_create_rep_flags
,
15152 &ett_smb2_lease_state
,
15153 &ett_smb2_lease_flags
,
15154 &ett_smb2_share_flags
,
15155 &ett_smb2_share_caps
,
15156 &ett_smb2_comp_alg_flags
,
15157 &ett_smb2_ioctl_flags
,
15158 &ett_smb2_ioctl_network_interface
,
15159 &ett_smb2_ioctl_sqos_opeations
,
15160 &ett_smb2_fsctl_range_data
,
15161 &ett_windows_sockaddr
,
15162 &ett_smb2_close_flags
,
15163 &ett_smb2_notify_info
,
15164 &ett_smb2_notify_flags
,
15166 &ett_smb2_write_flags
,
15167 &ett_smb2_find_flags
,
15168 &ett_smb2_file_directory_info
,
15169 &ett_smb2_both_directory_info
,
15170 &ett_smb2_id_both_directory_info
,
15171 &ett_smb2_full_directory_info
,
15172 &ett_smb2_posix_info
,
15173 &ett_smb2_file_name_info
,
15174 &ett_smb2_lock_info
,
15175 &ett_smb2_lock_flags
,
15176 &ett_smb2_DH2Q_buffer
,
15177 &ett_smb2_DH2C_buffer
,
15178 &ett_smb2_dh2x_flags
,
15179 &ett_smb2_APP_INSTANCE_buffer
,
15180 &ett_smb2_svhdx_open_device_context
,
15181 &ett_smb2_app_instance_version_buffer
,
15182 &ett_smb2_app_instance_version_buffer_version
,
15183 &ett_smb2_aapl_create_context_request
,
15184 &ett_smb2_aapl_server_query_bitmask
,
15185 &ett_smb2_aapl_server_query_caps
,
15186 &ett_smb2_aapl_create_context_response
,
15187 &ett_smb2_aapl_server_query_volume_caps
,
15188 &ett_smb2_integrity_flags
,
15189 &ett_smb2_buffercode
,
15190 &ett_smb2_ioctl_network_interface_capabilities
,
15191 &ett_smb2_tree_connect_flags
,
15193 &ett_smb2_pipe_fragment
,
15194 &ett_smb2_pipe_fragments
,
15195 &ett_smb2_cchunk_entry
,
15196 &ett_smb2_fsctl_odx_token
,
15197 &ett_smb2_symlink_error_response
,
15198 &ett_smb2_reparse_data_buffer
,
15199 &ett_smb2_error_data
,
15200 &ett_smb2_error_context
,
15201 &ett_smb2_error_redir_context
,
15202 &ett_smb2_error_redir_ip_list
,
15203 &ett_smb2_read_flags
,
15204 &ett_smb2_signature
,
15205 &ett_smb2_transform_flags
,
15206 &ett_smb2_fscc_file_attributes
,
15207 &ett_smb2_comp_pattern_v1
,
15208 &ett_smb2_comp_payload
,
15209 &ett_smb2_query_info_flags
,
15210 &ett_smb2_server_notification
,
15211 &ett_smb2_fscc_refs_snapshot_query_delta_buffer
,
15214 static ei_register_info ei
[] = {
15215 { &ei_smb2_invalid_length
, { "smb2.invalid_length", PI_MALFORMED
, PI_ERROR
, "Invalid length", EXPFILL
}},
15216 { &ei_smb2_bad_response
, { "smb2.bad_response", PI_MALFORMED
, PI_ERROR
, "Bad response", EXPFILL
}},
15217 { &ei_smb2_bad_negprot_negotiate_context_count
, { "smb2.bad_negprot_negotiate_context_count", PI_MALFORMED
, PI_ERROR
, "Negotiate Protocol request NegotiateContextCount is nonzero without SMB 3.11 support", EXPFILL
}},
15218 { &ei_smb2_bad_negprot_negotiate_context_offset
, { "smb2.bad_negprot_negotiate_context_offset", PI_MALFORMED
, PI_ERROR
, "Negotiate Protocol request NegotiateContextOffset is nonzero without SMB 3.11 support", EXPFILL
}},
15219 { &ei_smb2_bad_negprot_reserved
, { "smb2.bad_negprot_reserved", PI_MALFORMED
, PI_ERROR
, "Negotiate Protocol response Reserved is nonzero", EXPFILL
}},
15220 { &ei_smb2_bad_negprot_reserved2
, { "smb2.bad_negprot_reserved2", PI_MALFORMED
, PI_ERROR
, "Negotiate Protocol response Reserved2 is nonzero", EXPFILL
}},
15221 { &ei_smb2_invalid_getinfo_offset
, { "smb2.invalid_getinfo_offset", PI_MALFORMED
, PI_ERROR
, "Input buffer offset isn't past the fixed data in the message", EXPFILL
}},
15222 { &ei_smb2_invalid_getinfo_size
, { "smb2.invalid_getinfo_size", PI_MALFORMED
, PI_ERROR
, "Input buffer length goes past the end of the message", EXPFILL
}},
15223 { &ei_smb2_empty_getinfo_buffer
, { "smb2.empty_getinfo_buffer", PI_PROTOCOL
, PI_WARN
, "Input buffer length is empty for a quota request", EXPFILL
}},
15224 { &ei_smb2_invalid_signature
, { "smb2.invalid_signature", PI_MALFORMED
, PI_ERROR
, "Invalid Signature", EXPFILL
}},
15225 { &ei_smb2_ntlmssp_sessionkey
, { "smb2.ntlmssp.sessionkey", PI_SECURITY
, PI_CHAT
, "NTLMSSP SessionKey", EXPFILL
}},
15228 expert_module_t
* expert_smb2
;
15230 /* SessionID <=> SessionKey mappings for decryption */
15233 static uat_field_t seskey_uat_fields
[] = {
15234 UAT_FLD_BUFFER(seskey_list
, id
, "Session ID", "The session ID buffer, coded as hex string, as it appears on the wire (LE)."),
15235 UAT_FLD_BUFFER(seskey_list
, seskey
, "Session Key", "The secret session key buffer, coded as 16-byte hex string."),
15236 UAT_FLD_BUFFER(seskey_list
, s2ckey
, "Server-to-Client", "The AES-128 key used by the client to decrypt server messages, coded as 16-byte hex string."),
15237 UAT_FLD_BUFFER(seskey_list
, c2skey
, "Client-to-Server", "The AES-128 key used by the server to decrypt client messages, coded as 16-byte hex string."),
15241 proto_smb2
= proto_register_protocol("SMB2 (Server Message Block Protocol version 2)",
15243 proto_register_subtree_array(ett
, array_length(ett
));
15244 proto_register_field_array(proto_smb2
, hf
, array_length(hf
));
15245 expert_smb2
= expert_register_protocol(proto_smb2
);
15246 expert_register_field_array(expert_smb2
, ei
, array_length(ei
));
15248 smb2_module
= prefs_register_protocol(proto_smb2
, NULL
);
15249 prefs_register_bool_preference(smb2_module
, "eosmb2_take_name_as_fid",
15250 "Use the full file name as File ID when exporting an SMB2 object",
15251 "Whether the export object functionality will take the full path file name as file identifier",
15252 &eosmb2_take_name_as_fid
);
15254 prefs_register_bool_preference(smb2_module
, "pipe_reassembly",
15255 "Reassemble Named Pipes over SMB2",
15256 "Whether the dissector should reassemble Named Pipes over SMB2 commands",
15257 &smb2_pipe_reassembly
);
15259 prefs_register_bool_preference(smb2_module
, "verify_signatures",
15260 "Verify SMB2 Signatures",
15261 "Whether the dissector should try to verify SMB2 signatures",
15262 &smb2_verify_signatures
);
15264 seskey_uat
= uat_new("Secret session key to use for decryption",
15265 sizeof(smb2_seskey_field_t
),
15266 "smb2_seskey_list",
15270 (UAT_AFFECTS_DISSECTION
| UAT_AFFECTS_FIELDS
),
15272 seskey_list_copy_cb
,
15273 seskey_list_update_cb
,
15274 seskey_list_free_cb
,
15277 seskey_uat_fields
);
15279 prefs_register_uat_preference(smb2_module
,
15281 "Secret session keys for decryption",
15282 "A table of Session ID to Session keys mappings used to decrypt traffic.",
15285 smb2_pipe_subdissector_list
= register_heur_dissector_list_with_description("smb2_pipe_subdissectors", "SMB2 Pipe data", proto_smb2
);
15287 * XXX - addresses_ports_reassembly_table_functions?
15288 * Probably correct for SMB-over-NBT and SMB-over-TCP,
15289 * as stuff from two different connections should
15290 * probably not be combined, but what about other
15291 * transports for SMB, e.g. NBF or Netware?
15293 reassembly_table_register(&smb2_pipe_reassembly_table
,
15294 &addresses_reassembly_table_functions
);
15296 smb2_tap
= register_tap("smb2");
15297 smb2_eo_tap
= register_tap("smb_eo"); /* SMB Export Object tap */
15299 register_srt_table(proto_smb2
, NULL
, 1, smb2stat_packet
, smb2stat_init
, NULL
);
15300 smb2_sessions
= wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), smb2_sesid_info_hash
, smb2_sesid_info_equal
);
/*
 * Handoff routine for the SMB2 dissector.
 *
 * Resolves the "gssapi", "ntlmssp" and "rsvd" dissector handles (each
 * recorded as a dependency of proto_smb2) and then adds dissect_smb2_heur
 * to the "netbios" and "smb_direct" heuristic dissector lists.
 *
 * Both heuristic entries are registered with HEURISTIC_ENABLE, i.e. they
 * are switched on by default.
 * NOTE(review): dissect_smb2_heur is therefore handed raw capture payload
 * from those transports without any opt-in; its body is not visible here,
 * so confirm it validates lengths before it claims a packet.
 */
void
proto_reg_handoff_smb2(void)
{
	/* One row per heuristic list that SMB2 attaches itself to. */
	static const struct {
		const char *list_name;
		const char *display_name;
		const char *internal_name;
	} heur_regs[] = {
		{ "netbios",    "SMB2 over Netbios",    "smb2_netbios" },
		{ "smb_direct", "SMB2 over SMB Direct", "smb2_smb_direct" },
	};
	unsigned int i;

	/* Handles for the sub-dissectors SMB2 calls into. */
	gssapi_handle = find_dissector_add_dependency("gssapi", proto_smb2);
	ntlmssp_handle = find_dissector_add_dependency("ntlmssp", proto_smb2);
	rsvd_handle = find_dissector_add_dependency("rsvd", proto_smb2);

	/* Same callback for every transport; only the list and the names differ. */
	for (i = 0; i < sizeof heur_regs / sizeof heur_regs[0]; i++) {
		heur_dissector_add(heur_regs[i].list_name, dissect_smb2_heur,
				   heur_regs[i].display_name,
				   heur_regs[i].internal_name,
				   proto_smb2, HEURISTIC_ENABLE);
	}
}
15314 * Editor modelines - https://www.wireshark.org/tools/modelines.html
15317 * c-basic-offset: 8
15319 * indent-tabs-mode: t
15322 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
15323 * :indentSize=8:tabSize=8:noTabs=false: