be done on flows from one address to another; reassembly for protocols
running atop TCP should be done on flows from one TCP endpoint to
another.
We do this by:
adding "reassembly table" as a data structure;
associating hash tables for both in-progress reassemblies and
completed reassemblies with that data structure (currently, not
all reassemblies use the latter; they might keep completed
reassemblies in the first table);
having functions to create and destroy keys in that table;
offering standard routines for doing address-based and
address-and-port-based flow processing, so that dissectors not
needing their own specialized flow processing can just use them.
This fixes some mis-reassemblies of NIS YPSERV YPALL responses (where
the second YPALL response is processed as if it were a continuation of
a previous response between different endpoints, even though said
response is already reassembled), and also allows the DCE RPC-specific
stuff to be moved out of epan/reassembly.c into the DCE RPC dissector.
svn path=/trunk/; revision=48491
Added functionality:
- SMB2 support for Export->Objects->SMB
- support for SMB_COM_CREATE, SMB_COM_OPEN, SMB_COM_READ and SMB_COM_WRITE commands
- Ability to choose between File Id and full file name as identifier for file re-building. Implemented as an option under Edit->Preferences->Protocols->SMB and Edit->Preferences->Protocols->SMB2.
Other minor changes and fixes:
- Full filename in file
- Inclusion of IP of SMB server when treeid name (i.e. hostname) is not known
- UTF-8 filenames encoding before passing them to Export Object Window
- Re-written insert_chunk function of export_object_smb.c to make it easier to debug
- Fixed of an error in insert_chunk function of export_object_smb.c (the verification of next free_chunk was always skipped after deleting one free_chunk).
- Removed duplicated code by inserting the function feed_eo_smb in packet-smb.c and packet-smb2.c
- Changed the label of Export->Objects->SMB menu into Export->Objects->SMB/SMB2
svn path=/trunk/; revision=48210
tvbuff and runs to the end of the tvbuff? Let me count the ways....
Replace a bunch of different ways of doing that (some incorrect, in that
they're not properly handling tvbuffs where the captured and reported
lengths are different) with tvb_new_subset_remaining().
svn path=/trunk/; revision=47751
packet-smb.c does not handle truncated frames well when dealing with TRANS2 FIND_{FIRST/NEXT} responses
The current code simply throws an exception if any of the expected data is
missing, even though there might be several file's worth of data available.
I will attach a patch that does a better job of handling truncated frames in
such cases.
svn path=/trunk/; revision=45480
packet-smb.c does not correctly dissect INFO_QUERY_EAS_FROM_LIST
[MS-CIFS].pdf makes it clear that, contrary to what packet-smb.c says, handling
the response to a TRANS2/FIND_{FIRST,NEXT} with a level of
INFO_QUERY_EAS_FROM_LIST is not the same as handling INFO_QUERY_EA_SIZE.
svn path=/trunk/; revision=45479
The reassembled fragments tree in the Packet Details view is awesome, but it
lacks one thing: a field that exposes the reassembled data.
tcp.data already exists for exposing a single TCP segment's payload as a byte
array. It would be handy to have something similar for a single application
layer PDU when TCP segment reassembly is involved. I propose
tcp.reassembled.data, named and placed after the already existing field
tcp.reassembled.length.
My primary use case for this feature is outputting tcp.reassembled.data with
tshark for further processing with a script.
The attached patch implements this very feature. Because the reassembled
fragment tree code is general purpose, i.e. not specific to just TCP, any
dissector that relies upon it can add a similar field very cheaply. In that
vein I've also implemented ip.reassembled.data and ipv6.reassembled.data, which
expose reassembled fragment data as a single byte stream for IPv4 and IPv6,
respectively. All other protocols that use the reassembly code have been left
alone, other than inserting NULL into their initializer lists for the newly
introduced struct field reassemble.h:fragment_items.hf_reassembled_data.
svn path=/trunk/; revision=44802
Also (for a few files):
- create/use some extended value strings;
- remove unneeded #include files;
- remove unneeded variable initialization;
- re-order fcns slightly so prefs_reg_handoff...() at end, etc
svn path=/trunk/; revision=44438
Valgrind log:
= 2,656 (640 direct, 2,016 indirect) bytes in 40 blocks are definitely lost in loss record 41,241 of 41,608
= at 0x4C26ABB: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
= by 0xC5B0574: g_malloc (in /usr/lib64/libglib-2.0.so.0.2800.8)
= by 0xC5C94DF: g_slice_alloc (in /usr/lib64/libglib-2.0.so.0.2800.8)
= by 0xC5CA5ED: g_slist_insert_sorted (in /usr/lib64/libglib-2.0.so.0.2800.8)
= by 0x697E8B8: dissect_smb_fid (packet-smb.c:3499)
svn path=/trunk/; revision=44067
1. If there's no character encoding (ENC_ASCII, ...) specified
then use ENC_ASCII.
2. For all but FT_UINT_STRING, always use ENC_NA
(replacing any existing True/1/FALSE/0
/ENC_BIG_ENDIAN/ENC_LITTLE_ENDIAN).
svn path=/trunk/; revision=39426
FT_NONE
FT_BYTES
FT_IPV6
FT_IPXNET
FT_OID
Note: Encoding field set to ENC_NA only if the field was previously TRUE|FALSE|ENC_LITTLE_ENDIAN|ENC_BIG_ENDIAN
svn path=/trunk/; revision=39260
names beginning with dissect_qspi_, and give some of them names with the
info level structure in them rather than the SNIA CIFS specification
section number.
Have separate routines for SMB_INFO_STANDARD and SMB_INFO_QUERY_EA_SIZE;
SMB_INFO_STANDARD is specified differently in the SNIA CIFS
specification and the MS-CIFS specification, and some captures have the
SNIA CIFS version, with the EA length and some have the MS-CIFS version
without it. The dissector for SMB_INFO_STANDARD will dissect it if it's
there and not say "this structure is truncated" if it's not there.
Rename dissect_qfi_SMB_FILE_ALTERNATE_NAME_INFO() to
dissect_qfi_SMB_FILE_NAME_INFO(), as it also dissects
SMB_QUERY_FILE_NAME_INFO.
Merge the dissectors for SMB_FILE_ALLOCATION_INFO and
SMB_SET_FILE_ALLOCATION_INFO, and for SMB_FILE_END_OF_FILE_INFO and
SMB_SET_FILE_END_OF_FILE_INFO, as the structures are the same.
Dissect some presumed "passthrough info levels" the same way the
corresponding official SMB infos are dissected.
Expand some comments for info level dissectors to give the MS-CIFS
section number and to give some other details.
If an info level is truncated, put in an expert info error.
If we don't know about a given info level, just dissect the body as
"Information level unknown", rather than having it dissected as an
"unknown information" trailer.
svn path=/trunk/; revision=37297
include packet-smb.h in packet-smb.c so that we check the declarations
against the definitions.
In query ops, info level 2 is Query EA Size, not Query EAs From List.
In set ops, info level 2 is Set EAs, not Query EA Size.
Expand the constants for the Trans2 subcodes to 16 bits.
The tvb argument to dissect_find_file_unix_info2() is used.
svn path=/trunk/; revision=37286
Get rid of null-pointer tests for t2i in the "not null" branch of an
earlier test whether it's null, as those tests are redundant.
Use a switch statement to check the subcommand for Trans2.
If t2i->info_level is -1, it means we don't know the info level, for
whatever reason (e.g., the request was cut short by the snapshot length
before the info level). Report it as such.
svn path=/trunk/; revision=37183
and Set File.
Add Query and Set File Unix Info2; use common code to dissect the Unix
Info2 structure. Use common code for Unix Basic, while we're at it.
svn path=/trunk/; revision=37138
