From Tim Potter: NT SID dissection.

Don't label the SID in an ACE as an "NT SID SID", label it as an "NT ACE
SID".

svn path=/trunk/; revision=4607
Guy Harris 2002-01-25 08:02:01 +00:00
parent 886b4994ec
commit 7f0ef5ec87
4 changed files with 28 additions and 34 deletions


@ -938,6 +938,7 @@ Tim Potter <tpot[AT]samba.org> {
Use the FID, for DCE RPC-over-SMB, as part of the conversation
matching
Assorted SMB fixes
NT SID dissection
}
Raghu Angadi <rangadi[AT]inktomi.com> {


@ -2,7 +2,7 @@
* Routines for smb packet dissection
* Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
*
* $Id: packet-smb-common.h,v 1.5 2002/01/21 07:36:42 guy Exp $
* $Id: packet-smb-common.h,v 1.6 2002/01/25 08:02:01 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
@ -58,4 +58,6 @@ int display_unicode_string(tvbuff_t *tvb, packet_info *pinfo,
int display_ms_string(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int hf_index);
int dissect_nt_sid(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, char *name);
#endif
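Review bot: The `name` parameter of the newly exported `dissect_nt_sid` prototype is `char *`, yet the callers visible elsewhere in this commit pass string literals ("Domain", "ACE"). Assuming the body never writes through it, declaring it `const char *name` here and in the definition states that contract and lets the compiler catch a callee that breaks it. A short comment such as `/* returns the offset just past the SID */` would also help callers in other files, which now depend on that return value.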


@ -2,7 +2,7 @@
* Routines for SMB net logon packet dissection
* Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
*
* $Id: packet-smb-logon.c,v 1.22 2002/01/24 09:20:51 guy Exp $
* $Id: packet-smb-logon.c,v 1.23 2002/01/25 08:02:01 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
@ -60,7 +60,6 @@ static int hf_flags_password_required = -1;
static int hf_flags_homedir_required = -1;
static int hf_flags_enabled = -1;
static int hf_domain_sid_size = -1;
static int hf_domain_sid = -1;
static int hf_low_serial = -1;
static int hf_pulse = -1;
static int hf_random = -1;
@ -483,10 +482,11 @@ dissect_announce_change(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int
offset += 4;
if (domain_sid_size != 0) {
/* Align to four-byte boundary */
offset = ((offset + 3)/4)*4;
/* Domain SID */
proto_tree_add_item(tree, hf_domain_sid, tvb, offset,
domain_sid_size, TRUE);
offset += domain_sid_size;
offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Domain");
}
/* NT version */
@ -534,23 +534,11 @@ dissect_smb_sam_logon_req(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, i
offset += 4;
if (domain_sid_size != 0) {
/* Domain SID */
proto_tree_add_item(tree, hf_domain_sid, tvb, offset,
domain_sid_size, TRUE);
offset += domain_sid_size;
/* XXX - at least one packet appears to put the NT version on
a 4-byte boundary, with padding after the domain SID, at
least according to Network Monitor.
However, another frame, with a zero-length domain SID,
doesn't do any padding, and other packets don't appear
to put the NT version of a 4-byte boundary, so maybe
the padding comes *before* the domain SID, and NetMon
is just confused? (NetMon has been known to misdissect
SMB packets, even though, err, umm, NetMon comes from
the people who are adding all this stuff to SMB....) */
/* Align to four-byte boundary */
offset = ((offset + 3)/4)*4;
/* Domain SID */
offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Domain");
}
/* NT version */
@ -971,10 +959,6 @@ proto_register_smb_logon( void)
{ "Domain SID Size", "netlogon.domain_sid_size", FT_UINT32, BASE_DEC,
NULL, 0, "NETLOGON Domain SID Size", HFILL }},
{ &hf_domain_sid,
{ "Domain SID", "netlogon.domain_sid", FT_BYTES, BASE_NONE,
NULL, 0, "NETLOGON Domain SID", HFILL }},
{ &hf_low_serial,
{ "Low Serial Number", "netlogon.low_serial", FT_UINT32, BASE_DEC,
NULL, 0, "NETLOGON Low Serial Number", HFILL }},
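Review bot: The declared `domain_sid_size` is no longer cross-checked against the bytes actually consumed: in both dissect_announce_change and dissect_smb_sam_logon_req it is now only a non-zero test, and the next offset comes entirely from what `dissect_nt_sid` returns. If a frame's size field disagrees with the length implied by the SID's own sub-authority count, the NT version and later fields are dissected from the wrong offset with nothing shown to the analyst. Consider remembering the aligned start and, after the call, comparing `offset - sid_start` with `domain_sid_size`, adding a text item when they differ. The removed XXX comment recorded a real uncertainty about whether padding precedes or follows the SID, so a brief comment like `/* padding assumed to precede the SID; NetMon disagrees on some frames */` would keep that caveat. Both function bodies extend outside the hunks.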


@ -3,7 +3,7 @@
* Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
* 2001 Rewrite by Ronnie Sahlberg and Guy Harris
*
* $Id: packet-smb.c,v 1.197 2002/01/21 07:36:42 guy Exp $
* $Id: packet-smb.c,v 1.198 2002/01/25 08:02:01 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
@ -6318,7 +6318,7 @@ dissect_security_information_mask(tvbuff_t *tvb, packet_info *pinfo, proto_tree
return offset;
}
static int
int
dissect_nt_sid(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, char *name)
{
proto_item *item = NULL;
@ -6351,11 +6351,20 @@ dissect_nt_sid(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent
a new FT_xxx thingie? SMB is quite common!*/
/* identifier authorities */
strp=str;
*strp=0;
strcpy(strp, "S-1-");
proto_tree_add_text(tree, tvb, offset, 6, "Authorities");
for(i=0;i<6;i++){
sprintf(strp,"%s%d-",strp,tvb_get_guint8(tvb, offset));
guint8 auth = tvb_get_guint8(tvb, offset);
if (auth > 0)
sprintf(strp,"%s%d-",strp, auth);
offset++;
}
proto_tree_add_text(tree, tvb, offset, num_auth * 4, "Sub-authorities");
/* sub authorities */
for(i=0;i<num_auth;i++){
/* XXX should not be letohl but native byteorder according to
@ -6368,9 +6377,7 @@ dissect_nt_sid(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent
/* strip trailing '-'*/
str[strlen(str)-1]=0;
proto_tree_add_text(tree, tvb, offset-6-num_auth*4, 6+num_auth*4, "SID: %s", str);
proto_item_append_text(item, ": %s", str);
proto_item_append_text(item, ": %s", str);
}
proto_item_set_len(item, offset-old_offset);
@ -6497,7 +6504,7 @@ dissect_nt_v2_ace(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *par
offset = dissect_nt_access_mask(tvb, pinfo, tree, offset);
/* SID */
offset = dissect_nt_sid(tvb, pinfo, offset, tree, "SID");
offset = dissect_nt_sid(tvb, pinfo, offset, tree, "ACE");
proto_item_set_len(item, offset-old_offset);
return offset;
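Review bot: In the identifier-authority loop of dissect_nt_sid, `sprintf(strp,"%s%d-",strp, auth);` passes the destination as its own `%s` argument, which is undefined behaviour because source and destination overlap, and the write is unbounded. Appending at the current end avoids the overlap, e.g. `sprintf(str + strlen(str), "%d-", auth);`, and a length-bounded formatter using the space left in `str` would be safer, since `num_auth` controls how many sub-authorities are appended afterwards and presumably comes from the packet. `str` is declared outside the hunk, so its size cannot be confirmed from here, and the sub-authority loop is only partly visible. Separately, skipping zero bytes means an all-zero identifier authority is rendered as "S-1-" followed directly by the sub-authorities, with no authority component.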