Mark Muhlestein's code to support CIFS-atop-TCP (without the NetBIOS

Session Service).

svn path=/trunk/; revision=1832

AUTHORS

@@ -282,6 +282,10 @@ Andreas Sikkema <andreas.sikkema@philips.com> {
 	Fixes to capture file handling on Win32
 }
 
+Mark Muhlestein <mmm@netapp.com> {
+	CIFS-over-TCP support
+}
+
 Alain Magloire <alainm@rcsm.ece.mcgill.ca> was kind enough to
 give his permission to use his version of snprintf.c.
 

doc/ethereal.pod.template

@@ -838,6 +838,7 @@ B<http://ethereal.zing.org>.
   Paul Welchinski          <paul.welchinski@telusplanet.net>
   Doug Nazar               <nazard@dragoninc.on.ca>
   Andreas Sikkema          <andreas.sikkema@philips.com>
+  Mark Muhlestein          <mmm@netapp.com>
 
 Alain Magloire <alainm@rcsm.ece.mcgill.ca> was kind enough to give his
 permission to use his version of snprintf.c.

packet-nbns.c

@@ -4,7 +4,7 @@
  * Gilbert Ramirez <gram@xiexie.org>
  * Much stuff added by Guy Harris <guy@alum.mit.edu>
  *
- * $Id: packet-nbns.c,v 1.39 2000/04/08 07:07:29 guy Exp $
+ * $Id: packet-nbns.c,v 1.40 2000/04/12 20:43:45 guy Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs <gerald@zing.org>
@@ -79,9 +79,19 @@ static int hf_nbss_flags = -1;
 static gint ett_nbss = -1;
 static gint ett_nbss_flags = -1;
 
+/* See RFC 1001 and 1002 for information on the first three, and see
+
+	http://www.cifs.com/specs/draft-leach-cifs-v1-spec-01.txt
+
+   Appendix B, and various messages on the CIFS mailing list such as
+
+	http://discuss.microsoft.com/SCRIPTS/WA-MSD.EXE?A2=ind9811A&L=cifs&P=R386
+
+   for information on the fourth. */
 #define UDP_PORT_NBNS	137
 #define UDP_PORT_NBDGM	138
 #define TCP_PORT_NBSS	139
+#define TCP_PORT_CIFS	445
 
 /* Packet structure taken from RFC 1002. See also RFC 1001.
  * Opcode, flags, and rcode treated as "flags", similarly to DNS,
@@ -1440,14 +1450,21 @@ static const value_string error_codes[] = {
 };
 
 /*
- * Dissect a single NBSS packet (there may be more than one in a given TCP
- * segment). Hmmm, in my experience, I have never seen more than one NBSS
- * in a single segment, since they mostly contain SMBs which are essentially
- * a request response type protocol (RJS). Also, a single session message 
- * may be split over multiple segments.
+ * Dissect a single NBSS packet (there may be more than one in a given
+ * TCP segment).
+ *
+ * [ Hmmm, in my experience, I have never seen more than one NBSS in a
+ * single segment, since they mostly contain SMBs which are essentially
+ * a request response type protocol (RJS). ]
+ *
+ * [ However, under heavy load with many requests multiplexed on one
+ * session it is not unusual to see multiple requests in one TCP
+ * segment. Unfortunately, in this case a single session message is
+ * frequently split over multiple segments, which frustrates decoding
+ * (MMM). ]
  */
 static int
-dissect_nbss_packet(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data)
+dissect_nbss_packet(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int max_data, int is_cifs)
 {
 	proto_tree	*nbss_tree = NULL;
 	proto_item	*ti;
@@ -1461,10 +1478,16 @@ dissect_nbss_packet(const u_char *pd, int offset, frame_data *fd, proto_tree *tr
 	int		name_type;
 
 	msg_type = pd[offset];
-	flags = pd[offset + 1];
-	length = pntohs(&pd[offset + 2]);
-	if (flags & NBSS_FLAGS_E)
-		length += 65536;
+
+	if (is_cifs) {
+		flags = 0;
+		length = pntohl(&pd[offset]) & 0x00FFFFFF;
+	} else {
+		flags = pd[offset + 1];
+		length = pntohs(&pd[offset + 2]);
+		if (flags & NBSS_FLAGS_E)
+			length += 65536;
+	}
 
 	if (tree) {
 	  ti = proto_tree_add_item(tree, proto_nbss, offset, length + 4, NULL);
@@ -1480,22 +1503,28 @@ dissect_nbss_packet(const u_char *pd, int offset, frame_data *fd, proto_tree *tr
 
 	offset += 1;
 
-	if (tree) {
-	  tf = proto_tree_add_item(nbss_tree, hf_nbss_flags, offset, 1, flags);
-	  field_tree = proto_item_add_subtree(tf, ett_nbss_flags);
-	  proto_tree_add_text(field_tree, offset, 1, "%s",
+	if (is_cifs) {
+		if (tree) {
+		  proto_tree_add_text(nbss_tree, offset, 3, "Length: %u", length);
+		}
+		offset += 3;
+	} else {
+		if (tree) {
+		  tf = proto_tree_add_item(nbss_tree, hf_nbss_flags, offset, 1, flags);
+		  field_tree = proto_item_add_subtree(tf, ett_nbss_flags);
+		  proto_tree_add_text(field_tree, offset, 1, "%s",
 			      decode_boolean_bitfield(flags, NBSS_FLAGS_E,
-						      8, "Add 65536 to length", "Add 0 to length"));
+							      8, "Add 65536 to length", "Add 0 to length"));
+		}
+		offset += 1;
+
+		if (tree) {
+		  proto_tree_add_text(nbss_tree, offset, 2, "Length: %u", length);
+		}
+
+		offset += 2;
 	}
 
-	offset += 1;
-
-	if (tree) {
-	  proto_tree_add_text(nbss_tree, offset, 2, "Length: %u", length);
-	}
-
-	offset += 2;
-
 	switch (msg_type) {
 
 	case SESSION_REQUEST:
@@ -1555,12 +1584,21 @@ dissect_nbss(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
 	guint16		length;
 	int		len;
 	int		max_data;
+	int		is_cifs;
 
 	msg_type = pd[offset];
-	flags = pd[offset + 1];
-	length = pntohs(&pd[offset + 2]);
-	if (flags & NBSS_FLAGS_E)
-		length += 65536;
+
+	if (pi.srcport == TCP_PORT_CIFS || pi.destport == TCP_PORT_CIFS) {
+		flags = 0;
+		length = pntohl(&pd[offset]) & 0x00FFFFFF;
+		is_cifs = TRUE;
+	} else {
+		flags = pd[offset + 1];
+		length = pntohs(&pd[offset + 2]);
+		if (flags & NBSS_FLAGS_E)
+			length += 65536;
+		is_cifs = FALSE;
+	}
 
 	/*
 	 * XXX - we should set this based on both "pi.captured_len"
@@ -1601,7 +1639,7 @@ dissect_nbss(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
 	}
 
 	while (max_data > 0) {
-		len = dissect_nbss_packet(pd, offset, fd, tree, max_data);
+		len = dissect_nbss_packet(pd, offset, fd, tree, max_data, is_cifs);
 		offset += len;
 		max_data -= len;
 	}
@@ -1716,4 +1754,5 @@ proto_reg_handoff_nbt(void)
   dissector_add("udp.port", UDP_PORT_NBNS, dissect_nbns);
   dissector_add("udp.port", UDP_PORT_NBDGM, dissect_nbdgm);
   dissector_add("tcp.port", TCP_PORT_NBSS, dissect_nbss);
+  dissector_add("tcp.port", TCP_PORT_CIFS, dissect_nbss);
 }