in both packets of a transaction.
this makes filters such as "smb.file==foo.txt" work much better since they now show both
the read/write request and also the response packets.
this is similar to what we already do in nfs for filehandles
svn path=/trunk/; revision=21856
put the filename, if known, on the fid expansion line
also place a "generated" fid in failed ntcreateandx so it is easier to
quickly see which file the ntcreateandx failed for
svn path=/trunk/; revision=21739
stuff to the UID tree unless it's UID stuff.
Also, as we appear to allow for null domain and account information in
dissect_smb_uid(), check for null information before trying to add it to
the top-level item.
svn path=/trunk/; revision=21597
Improve the tid tracking by putting the host/share information on the tid expansion line so one can see it without opening the expansion
svn path=/trunk/; revision=21547
dont try dcerpc reassembly of fragments if we dont have the entire pdu
only call the heuristical dissectors once from smb/pipe as per guy(?)s comments about idempotence.
when doing reassembly, the dcerpc dissector is indeed not idempotent any more.
svn path=/trunk/; revision=19304
The smb dissector displays lock requests in the "Locking AndX Request" as a vector of locks. It opens a tree branch
"Locks" and appends the locks to this branch. Instead of adding "Lock" objects to this branch it added "Unlock"
objects. Everything else is fine.
svn path=/trunk/; revision=19271
when files are opened using NTCreateAndX and if we recognize the type set the type field to either FILE, DIR or PIPE
This is useful to know when dissecting things like security descriptors since it tells us how to dissect the specific bits of the access mask.
Only do this for NTCreateAndX for now. It is trivial to add similar tracking to some of the older obsolete calls used to open fids but no clients ever use those old calls any more.
svn path=/trunk/; revision=18922
reuse the recent structure for fid->filename mappings since the problemspace is virtually the same
(go to tired of trying to find the sharename in 10mpacket traces with 1000s of shares)
svn path=/trunk/; revision=18516
This needs to be done for all other Create/Open calls as well but would notmally just be 6 lines tyo add.
I rarely see older methods to open files so others using older clients are encoraged to use these 6 lines to the other places where needed.
svn path=/trunk/; revision=18515
add an expansion to the fid that display which frame itr was opened in and when it was closed.
someone may want to add tracking of actual filenames here as well. i am not sure i need that feature myself so ...
svn path=/trunk/; revision=18512
The code was incorrectly bounds checking AndXOffset. AndXOffset is only
relevant when AndXCommand is not 0xFF. This patch corrects erroneous
"Malformed packet" exceptions.
svn path=/trunk/; revision=18015