some extra info levels discovered by tridge.
Put subcommand information in COL_INFO for trans2 query fs/path/file
info.
svn path=/trunk/; revision=8011
so it is pretty common for MID values to be reused even in
moderately sized captures.
The test comparing the command type between the request and reply is not
sufficient when most of the commands between the client and the server
are the same (e.g. streaming Read/Write).
Change the matching so that ONLY the first "response" we see for a certain
open MID will be matched to the original request.
I.e. prevent
    Read Request
    Read Reply
    [missing from capture] Read Request
    Read Reply
from incorrectly matching the second reply (if it has a reused MID) with the
first request.
This makes the response time statistics a bit more reliable as well.
svn path=/trunk/; revision=7888
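The matching rule from the commit message above, as an added example that is not Ethereal's code: a simplified model with one slot per MID, where the table layout, function names and frame numbers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SMB_COM_READ_ANDX 0x2e   /* SMB command code for Read AndX */

/* Simplified model: one slot per 16-bit MID holding the frame number of
 * the request that is still waiting for a reply (0 = no open request). */
typedef struct {
    uint32_t req_frame[65536];
    uint8_t  req_cmd[65536];
} mid_table_t;
static mid_table_t table;

void see_request(mid_table_t *t, uint16_t mid, uint8_t cmd, uint32_t frame) {
    t->req_frame[mid] = frame;
    t->req_cmd[mid] = cmd;
}

/* Command-type check only: the request stays matchable after a reply. */
uint32_t match_by_command(const mid_table_t *t, uint16_t mid, uint8_t cmd) {
    return (t->req_frame[mid] && t->req_cmd[mid] == cmd) ? t->req_frame[mid] : 0;
}

/* First-response rule: a matched reply closes the MID, so a later reply
 * with the same MID is left unmatched until a new request is seen. */
uint32_t match_first_response(mid_table_t *t, uint16_t mid, uint8_t cmd) {
    uint32_t req = match_by_command(t, mid, cmd);
    if (req != 0)
        t->req_frame[mid] = 0;
    return req;
}

/* Constructed capture: Read Request (frame 1), Read Reply (frame 2), a
 * second Read Request lost from the capture, its Read Reply (frame 3).
 * Returns the request frame that the frame-3 reply gets matched to. */
uint32_t second_reply_match(int first_response_only) {
    memset(&table, 0, sizeof table);
    see_request(&table, 5, SMB_COM_READ_ANDX, 1);
    if (first_response_only) {
        (void)match_first_response(&table, 5, SMB_COM_READ_ANDX);
        return match_first_response(&table, 5, SMB_COM_READ_ANDX);
    }
    (void)match_by_command(&table, 5, SMB_COM_READ_ANDX);
    return match_by_command(&table, 5, SMB_COM_READ_ANDX);
}

int main(void) {
    printf("command check only: %u, first response only: %u\n",
           (unsigned)second_reply_match(0), (unsigned)second_reply_match(1));
    return 0;
}
```

With the command check alone the frame-3 reply is paired with the frame-1 request, which would also distort its response time; with the first-response rule it stays unmatched.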
tvb_get_string() - takes a tvbuff, an offset, and a length as
arguments, allocates a buffer big enough to hold a string with
the specified number of bytes plus an added null terminator
(i.e., length+1), copies the specified number of bytes from the
tvbuff, at the specified offset, to that buffer and puts in a
null terminator, and returns a pointer to that buffer (or throws
an exception before allocating the buffer if that many bytes
aren't available in the tvbuff);
tvb_get_stringz() - takes a tvbuff, an offset, and a pointer to
a "gint" as arguments, gets the size of the null-terminated
string starting at the specified offset in the tvbuff (throwing
an exception if the null terminator isn't found), allocates a
buffer big enough to hold that string, copies the string to that
buffer, and returns a pointer to that buffer and stores the
length of the string (including the terminating null) in the
variable pointed to by the "gint" pointer.
Replace many pieces of code allocating a buffer and copying a string
with calls to "tvb_get_string()" (for one thing, "tvb_get_string()"
doesn't require you to remember that the argument to
"tvb_get_nstringz0()" is the size of the buffer into which you're
copying the string, which might be the length of the string to be copied
*plus 1*).
Don't use fixed-length buffers for null-terminated strings (even if the
code that generates those packets has a #define to limit the length of
the string). Use "tvb_get_stringz()", instead.
In some cases where a value is fetched but is only used to pass an
argument to a "proto_tree_add_XXX" routine, use "proto_tree_add_item()"
instead.
svn path=/trunk/; revision=7859
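The two extraction patterns described in the commit message above, as an added example that is not Ethereal's code: pktbuf_t, buf_get_string() and buf_get_stringz() are hypothetical stand-ins for a tvbuff and the tvb_get_string()/tvb_get_stringz() routines, and they return NULL where the real routines are described as throwing an exception.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for a tvbuff: the captured bytes and how many there are. */
typedef struct { const uint8_t *data; size_t len; } pktbuf_t;

/* Constructed sample: "ABC\0" followed by "xyz" with no terminator. */
static const uint8_t SAMPLE[] = { 'A', 'B', 'C', 0, 'x', 'y', 'z' };
static const pktbuf_t PKT = { SAMPLE, sizeof SAMPLE };

/* Counted string: check the bounds first, then allocate length+1 bytes.
 * NULL stands in for the exception described in the commit message. */
char *buf_get_string(const pktbuf_t *b, size_t offset, size_t length) {
    if (offset > b->len || length > b->len - offset) return NULL;
    char *s = malloc(length + 1);
    if (s == NULL) return NULL;
    memcpy(s, b->data + offset, length);
    s[length] = '\0';
    return s;
}

/* NUL-terminated string: look for the terminator inside the captured
 * bytes only, then size the allocation from what was found. */
char *buf_get_stringz(const pktbuf_t *b, size_t offset, size_t *lengthp) {
    if (offset >= b->len) return NULL;
    const uint8_t *start = b->data + offset;
    const uint8_t *nul = memchr(start, 0, b->len - offset);
    if (nul == NULL) return NULL;        /* unterminated: nothing is copied */
    size_t size = (size_t)(nul - start) + 1;   /* includes the NUL */
    char *s = malloc(size);
    if (s == NULL) return NULL;
    memcpy(s, start, size);
    *lengthp = size;
    return s;
}

/* Length (including NUL) of the string at offset in SAMPLE, 0 if rejected. */
size_t sample_stringz_len(size_t offset) {
    size_t n = 0;
    char *s = buf_get_stringz(&PKT, offset, &n);
    if (s == NULL) return 0;
    free(s);
    return n;
}
int main(void) {
    printf("%zu %zu\n", sample_stringz_len(0), sample_stringz_len(4));
    return 0;
}
```

Because the allocation is sized from the packet contents after the bounds check, no sender-side length limit has to be trusted, which is the point of dropping fixed-length buffers.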
reflect the 1.0 version of the CIFS spec. Similarly update function
names containing section numbers.
Change the strings for query file levels 0x0200 and 0x0201 to say
"Query" rather than "Set" (we now have separate tables for "query" and
"set" information levels, as some of them differ), and get rid of the
string for 0x0202, as that's documented in the CIFS spec only as a "set"
level.
svn path=/trunk/; revision=7810
according to the SNIA CIFS 1.0 spec and some captures I've seen, are not
the same as for the corresponding TRANS2_GET_{PATH,FILE}_INFORMATION.
Handle the SET information levels as per the CIFS spec.
svn path=/trunk/; revision=7806
multiple NetBIOS-over-TCP session service messages in a TCP segment, and
they can contain the final portions of different DCERPC calls. Don't
assume a frame number is sufficient to identify DCE RPC calls.
svn path=/trunk/; revision=7777
given a tvbuff/offset pair referring to the byte past the end of the
item. Use it in one place in the SMB dissector (there are plenty of
other places where it could be used as well).
svn path=/trunk/; revision=7603
instead of passing them around as separate parameters. This is a
prelude to adding generic and standard mapping to the access mask
dissection.
svn path=/trunk/; revision=7591
null) to the "fragment_items" structure, and don't pass that value into
"process_reassembled_data()", just have it use the value in the
"fragment_items" structure passed to it.
Make "process_reassembled_data()" capable of handling reassembly done by
"fragment_add_seq_check()", and use it in the ATP and 802.11 dissectors;
give them "reassembled_in" fields. Make "process_reassembled_data()"
handle only the case of a completed reassembly (fd_head != NULL) so that
we can use it in those dissectors without gunking the code up too much.
svn path=/trunk/; revision=7513
read/write data that might, or might not, be DCE RPC information on a
pipe, and use that routine rather than duplicating similar code in
multiple places.
svn path=/trunk/; revision=7455
To test whether a single bit is set, just do "if (mode&bit)", not
"if ((mode&bit)==bit)".
In the places where read and write data is processed, have both a
comment indicating that it's file data and that you can transport DCERPC
over SMB just with reads and writes, to indicate why we may call the
DCERPC-over-a-pipe dissector.
svn path=/trunk/; revision=7450
the call to initialize it; move the call to initialize it to the
registration routine for the dissector that uses it, move the definition
of "dcerpc_fragment_table" to packet-smb-pipe.c, make it static, and
remove the declaration of it from smb.h.
Add some casts to squelch compiler complaints.
svn path=/trunk/; revision=7449
Move the actual reassembly to packet-smb-pipe.c instead of having it inside
the packet-smb.c/Write_andX and ReadAndX dissectors.
Change the dissector to only call dcerpc dissector from the packet where
reassembly was completed instead of always from the first fragment.
Add display filter field for the other fragments that display which frame the dcerpc pdu was reassembled in.
This is needed in order to be able to reassemble the type of dcerpc fragments
that are sent between nt4 dc's.
The DCERPC fragment reassembly in the dcerpc layer is still broken though, and
I think it has been broken for quite some time. That will be addressed shortly.
svn path=/trunk/; revision=7445
Make the dissector decode the first two bytes of the security descriptor as
one byte for the revision and the second byte as nothing/should be zero.
svn path=/trunk/; revision=7436
WriteAndX request should have a full complement of word parameters, but,
just in case it doesn't....
(Should we somehow arrange to throw an exception if there aren't enough
word or byte parameters in SMBs, i.e. impose a minimum in some cases?)
svn path=/trunk/; revision=7430
If both mode bits MessageStart and WriteRaw are set, then the first two bytes of the byte-field are the total length of the data written to the pipe.
svn path=/trunk/; revision=7428
This feature, when enabled through Edit/preferences/protocols/smb,
will look at certain SMB and CIFS related protocols to discover the
mapping between SIDs and their Names.
For those SIDs whose name has been snooped/discovered Ethereal will
also add "(<name>)" to the end of the SID when printed in the tree pane
through the function dissect_nt_sid().
Currently the feature is not too exciting since the only thing that packet-smb-sidsnooping.c will look at to build this mapping table is
replies to the LSA/QueryInfoPolicy infolevel 3 packets and thus
discover mappings between a Domain SID and a Domain Name.
In the near future this feature will be enhanced to also look at more interesting calls such as LSA/LookupSIDs2 and similar.
svn path=/trunk/; revision=7362
we're at it, avoid going past the end of a packet. Put the ACE type's
hex value into that line if it's an unknown type.
svn path=/trunk/; revision=7144
guaranteed to be aligned on a 4-byte boundary, so, if we're not
dissecting an ACE from a DCE RPC request or reply, don't use
"dissect_ndr_uint32()" to extract the access mask. (Is it guaranteed to
be so aligned even if the ACE is part of a DCE RPC message? Or are ACLs
just opaque blobs from the point of view of DCE RPC?)
Use "%u", not "%d", to print unsigned quantities.
svn path=/trunk/; revision=7106