Commit Graph

204 Commits

Author SHA1 Message Date
Guy Harris f094e1c292 From Tim Potter: for all the SMBs that have a FID in the request, put
the FID in the Info column.

svn path=/trunk/; revision=4663
2002-02-01 07:22:51 +00:00
Gilbert Ramirez 4c4edd93fb Remove extra white-space from text added to proto_tree.
Thanks to Tim Potter <tpot@samba.org>

svn path=/trunk/; revision=4657
2002-02-01 04:42:24 +00:00
Guy Harris 3c1fb071eb Redo the previous change in a slightly cleaner fashion (don't convert
the result of "g_hash_table_lookup()" to an integer until you've
determined that it's not a null pointer, i.e. that the lookup
succeeded).

svn path=/trunk/; revision=4623
2002-01-29 21:49:43 +00:00
Guy Harris e08be416ff "NULL" is a pointer.
Objects of type "guint32" are integers.

Don't compare the former with the latter.

svn path=/trunk/; revision=4622
2002-01-29 21:37:58 +00:00
Guy Harris b3bc97d7f5 Add support for dissecting NT FILETIME time stamp values.
Get rid of a level of hierarchy in some SMB field names.

svn path=/trunk/; revision=4613
2002-01-28 00:58:46 +00:00
Guy Harris 42a38685cd In the "Announce change to UAS or SAM" NETLOGON message, dissect the
"Large Serial Number" as a 64-bit little-endian integer, and dissect the
"NT Date/Time" as a FILETIME by calling "dissect_smb_64bit_time()".

Export "dissect_smb_64bit_time()" so that we can do so.

svn path=/trunk/; revision=4609
2002-01-25 09:42:21 +00:00
Guy Harris 7f0ef5ec87 From Tim Potter: NT SID dissection.
Don't label the SID in an ACE as an "NT SID SID", label it as an "NT ACE
SID".

svn path=/trunk/; revision=4607
2002-01-25 08:02:01 +00:00
Guy Harris ee5ca25d31 Include files from the "epan" directory and subdirectories thereof with
"epan/..." pathnames, so as to avoid collisions with header files in any
of the directories in which we look (e.g., "proto.h", as some other
package has its own "proto.h" file which it installs in the top-level
include directory).

Don't add "-I" flags to search "epan", as that's no longer necessary
(and we want includes of "epan" headers to fail if the "epan/" is left
out, so that we don't re-introduce includes lacking "epan/").

svn path=/trunk/; revision=4586
2002-01-21 07:37:49 +00:00
Guy Harris 92915713d3 Allow a length of -1 to be specified when adding FT_NONE and FT_PROTOCOL
items to the protocol tree; it's interpreted as "the rest of the data in
the tvbuff".  This can be used if

	1) the item covers the entire packet or the remaining payload in
	   the packet

or

	2) the item's length won't be known until it's dissected, and
	   will be then set with "proto_item_set_len()" - if an
	   exception is thrown in the dissection, it means the item ran
	   *past* the end of the tvbuff, so saying it runs to the end of
	   the tvbuff is reasonable.

Convert a number of "proto_tree_add_XXX()" calls using
"tvb_length_remaining()", values derived from the result of
"tvb_length()", or 0 (in the case of items whose length is unknown) to
use -1 instead (using 0 means that if an exception is thrown, selecting
the item highlights nothing; using -1 means it highlights all the data
for that item that's available).

In some places where "tvb_length()" or "tvb_length_remaining()" was used
to determine how large a packet is, use "tvb_reported_length()" or
"tvb_reported_length_remaining()", instead - the first two calls
indicate how much captured data was in the packet, the latter two calls
indicate how large the packet actually was (and the fact that using the
latter could cause BoundsError exceptions to be thrown is a feature - if
such an exception is thrown, the frame really *was* short, and it should
be tagged as such).

Replace some "proto_tree_add_XXX()" calls with equivalent
"proto_tree_add_item()" calls.

Fix some indentation.

svn path=/trunk/; revision=4578
2002-01-20 22:12:39 +00:00
Guy Harris fb1e26fe6a Use the "fragmented" field of the "packet_info" structure in
"dissect_frame()" to indicate whether a ReportedBoundsError was due to
the packet being malformed (i.e., the packet was shorter than it's
supposed to be, so the dissector went past the end trying to extract
fields that were supposed to be there) or due to it not being
reassembled (i.e., the packet was fragmented, and we didn't reassemble
it, but just treated the first fragment as the entire packet, so the
dissector went past the end trying to extract fields that were partially
or completely in fragments after that).  Mark the latter as being
unreassembled rather than malformed.

Properly initialize, save, and restore that field, and properly set it,
so that works.

svn path=/trunk/; revision=4555
2002-01-17 06:29:20 +00:00
Guy Harris 86d348aed1 Fix some preferences to eliminate the extra copy of the protocol name at
the beginning, and to use underscores rather than periods where the
preference's name really isn't part of a hierarchical namespace.

Use "%u" rather than "%d" to print unsigned quantities.

svn path=/trunk/; revision=4543
2002-01-15 10:01:21 +00:00
Guy Harris c8f8db531f When checking whether to do DCERPC-over-SMB reassembly on a Read and X
response, don't assume that we saw the request and therefore that
"si->sip" is non-null - we might well not have seen the request and thus
might not have set "si->sip".

svn path=/trunk/; revision=4542
2002-01-15 09:42:26 +00:00
Guy Harris c78cb46c0e Use "proto_tree_add_item()", not "proto_tree_add_bytes()", to add an
item for extra data at the end of the Transaction2 request parameters.

svn path=/trunk/; revision=4499
2002-01-08 20:11:57 +00:00
Guy Harris 4e08507d23 Match requests and responses using both the MID and the PID; the SNIA
CIFS draft spec speaks of both being used:

	The multiplex ID (Mid) is used along with the Pid to allow
	multiplexing the single client and server connection among the
	client's multiple processes, threads, and requests per thread.
	Clients may have many outstanding requests (up to the negotiated
	number, MaxMpxCount) at one time.  Servers MAY respond to
	requests in any order, but a response message MUST always
	contain the same Mid and Pid values as the corresponding request
	message.  The client MUST NOT have multiple outstanding requests
	to a server with the same Mid and Pid.

and I have seen a capture where more than one PID is used on a given
connection and where the same MID is used with two different PIDs.

Get rid of the "mid" field in the "smb_info_t" structure - the MID is
not used outside "dissect_smb()".

svn path=/trunk/; revision=4495
2002-01-08 05:52:05 +00:00
Guy Harris 98b2ecb304 SPOOLSS RPC dissector, from Tim Potter. This includes adding additional
DOS error codes to the table of them, and exporting that table to other
dissectors for protocols using DOS error codes.

svn path=/trunk/; revision=4470
2002-01-03 20:42:41 +00:00
Guy Harris 4e013a44de Reassembly of fragmented NT Transaction responses, from Ronnie Sahlberg.
svn path=/trunk/; revision=4421
2001-12-18 08:55:49 +00:00
Guy Harris f370747531 From Ronnie Sahlberg: dissect security descriptor flags.
Clean up the display of the access control list entry flags.

Treat the access control list entry mask bits as NT permission bits (as
that's what they are).

svn path=/trunk/; revision=4420
2001-12-18 08:27:06 +00:00
Guy Harris 0ff9471830 NT ACL structure dissection, from Ronnie Sahlberg.
svn path=/trunk/; revision=4405
2001-12-15 23:59:23 +00:00
Guy Harris 3ccae74e5e NT security descriptor dissection, from Ronnie Sahlberg.
svn path=/trunk/; revision=4396
2001-12-15 04:35:50 +00:00
Guy Harris 23319ff023 Move the pointer to the "column_info" structure in the "frame_data"
structure to the "packet_info" structure; only stuff that's permanently
stored with each frame should be in the "frame_data" structure, and the
"column_info" structure is not guaranteed to hold the column values for
that frame at all times - it was only in the "frame_data" structure so
that it could be passed to dissectors, and, as all dissectors are now
passed a pointer to a "packet_info" structure, it could just as well be
put in the "packet_info" structure.

That saves memory, by shrinking the "frame_data" structure (there's one
of those per frame), and also lets us clean up the code a bit.

svn path=/trunk/; revision=4370
2001-12-10 00:26:21 +00:00
Guy Harris 6b0b77c5f1 More NT error codes, from Todd Sabin.
svn path=/trunk/; revision=4352
2001-12-07 05:52:23 +00:00
Guy Harris 787a331ae6 From Todd Sabin:
	add "dissect_ndr_ctx_hnd()" for dissecting context handles, and
	use it in various DCERPC dissectors;

	beef up the MS Security Account Manager dissector.

Also, export "NT_errors[]" for use by that dissector.

svn path=/trunk/; revision=4350
2001-12-06 23:30:36 +00:00
Guy Harris ef626a48ce From Ronnie Sahlberg: reassemble DCERPC-over-SMB requests as well as
responses.

svn path=/trunk/; revision=4348
2001-12-06 09:24:02 +00:00
Guy Harris 10b79123ef In the SMB dissector, keep a list of all the conversation structures
and, when we're re-initializing the dissector, free up all the hash
tables attached to those structures.

svn path=/trunk/; revision=4345
2001-12-06 07:04:02 +00:00
Guy Harris fc6a4d9b6f There can be more than one SMB request or response in a frame when
you're doing NetBIOS-over-TCP (yes, I've seen that, with one response
being a Transaction and the other being a Read and X), so the frame
number is insufficient as a key in the hash table of matched
request/response pairs; use the frame number and the MID.

svn path=/trunk/; revision=4344
2001-12-06 06:35:31 +00:00
Guy Harris 6b253331f0 Support for reassembly of DCERPC over SMB, from Ronnie Sahlberg.
svn path=/trunk/; revision=4335
2001-12-05 08:20:30 +00:00
Guy Harris a17c23a7a2 From Tim Potter: add the DOS error for "file already exists" on a
rename.

svn path=/trunk/; revision=4333
2001-12-05 00:49:32 +00:00
Guy Harris a9c0c1ebbb Don't fetch "t2i->info_level" if "t2i" is null.
svn path=/trunk/; revision=4332
2001-12-05 00:25:44 +00:00
Guy Harris 3396fb2777 Update from Ronnie Sahlberg:
	1.  Changes how can_desegment works so that can_desegment is
	    only != 0 for whichever dissector is running immediately on
	    top of whoever offers the can_desegment service.

	    Thus DCERPC needs no special handling to see if it can trust
	    can_desegment (which is currently only available on top of TCP
	    and not on top of tcp->nbss->smb).

	2.  Changes fragment reassembly of transaction smb to only show
	    the defragmented packet for the transaction smb holding the
	    first fragment.

	    To see why, test it with a transaction SMB containing a ~60kb
	    PDU or larger.  The old behaviour had approximately quadratic
	    behaviour regarding runtime for dissecting such PDUs.

	    (example: NetShareEnum is a command which can grow really really
	    large if the number of shares and comments are large)

svn path=/trunk/; revision=4296
2001-11-29 09:05:25 +00:00
Guy Harris ec19562f1a When processing a response, check whether "si->sip" is null before using
it; it'll be null if the matching request hasn't been seen.

svn path=/trunk/; revision=4295
2001-11-29 08:36:56 +00:00
Guy Harris 3be79df937 From Ronnie Sahlberg: track FID values between requests and responses
for ReadAndX and WriteAndX.

svn path=/trunk/; revision=4293
2001-11-28 11:47:27 +00:00
Guy Harris 390d5bbb55 If a request has already been processed, and we fail to find its
"smb_saved_info_t" in the table of requests whose replies have been
found, don't look it up in the table of requests whose replies have not
been found - if the request in question has no reply in the capture,
that may find some later frame in the same conversation with the same
MID, and we don't need that information anyway - the only reason we
*need* that structure is to save information in it for use when
processing its reply, and we already did that the first time we
processed the request.  (The information for the later frame may be bad,
e.g. having a null "extra_info" pointer, or having one that points to
information for another request.)

Arrange that we don't use the pointer to the "smb_saved_info_t" when
processing a request except to save information if the request hasn't
already been processed, as that pointer may not be valid if the request
has already been processed, as per the above.

svn path=/trunk/; revision=4292
2001-11-28 11:33:55 +00:00
Guy Harris ce66d97e35 Updates to transaction reassembly, from Ronnie Sahlberg.
Add some checks for null tvbuff arguments.

When dissecting transaction setup, parameters, and data when we couldn't
dissect it as a pipe or mailslot transaction, use the reported length of
the supplied tvbuff, not the actual length, as the amount of data
present.

svn path=/trunk/; revision=4291
2001-11-28 09:44:27 +00:00
Guy Harris fd456eaf0b Remove an extra blank from a data source name.
Added comments, from Ronnie Sahlberg.

svn path=/trunk/; revision=4280
2001-11-27 05:16:29 +00:00
Guy Harris ddfdbad4bd In "smb_trans_defragment()", quit if "si->sip" is null, as it means we
don't have the frame number of the request, which we use as the ID of
the transaction being reassembled.  (If we're reassembling a reply,
should we not use the frame number of the reply instead?  We used to
have a hash table to keep track of that, so we might just be able to
bring it back....)

svn path=/trunk/; revision=4274
2001-11-26 10:24:59 +00:00
Guy Harris d2197e36df Add some comments.
svn path=/trunk/; revision=4273
2001-11-26 10:05:27 +00:00
Guy Harris a8e949c74d From Ronnie Sahlberg: reassemble transaction data if transaction
continuations are seen.

svn path=/trunk/; revision=4272
2001-11-26 09:58:38 +00:00
Guy Harris ac16b7463b Assorted changes from Ronnie Sahlberg:
	Add a few small functions to reassemble.c to cope with protocols
	where the total length of defragmented PDUs is specified in the
	first fragment (all previous uses of reassembly have been for
	PDUs where the last fragment is signalled by a flag in the
	header for the last fragment).

	Add a few small functions to reassemble.c to abort-and-delete
	defragmentation of PDUs and also detect IF a PDU is currently
	being defragmented.  (Useful for PDUs where the "unique"
	identifier is rather ununique, or may be reused often enough so
	it can be a problem for Ethereal.)

	Change where NT Cancel presents its Cancelation-to output, and
	makes the three trans secondary requests also output similar
	information.

svn path=/trunk/; revision=4255
2001-11-24 09:36:40 +00:00
Guy Harris 99e2d7e626 Discard stuff in "smb.h" not used by the dissectors, and replace the
#defines for SMB commands with ones that use the names from the SNIA
CIFS spec.

Use those #define values rather than hardcoded values in various places
that check for specific commands.

svn path=/trunk/; revision=4244
2001-11-21 06:25:58 +00:00
Guy Harris daef7e962d Support for Transaction Secondary and Transaction2 Secondary, from
Ronnie Sahlberg.

svn path=/trunk/; revision=4243
2001-11-21 06:04:39 +00:00
Guy Harris 60fe401dc7 Get rid of some unused variables.
svn path=/trunk/; revision=4241
2001-11-21 02:01:06 +00:00
Guy Harris 3c11e4ff6d From Ronnie Sahlberg: handle transaction continuations the way we handle
NT Cancel, as transaction continuations don't get a response, either.

svn path=/trunk/; revision=4230
2001-11-20 08:18:01 +00:00
Guy Harris f7496cc674 Dissect the rest of the named pipe protocol. Export from "packet-smb.c"
routines used for that.

Rename some named pipe functions as per the SNIA CIFS spec.

Label the "number of files moved" field of the reply to a Move SMB as
such, rather than as an unspecified "Count".

svn path=/trunk/; revision=4229
2001-11-20 07:47:42 +00:00
Guy Harris 7cd2bc5659 Save the function code and FID for pipe requests, and use it for the
matching responses.

svn path=/trunk/; revision=4228
2001-11-20 06:24:20 +00:00
Guy Harris b31b47e066 Dissect the setup words in pipe transactions that have them; that
obviates the need to have a protocol tree item for "MSRPC-over-SMB", as
the setup words for it are just standard TransactNmPipe setup words
(0x26 is the TransactNmPipe function code, and the next setup word is
the FID for the pipe in question.)

Pass to the pipe dissector tvbuffs for setup-words-plus-pipe (which is
the data for the pipe protocol) and parameters-plus-data (which is the
data for the protocol running atop the pipe protocol); use the former
for the top-level protocol tree item for the pipe protocol, and the
latter for the top-level protocol tree item for the LANMAN protocol.

svn path=/trunk/; revision=4223
2001-11-19 11:41:51 +00:00
Guy Harris 5b36683d39 Make the register routines for the mailslot, pipe, browser, and
mailslot-based logon protocols just be regular register routines,
detected by the script that generates the "register.c" file, rather than
special stuff known to the SMB dissector.

svn path=/trunk/; revision=4222
2001-11-19 10:23:39 +00:00
Guy Harris 853aa01c6e Pass, as the first tvbuff argument to "dissect_mailslot_smb()" and
"dissect_pipe_smb()", a tvbuff containing the setup words and the
pipe/mailslot pathname, as those are arguably the part of the packet
that contains the "mailslot protocol" and the "pipe protocol", as
opposed to the protocol running atop mailslots or pipes.

Pass a setup tvbuff to "dissect_pipe_smb()" for it to pass on to the
MSRPC-over-named-pipe dissector, and have the setup tvbuff passed to it
and "dissect_mailslot_smb()" contain *only* the setup words; don't
extract anything other than the setup words from it.

Declare "register_proto_smb_mailslot()" in "packet-smb-mailslot.h"
rather than "packet-smb.c", and declare "register_proto_smb_pipe()" in
"packet-smb-pipe.h" rather than "packet-smb.c".

Add a protocol for MSRPC-over-named-pipes.

Move the stuff to handle the FID in the setup words of
MSRPC-over-named-pipe transactions out of the SMB Transaction dissector
into the MSRPC dissector.  Add a routine to "packet-smb.c", callable
from outside "packet-smb.c", to put an "smb.fid" field into the protocol
tree, and to add ", FID: XXXX" to the Info column, for use by the
MSRPC-over-named-pipe dissector; use it in the SMB dissector as well, in
all the places where we put a FID into the protocol tree.

Move the stuff to check whether the LANMAN protocol is enabled, and to
set "pinfo->current_proto" to "LANMAN" if it is, into the LANMAN
API-over-named-pipe dissector out of the named pipe protocol dissector.

If we didn't dissect a Transaction request or reply as a named pipe or
mailslot message, put any setup words, parameters, and data it has into
the protocol tree as separate items.

Don't put a "Response in" item into the protocol tree for an NT Cancel
request, as there are no responses to NT Cancel requests.

svn path=/trunk/; revision=4221
2001-11-19 10:06:42 +00:00
Guy Harris dbec2dc1e8 From Tim Potter:
	display the returned FID in the Info column for NT Create And X
	replies;

	display the setup words, and treat the second word as a FID in
	Transaction requests presumed to contain DCE RPC-over-SMB.

Add the FID to the Info column for other open/create replies while we're
at it.

svn path=/trunk/; revision=4219
2001-11-18 22:12:46 +00:00
Guy Harris bdd9eb3cf4 Pass in the "smb_info" structure a pointer to the "smb_saved_info_t"
structure, so that it can be updated by subdissectors; this way the
updates affect the structure immediately, and don't get lost if the
subdissector later throws an exception.

Use "tvb_reported_length()" to check for an interim mailslot reply;
"tvb_length()" could give the wrong answer if a short snapshot length
was given in the capture.

svn path=/trunk/; revision=4218
2001-11-18 02:51:20 +00:00
Guy Harris c211cb9da9 Have only the request and response frame numbers, and a "void *", in an
"smb_saved_info_t".  Put all the information needed to dissect NT
Transaction replies, Transaction2 replies, or Transaction replies into
separate data structures, allocated separately, and put a pointer to
that data structure in the "void *" in question.

Use the return value of "dissect_pipe_smb()" and
"dissect_mailslot_smb()" to control whether to display as data the stuff
those routines were asked to dissect.

If we've seen a request before, but its "smb_saved_info_t" isn't in the
"matched" hash table, look in the "unmatched" hash table - perhaps we
haven't seen the reply yet.

svn path=/trunk/; revision=4216
2001-11-18 01:46:51 +00:00