"dissect_nt_sec_desc()".
Also, get rid of code to handle lengths of -1 in "dissect_nt_sec_desc()"
- we never pass it a length of -1, as security descriptors aren't sent
over the wire with NDR syntax.
svn path=/trunk/; revision=5317
Remove the declaration of "dissect_nt_sid()" from
"packet-dcerpc-samr.c"; get it by including "packet-smb-common.h",
instead.
svn path=/trunk/; revision=5313
then later construct the sub-authority string from that array; we can
just construct the string as we fetch the sub-authorities.
Given that we're doing that, use the cleanup handler to free the string,
so that we don't leak memory if we throw an exception when fetching the
RID, for example.
svn path=/trunk/; revision=5294
values.
Note that in a Negotiate Protocol response, the primary domain won't be
present if the negotiated dialect isn't "DOS LANMAN 2.1" or "LANMAN2.1".
At least for Info Standard replies for Transaction2 Find First2
requests, if the request had the "return resume keys" flag set, the
reply will have a resume key at the beginning of each entry. We assume
that to be the case for Info Query EA Size and Info QUery EAs From List;
it does *not* appear to be the case for Find File Directory Info, Find
File Full Directory Info, or Find File Both Directory Info (they don't
have it even if the flag is set, at least in the captures I've seen).
The length of the name string in Find First2 entries doesn't include the
terminating '\0'; count that as well.
svn path=/trunk/; revision=5259
inside a Netlogon security descriptor.
Correctly dissect NT security descriptors as they appear inside an LSA
security descriptor (at least as those appear inside a Netlogon security
descriptor) - they get sent over the wire, apparently, as an opaque blob
from the point of view of DCE RPC, at least from one capture I've seen,
they do *not* get sent over the wire in DCE RPC NDR syntax.
svn path=/trunk/; revision=5212
top-level item correspond to the reassembled data, and make the item for
each fragment/segment correspond to the part of that reassembled data
that came from that fragment/segment.
svn path=/trunk/; revision=5025
that a country code of 0 is for the "default", presumably meaning "don't
override the setting on the desktop machine" or something such as that.
svn path=/trunk/; revision=5015
traffic or not, that data doesn't include the padding; handle padding
if you're dissecting it as DCERPC traffic.
Don't treat the traffic as DCERPC traffic unless it's to the IPC$ share.
svn path=/trunk/; revision=4956
is non-null, as there's no guarantee that the corresponding SMB request
is in the capture. Check whether it's null before using it.
svn path=/trunk/; revision=4954
I have captures with w2k speaking DCERPC without using the normal
Transaction named pipes SMBs.
Instead DCERPC is just implemented ontop of ordinary read/write calls.
The smb dissector now examines TreeConnectAndX and stores the conversation/tid/type-of-share in a table for later access.
All SMB requests examine that hash table to find out if TID in the header refers
to a normal share or an IPC$ share.
Initial support in read/write SMB calls to detect if the operations are for an
IPC share and thus it assumes it must be DCERPC commands in the payload.
Desegmentation/Reassembly of these types of calls are not implemented yet.
svn path=/trunk/; revision=4952
there's a space after the colon, and so that there's no extra comma at the
end and only one space between the items.
Fix a typo.
svn path=/trunk/; revision=4940
Guy Harris