Ethereal-dev: [Ethereal-dev] More SMB info levels
From: Andrew Esh <root@xxxxxxxxxxxxxxxxx>
Date: Thu, 16 May 2002 18:19:58 -0500
Added more info level matchups which have been seen in XP captures, both for File System queries, and many new ones for File Information queries. It was noted that the file stream name for the 1022 File request was not being decoded properly. The raw data was in unicode, so a fix was added to deal with that. Not sure if the 0x0109 request has the same unicode encoding, since no example of that is available, so 0x0109 was left unmodified. Also optimized a couple of lines of code in "get_unicode_or_ascii_string", where the same thing was being done on both sides of a conditional. Only a subset of these have actually been covered in testing, so there could be some more decode problems with the new info levels. -- Andrew C. Esh mail:Andrew.Esh(at)tricord.com Index: packet-smb.c =================================================================== RCS file: /cvsroot/ethereal/packet-smb.c,v retrieving revision 1.258 diff -a -u -c -r1.258 packet-smb.c cvs server: conflicting specifications of output style *** packet-smb.c 2002/05/15 19:37:20 1.258 --- packet-smb.c 2002/05/16 23:08:00 *************** *** 8633,8655 **** { 0x0103, "Query File EA Info (4.2.14.6)"}, { 0x0104, "Query File Name Info (4.2.14.7)"}, { 0x0107, "Query File All Info (4.2.14.8)"}, ! 
{ 0x0108, "Query File Alt File Info (4.2.14.7)"}, { 0x0109, "Query File Stream Info (4.2.14.10)"}, { 0x010b, "Query File Compression Info (4.2.14.11)"}, { 0x0200, "Set File Unix Basic"}, { 0x0201, "Set File Unix Link"}, { 0x0202, "Set File Unix HardLink"}, {0, NULL} }; static const value_string qfsi_vals[] = { { 1, "Info Allocation"}, { 2, "Info Volume"}, { 0x0102, "Query FS Volume Info"}, { 0x0103, "Query FS Size Info"}, { 0x0104, "Query FS Device Info"}, { 0x0105, "Query FS Attribute Info"}, { 1003, "Query FS Size Info"}, { 1006, "Query FS Quota Info"}, { 1007, "Query Full FS Size Info"}, {0, NULL} --- 8633,8693 ---- { 0x0103, "Query File EA Info (4.2.14.6)"}, { 0x0104, "Query File Name Info (4.2.14.7)"}, { 0x0107, "Query File All Info (4.2.14.8)"}, ! { 0x0108, "Query File Alt Name Info (4.2.14.7)"}, { 0x0109, "Query File Stream Info (4.2.14.10)"}, { 0x010b, "Query File Compression Info (4.2.14.11)"}, { 0x0200, "Set File Unix Basic"}, { 0x0201, "Set File Unix Link"}, { 0x0202, "Set File Unix HardLink"}, + { 1004, "Query File Basic Info (4.2.14.4)"}, + { 1005, "Query File Standard Info (4.2.14.5)"}, + { 1006, "Query File Internal Info (4.2.14.?)"}, + { 1007, "Query File EA Info (4.2.14.6)"}, + { 1009, "Query File Name Info (4.2.14.7)"}, + { 1010, "Query File Rename Info (4.2.14.?)"}, + { 1011, "Query File Link Info (4.2.14.?)"}, + { 1012, "Query File Names Info (4.2.14.?)"}, + { 1013, "Query File Disposition Info (4.2.14.?)"}, + { 1014, "Query File Position Info (4.2.14.?)"}, + { 1015, "Query File Full EA Info (4.2.14.?)"}, + { 1016, "Query File Mode Info (4.2.14.?)"}, + { 1017, "Query File Alignment Info (4.2.14.?)"}, + { 1018, "Query File All Info (4.2.14.8)"}, + { 1019, "Query File Allocation Info (4.2.14.?)"}, + { 1020, "Query File End of File Info (4.2.14.?)"}, + { 1021, "Query File Alt Name Info (4.2.14.7)"}, + { 1022, "Query File Stream Info (4.2.14.10)"}, + { 1023, "Query File Pipe Info (4.2.14.?)"}, + { 1024, "Query File Pipe Local Info (4.2.14.?)"}, + { 
1025, "Query File Pipe Remote Info (4.2.14.?)"}, + { 1026, "Query File Mailslot Query Info (4.2.14.?)"}, + { 1027, "Query File Mailslot Set Info (4.2.14.?)"}, + { 1028, "Query File Compression Info (4.2.14.11)"}, + { 1029, "Query File ObjectID Info (4.2.14.?)"}, + { 1030, "Query File Completion Info (4.2.14.?)"}, + { 1031, "Query File Move Cluster Info (4.2.14.?)"}, + { 1032, "Query File Quota Info (4.2.14.?)"}, + { 1033, "Query File Reparsepoint Info (4.2.14.?)"}, + { 1034, "Query File Network Open Info (4.2.14.?)"}, + { 1035, "Query File Attribute Tag Info (4.2.14.?)"}, + { 1036, "Query File Tracking Info (4.2.14.?)"}, + { 1037, "Query File Maximum Info (4.2.14.?)"}, {0, NULL} }; static const value_string qfsi_vals[] = { { 1, "Info Allocation"}, { 2, "Info Volume"}, + { 0x0101, "Query FS Label Info"}, { 0x0102, "Query FS Volume Info"}, { 0x0103, "Query FS Size Info"}, { 0x0104, "Query FS Device Info"}, { 0x0105, "Query FS Attribute Info"}, + { 1001, "Query FS Label Info"}, + { 1002, "Query FS Volume Info"}, { 1003, "Query FS Size Info"}, + { 1004, "Query FS Device Info"}, + { 1005, "Query FS Attribute Info"}, { 1006, "Query FS Quota Info"}, { 1007, "Query Full FS Size Info"}, {0, NULL} *************** *** 9924,9957 **** --- 9962,10004 ---- &trunc); break; case 0x0101: /*Query File Basic Info*/ + case 1004: /* SMB_FILE_BASIC_INFORMATION */ offset = dissect_4_2_14_4(tvb, pinfo, tree, offset, bcp, &trunc); break; case 0x0102: /*Query File Standard Info*/ + case 1005: /* SMB_FILE_STANDARD_INFORMATION */ offset = dissect_4_2_14_5(tvb, pinfo, tree, offset, bcp, &trunc); break; case 0x0103: /*Query File EA Info*/ + case 1007: /* SMB_FILE_EA_INFORMATION */ offset = dissect_4_2_14_6(tvb, pinfo, tree, offset, bcp, &trunc); break; case 0x0104: /*Query File Name Info*/ + case 1009: /* SMB_FILE_NAME_INFORMATION */ offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp, &trunc); break; case 0x0107: /*Query File All Info*/ + case 1018: /* SMB_FILE_ALL_INFORMATION */ offset = 
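Review bot: Most of the decimal levels added to the first table (1006, 1010-1017, 1019, 1020, 1023-1027, 1029-1037) get a display name here but no matching `case` in the info-level switch touched by the next hunk, which handles only 1004, 1005, 1007, 1009, 1018, 1021, 1022 and 1028. A capture carrying one of the others will be shown as a known level while its payload is presumably left undissected; what the switch's default branch does is outside this hunk. A comment above the new entries, such as `/* levels seen in XP captures; only those with a case in the info-level switch are dissected */`, would make that explicit. The `(4.2.14.?)` placeholders and the mix of hex and decimal keys in `qfsi_vals` would also benefit from a one-line explanation.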
dissect_4_2_14_8(tvb, pinfo, tree, offset, bcp, &trunc); break; case 0x0108: /*Query File Alt File Info*/ + case 1021: /* SMB_FILE_ALTERNATE_NAME_INFORMATION */ offset = dissect_4_2_14_7(tvb, pinfo, tree, offset, bcp, &trunc); break; + case 1022: /* SMB_FILE_STREAM_INFORMATION */ + ((smb_info_t *)(pinfo->private_data))->unicode = TRUE; case 0x0109: /*Query File Stream Info*/ offset = dissect_4_2_14_10(tvb, pinfo, tree, offset, bcp, &trunc); break; case 0x010b: /*Query File Compression Info*/ + case 1028: /* SMB_FILE_COMPRESSION_INFORMATION */ offset = dissect_4_2_14_11(tvb, pinfo, tree, offset, bcp, &trunc); break; *************** *** 11432,11438 **** --- 11479,11503 ---- COUNT_BYTES_TRANS_SUBR(fn_len); break; + case 0x0101: /* SMB_QUERY_FS_LABEL_INFO */ + case 1001: /* SMB_FS_LABEL_INFORMATION */ + /* volume label length */ + CHECK_BYTE_COUNT_TRANS_SUBR(4); + vll = tvb_get_letohl(tvb, offset); + proto_tree_add_uint(tree, hf_smb_volume_label_len, tvb, offset, 4, vll); + COUNT_BYTES_TRANS_SUBR(4); + + /* label */ + fn_len = vll; + fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp); + CHECK_STRING_TRANS_SUBR(fn); + proto_tree_add_string(tree, hf_smb_volume_label, tvb, offset, fn_len, + fn); + COUNT_BYTES_TRANS_SUBR(fn_len); + + break; case 0x0102: /* SMB_QUERY_FS_VOLUME_INFO */ + case 1002: /* SMB_FS_VOLUME_INFORMATION */ /* create time */ CHECK_BYTE_COUNT_TRANS_SUBR(8); offset = dissect_smb_64bit_time(tvb, tree, offset, *************** *** 11488,11493 **** --- 11553,11559 ---- break; case 0x0104: /* SMB_QUERY_FS_DEVICE_INFO */ + case 1004: /* SMB_FS_DEVICE_INFORMATION */ /* device type */ CHECK_BYTE_COUNT_TRANS_SUBR(4); proto_tree_add_item(tree, hf_smb_device_type, tvb, offset, 4, TRUE); *************** *** 11500,11505 **** --- 11566,11572 ---- break; case 0x0105: /* SMB_QUERY_FS_ATTRIBUTE_INFO */ + case 1005: /* SMB_FS_ATTRIBUTE_INFORMATION */ /* FS attributes */ CHECK_BYTE_COUNT_TRANS_SUBR(4); offset = dissect_fs_attributes(tvb, tree, 
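Review bot: The new `case 1022` sets `->unicode = TRUE` on the `smb_info_t` behind `pinfo->private_data` and never restores the previous value, so any string decoded later through that structure is treated as Unicode regardless of what the SMB header indicated. In a dissector that parses untrusted captures, this can cause ASCII fields to be read as two-byte characters, bounded only by whatever the string helpers check. Save the flag, call `dissect_4_2_14_10`, and restore it afterwards, rather than falling through unmarked into `case 0x0109`. Whether `private_data` can be NULL at this point is not visible here, and the switch itself starts and ends outside the hunk.

```c
case 1022: /* SMB_FILE_STREAM_INFORMATION */
	{
		smb_info_t *si = (smb_info_t *)pinfo->private_data;
		gboolean saved_unicode = si->unicode;

		/* stream names at this level were seen as Unicode in XP captures */
		si->unicode = TRUE;
		offset = dissect_4_2_14_10(tvb, pinfo, tree, offset, bcp, &trunc);
		si->unicode = saved_unicode;
	}
	break;
case 0x0109: /*Query File Stream Info*/
	/* … unchanged: dissect_4_2_14_10 call and break … */
```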
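Review bot: In the new `case 0x0101` / `case 1001` block, the 32-bit `vll` read from the packet is copied straight into `fn_len` and later used as the item length in `proto_tree_add_string`, with no comparison against the remaining byte count. `CHECK_BYTE_COUNT_TRANS_SUBR(4)` covers only the length field itself. An oversized label length, or a negative one if `fn_len` is a signed int, therefore depends entirely on `get_unicode_or_ascii_string` and `CHECK_STRING_TRANS_SUBR` to reject it, and both are defined outside this hunk. Consider bounding the value before use, for example `CHECK_BYTE_COUNT_TRANS_SUBR(vll);` ahead of `fn_len = vll;`, assuming the macro compares its argument with `*bcp`. A short comment stating that `vll` is attacker-controlled wire data would help the next reader.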
offset); *************** *** 13025,13034 **** } if(exactlen){ string_len = *len; - string = unicode_to_str(tvb, *offsetp, &string_len, exactlen, *bcp); - } else { - string = unicode_to_str(tvb, *offsetp, &string_len, exactlen, *bcp); } } else { if(exactlen){ /* --- 13092,13099 ---- } if(exactlen){ string_len = *len; } + string = unicode_to_str(tvb, *offsetp, &string_len, exactlen, *bcp); } else { if(exactlen){ /*