Hi everyone. Here is a small patch which starts to add fid tracking
for msrpc calls. Also, display the returned fid in the info
column of the ntcreate&x reply.
I would like to be able to type "smb.fid == 0x4000" into the filter
field and have all operations on that fid come up. At the moment,
that filter only matches the ntcreate&x response, the dcerpc bind and msrpc
requests, and the read&x requests for large dcerpc packets. What I
would like is the responses to be picked out as well by adding a
hidden uint item for the fid from the request packet.
Should I add this to the smb_info_t, or the smb_saved_info_t, or
perhaps start breaking things out into a separate structure of its own
like smb_ntcreate_info_t?
Tim.
*** packet-smb.c.~1.154.~ Sat Nov 17 08:01:53 2001
--- packet-smb.c Sun Nov 18 07:54:30 2001
***************
*** 506,511 ****
--- 506,513 ----
static int hf_smb_fs_attr_vq = -1;
static int hf_smb_fs_attr_dim = -1;
static int hf_smb_fs_attr_vic = -1;
+ static int hf_smb_setupword1 = -1;
+ static int hf_smb_setupword2 = -1;
static gint ett_smb = -1;
static gint ett_smb_hdr = -1;
***************
*** 7139,7144 ****
--- 7141,7147 ----
guint8 wc, cmd=0xff;
guint16 andxoffset=0;
guint16 bc;
+ guint16 fid;
WORD_COUNT;
***************
*** 7166,7173 ****
--- 7169,7180 ----
/* fid */
proto_tree_add_item(tree, hf_smb_fid, tvb, offset, 2, TRUE);
+ fid = tvb_get_letohs(tvb, offset);
offset += 2;
+ if (check_col(pinfo->fd, COL_INFO))
+ col_append_fstr(pinfo->fd, COL_INFO, ", FID: 0x%04x", fid);
+
/* create action */
/*XXX is this really the same as create disposition in the request? it looks so*/
proto_tree_add_item(tree, hf_smb_create_action, tvb, offset, 4, TRUE);
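Review bot: The fid is decoded twice here — once by `proto_tree_add_item(tree, hf_smb_fid, ...)` for the tree and again by the added `fid = tvb_get_letohs(tvb, offset);` for the column — whereas the 0x25 hunk in this same patch fetches each value once and passes it to `proto_tree_add_uint`. Doing the same here keeps one read and one place to change if the field width ever changes: `fid = tvb_get_letohs(tvb, offset);` followed by `proto_tree_add_uint(tree, hf_smb_fid, tvb, offset, 2, fid);`. The `check_col` guard before `col_append_fstr` is correct and should stay. The enclosing function starts before this hunk, so I can't see whether `fid` is used anywhere else.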
***************
*** 8876,8882 ****
break;
case 0x25:
! /* TRANSACTION setup words processed below */
break;
}
--- 8883,8908 ----
break;
case 0x25:
! /* MSRPC transactions have two setup count
! words which we decode here. Setup word 1
! is always 0x26. The second setup word is
! the fid which the transaction occurs on. */
! if (sc == 2) {
! guint16 sw1, sw2;
!
! sw1 = tvb_get_letohs(tvb, offset);
! sw2 = tvb_get_letohs(tvb, offset + 2);
!
! proto_tree_add_uint(tree, hf_smb_setupword1, tvb, offset, 2, sw1);
! proto_tree_add_uint(tree, hf_smb_setupword2, tvb, offset + 2, 2, sw2);
!
! /* Make fid hidden so we can find it
! in a filter. */
!
! if (sw1 == 0x26)
! proto_tree_add_uint_hidden(tree, hf_smb_fid, tvb, offset + 2, 2, sw2);
! }
!
break;
}
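Review bot: The removed comment said the setup words are "processed below", and the new branch decodes them without advancing `offset`; if that generic processing still runs after the switch, both setup words will appear twice in the tree for 0x25, and if it was meant to be skipped for this case the hunk does not show that. Either way a line stating the intent, e.g. `/* offset is not advanced: the generic setup-word handling below still consumes these words */` (or the inverse), would settle it; I can't confirm from the hunk since `sc` and the code after the switch are outside it. The new comment also asserts setup word 1 "is always 0x26" while the code correctly guards on `if (sw1 == 0x26)`; rewording to `/* For named-pipe (MSRPC) transactions setup word 1 is the pipe function 0x26 (TransactNmPipe) and setup word 2 is the fid */` matches what the guard enforces. Replacing the bare `0x26` and `2` with named constants would make the guard self-describing.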
***************
*** 14314,14319 ****
--- 14340,14353 ----
{ &hf_smb_fs_attr_vic,
{ "Compressed", "smb.fs.attr.vic", FT_BOOLEAN, 32,
TFS(&tfs_fs_attr_vic), 0x00008000, "Is this FS Compressed?", HFILL }},
+
+ { &hf_smb_setupword1,
+ { "Setup Word 1", "smb.transaction.setupword1", FT_UINT16, BASE_HEX,
+ NULL, 0, "First setup word in TRANSACTION command", HFILL }},
+
+ { &hf_smb_setupword2,
+ { "Setup Word 2", "smb.transaction.setupword2", FT_UINT16, BASE_HEX,
+ NULL, 0, "Second setup word in TRANSACTION command", HFILL }},
};
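Review bot: The blurbs "First setup word in TRANSACTION command" / "Second setup word in TRANSACTION command" describe any TRANSACTION, but in this patch `hf_smb_setupword1`/`hf_smb_setupword2` are only populated on the 0x25 path and only when the setup count is 2, so a user filtering on `smb.transaction.setupword1` will not see it for other transaction subcommands. Either narrow the blurb, e.g. `"First setup word (pipe function) of a named-pipe TRANSACTION"`, or populate the fields for every TRANSACTION so the filter names hold generally. The earlier hunk that adds the items would need to change in the second case.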