Wireshark · Ethereal-dev: [Ethereal-dev] A question in for NBSS dissector

Ethereal-dev: [Ethereal-dev] A question in for NBSS dissector

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Huagang Xie <xie@xxxxxxxx>

Date: Tue, 15 Apr 2003 00:12:08 -0700

Hi, 

in packet-nbns.c


        if (pinfo->match_port == TCP_PORT_CIFS) {
                /*
                 * Windows 2000 CIFS clients can dispense completely
                 * with the NETBIOS encapsulation and directly use CIFS
                 * over TCP. As would be expected, the framing is
                 * identical, except that the length is 24 bits instead
                 * of 17. The only message types used are
                 * SESSION_MESSAGE and SESSION_KEEP_ALIVE.
                 */
                is_cifs = TRUE;
        } else {
                is_cifs = FALSE;
        }

The TCP_PORT_CIFS here is 445, but even if on port 445, the SMB/CIFS is still over NETBIOS-SS. Since this affect the "netbios-length" checking later, 

              /*
                 * We have enough data for an NBSS header.
                 * Get the flags and length of the message,
                 * and see if they're sane.
                 */
                if (is_cifs) {
                        flags = 0;
                        length = tvb_get_ntoh24(tvb, offset + 1);
                } else {
                        flags = tvb_get_guint8(tvb, offset + 1);
                        length = tvb_get_ntohs(tvb, offset + 2);
                        if (flags & NBSS_FLAGS_E)
                                length += 65536;
                }

And will make some CIFS/SMB packet over port 445 dissect as NBSS packet rather than continue dissect as "SMB/DCERPC" etc when the "flags!=0"

I will suggest to remove this (is_cifs) checking, Any idea?

Huagang

-- 
LIDS secure linux kernel
http://www.lids.org/
1024D/B6EFB028 		4731 2BF7 7735 4DBD 3771  4E24 B53B B60A B6EF B028

Attachment: pgp2TWMPiShlZ.pgp
Description: PGP signature

Follow-Ups:
- Re: [Ethereal-dev] A question in for NBSS dissector
  - From: Guy Harris

References:
- [Ethereal-dev] [patch] DSI more getserverinfo decoding
  - From: didier
- Re: [Ethereal-dev] [patch] DSI more getserverinfo decoding
  - From: Guy Harris

Prev by Date: Re: [Ethereal-dev] [patch] DSI more getserverinfo decoding
Next by Date: Re: [Ethereal-dev] A question in for NBSS dissector
Previous by thread: Re: [Ethereal-dev] [patch] DSI more getserverinfo decoding
Next by thread: Re: [Ethereal-dev] A question in for NBSS dissector
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$