Ethereal-dev: Re: [Ethereal-dev] Incorrect parsing of: SMB -> Trans2 -> Query File Information
Dave Aitel wrote:
> Quick note, latest stable Ethereal does not properly dissect SMB ->
> Trans2 -> Query File Information (Query All Information) requests.

Is that what's called SMB_QUERY_FILE_ALL_INFO in the CIFS spec?

> I can provide a capture file.

That'd be useful, for testing.

> Test platforms:
> ethereal-0.10.7
> FC2 default samba client
> Windows 2000 target (connect to C$ and get a file)
>
> I'm not completely sure of the solution, but following is a guess/kludge
> of the proper dissection (from CANVAS)
>
> def parse_qfi(data):
>     ret={}
>     ret["EA Error Offset"]=istr2halfword(data[:2])
>     #padding eats 2 bytes
>     ret["Created"]=data[4:12]
>     ret["Last Access"]=data[12:20]
>     ret["Last Write"]=data[20:28]
>     ret["Change"]=data[28:36]
>     ret["File Attributes"]=istr2int(data[36:42])
>     #initialised so the += below does not raise KeyError
>     #(assumes attributes_dict values are strings)
>     ret["Attributes"]=""
>     for a in attributes_dict.keys():
>         if a & ret["File Attributes"]:
>             ret["Attributes"]+=attributes_dict[a]
>     #4 bytes of 0's (not understood)
>     ret["Allocation Size"]=istr2int(data[46:50]) #not correct in ethereal...
>     #4 bytes of 0's (not understood)
>     ret["End of File"]=istr2int(data[58:62])
>     return ret

That doesn't exactly match SMB_QUERY_FILE_ALL_INFO according to the SMB
spec - there's no EA error offset in SMB_QUERY_FILE_ALL_INFO, and that
has more stuff after End of file.
Also, in SMB_QUERY_FILE_ALL_INFO, allocation size is a LARGE_INTEGER,
which is 8 bytes, as is end of file, so that's what the 4 bytes of 0
are, although the 4 bytes of zero should be at a higher offset if
they're in little-endian byte order (as I'd expect them to be).
Attributes is claimed to be a USHORT in the SMB spec, but it might
actually be 4 bytes - or padded to 4 bytes.
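
The layout this reply describes, as an added example that is not part of the original thread and is not Ethereal or CANVAS code: a bounds-checked Python parser that keeps the 2-byte EA error offset and 2 padding bytes from the quoted function, then reads four FILETIMEs, a 4-byte attributes field followed by 4 reserved bytes (an assumption, following the "padded to 4 bytes" remark), and allocation size and end of file as little-endian 8-byte integers. `parse_qfi_all_info`, `LAYOUT`, `ATTRS` and `SAMPLE` are names made up here, and `SAMPLE` is a constructed buffer.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed layout (not taken from Ethereal or CANVAS): EA error offset (2) and
# padding (2) as in the quoted function, four 8-byte FILETIMEs, attributes
# read as 4 bytes plus 4 reserved bytes, then two little-endian 8-byte
# LARGE_INTEGERs for allocation size and end of file.
LAYOUT = struct.Struct("<H2x4QI4xqq")  # 60 bytes, "<" means no alignment padding
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
         0x10: "DIRECTORY", 0x20: "ARCHIVE"}

def filetime(ticks):
    """Convert 100 ns ticks since 1601-01-01 UTC to a datetime."""
    return EPOCH + timedelta(microseconds=ticks // 10)

def parse_qfi_all_info(data):
    """Parse the fixed-size head of a Query All Information reply."""
    # Refuse short buffers instead of slicing past the end and silently
    # decoding empty or partial fields.
    if len(data) < LAYOUT.size:
        raise ValueError("truncated: %d < %d bytes" % (len(data), LAYOUT.size))
    ea, created, access, write, change, attrs, alloc, eof = LAYOUT.unpack_from(data)
    return {
        "EA Error Offset": ea,
        "Created": filetime(created),
        "Last Access": filetime(access),
        "Last Write": filetime(write),
        "Change": filetime(change),
        "File Attributes": attrs,
        "Attributes": [name for bit, name in sorted(ATTRS.items()) if attrs & bit],
        "Allocation Size": alloc,
        "End of File": eof,
    }

# Constructed sample: all four times set to 1970-01-01 UTC, ARCHIVE attribute,
# 4096-byte allocation, and an end-of-file value that needs more than 32 bits.
UNIX_EPOCH_TICKS = 116444736000000000
TIMES = [UNIX_EPOCH_TICKS] * 4
SAMPLE = LAYOUT.pack(0, *TIMES, 0x20, 4096, 5_000_000_000)

if __name__ == "__main__":
    # For the 4096-byte allocation the zero high dword sits at SAMPLE[48:52],
    # after the low dword, as expected for little-endian byte order.
    for key, value in parse_qfi_all_info(SAMPLE).items():
        print("%-16s %s" % (key, value))
```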