Smb2-protocol: Re: [Smb2-protocol] Re: Two more smb2 header flags

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Stefan (metze) Metzmacher" <metze@xxxxxxxxx>
Date: Tue, 07 Feb 2006 11:36:16 +0100
ronnie sahlberg schrieb:
> Ah,
> 
> 
> Flag 0x02 is  "ProcessID is valid"
> 
> See attached capture for a transaction with Notify and Cancel where this bit
> is used.
> This bit is also set for Ioctl and Reads to named pipes when they also
> return STATUS_PENDING. These replies also have a valid (non-0xfffe PID
> value)
> 
> 
> All other packets i have seen always specify this bit as clear and ProcessID
> as 0xfffe which is likely some default value.

Hi Ronnie,

can you apply this patch?

I also noticed that the 0x02 flag also mean that the tid is invalid,
so it seems either the TID or the PID is valid...

metze
=== epan/dissectors/packet-nbap.h
==================================================================
--- epan/dissectors/packet-nbap.h	(revision 1496)
+++ epan/dissectors/packet-nbap.h	(local)
@@ -10,7 +10,7 @@
  * Routines for UMTS Node B Application Part(NBAP) packet dissection
  * Copyright 2005, Anders Broman <anders.broman@xxxxxxxxxxxx>
  *
- * $Id: packet-nbap-template.h 16293 2005-10-24 21:16:44Z etxrab $
+ * $Id$
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs <gerald@xxxxxxxxxxxx>
=== epan/dissectors/packet-smb2.c
==================================================================
--- epan/dissectors/packet-smb2.c	(revision 1496)
+++ epan/dissectors/packet-smb2.c	(local)
@@ -63,6 +63,7 @@
 static int hf_smb2_tid = -1;
 static int hf_smb2_uid = -1;
 static int hf_smb2_flags_response = -1;
+static int hf_smb2_flags_valid_pid = -1;
 static int hf_smb2_response_buffer_offset = -1;
 static int hf_smb2_security_blob_offset = -1;
 static int hf_smb2_security_blob_len = -1;
@@ -188,6 +189,7 @@
 static gint ett_smb2_ea = -1;
 static gint ett_smb2_header = -1;
 static gint ett_smb2_command = -1;
+static gint ett_smb2_flags = -1;
 static gint ett_smb2_secblob = -1;
 static gint ett_smb2_file_basic_info = -1;
 static gint ett_smb2_file_standard_info = -1;
@@ -654,13 +656,16 @@
        int (*response)(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, smb2_info_t *si);
 } smb2_function;
 
-#define SMB2_FLAGS_RESPONSE	0x01
-
 static const true_false_string tfs_flags_response = {
 	"This is a RESPONSE",
 	"This is a REQUEST"
 };
 
+static const true_false_string tfs_flags_valid_pid = {
+	"PID field is invalid",
+	"PID field is valid",
+};
+
 static const value_string compression_format_vals[] = {
   { 0, "COMPRESSION_FORMAT_NONE" },
   { 1, "COMPRESSION_FORMAT_DEFAULT" },
@@ -2133,7 +2138,7 @@
 	};
 	value_string *vs;
 
-	if(si->response){
+	if(si->flags & SMB2_FLAGS_RESPONSE){
 		if(!si->saved){
 			return offset;
 		}
@@ -2170,17 +2175,17 @@
 
 	/* class */
 	item=proto_tree_add_uint(tree, hf_smb2_class, tvb, offset, 1, cl);
-	if(si->response){
+	if(si->flags & SMB2_FLAGS_RESPONSE){
 		PROTO_ITEM_SET_GENERATED(item);
 	}
 	/* infolevel */
 	item=proto_tree_add_uint(tree, hfindex, tvb, offset+1, 1, il);
-	if(si->response){
+	if(si->flags & SMB2_FLAGS_RESPONSE){
 		PROTO_ITEM_SET_GENERATED(item);
 	}
 	offset += 2;
 
-	if(!si->response){
+	if(!si->flags & SMB2_FLAGS_RESPONSE){
 		/* Only update COL_INFO for requests. It clutters the
 		 * display ab bit too much if we do it for replies
 		 * as well.
@@ -3608,9 +3613,10 @@
   { 0xFF, "unknown-0xFF" },
   { 0x00, NULL },
 };
-static const char *decode_smb2_name(guint8 cmd)
+static const char *decode_smb2_name(guint16 cmd)
 {
-  return(smb2_cmd_vals[cmd].strptr);
+  if (cmd > 0xFF) return "unknown";
+  return(smb2_cmd_vals[cmd & 0xFF].strptr);
 }
 
 static smb2_function smb2_dissector[256] = {
@@ -3919,12 +3925,12 @@
 	cmd_item = proto_tree_add_text(tree, tvb, offset, -1,
 			"%s %s (0x%02x)",
 			decode_smb2_name(si->opcode),
-			si->response?"Response":"Request",
+			(si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request",
 			si->opcode);
 	cmd_tree = proto_item_add_subtree(cmd_item, ett_smb2_command);
 
 
-	cmd_dissector=si->response?
+	cmd_dissector=(si->flags & SMB2_FLAGS_RESPONSE)?
 		smb2_dissector[si->opcode&0xff].response:
 		smb2_dissector[si->opcode&0xff].request;
 	if(cmd_dissector){
@@ -4032,6 +4038,8 @@
 	proto_tree *tree=NULL;
 	proto_item *header_item=NULL;
 	proto_tree *header_tree=NULL;
+	proto_item *flags_item=NULL;
+	proto_tree *flags_tree=NULL;
 	int offset=0;
 	int old_offset;
 	guint16 header_len;
@@ -4113,7 +4121,7 @@
 
 
 	/* opcode */
-	si->opcode=tvb_get_guint8(tvb, offset);
+	si->opcode=tvb_get_letohs(tvb, offset);
 	proto_tree_add_item(header_tree, hf_smb2_cmd, tvb, offset, 2, TRUE);
 	offset += 2;
 
@@ -4122,13 +4130,20 @@
 	offset += 2;
 
 	/* flags */
-	si->response=tvb_get_guint8(tvb, offset)&SMB2_FLAGS_RESPONSE;
-	proto_tree_add_item(header_tree, hf_smb2_flags_response, tvb, offset, 1, FALSE);
-	offset += 1;
+	si->flags=tvb_get_letohl(tvb, offset);
+	if(header_tree){
+		flags_item = proto_tree_add_text(header_tree, tvb, offset, 2,
+			"Flags: 0x%08x", si->flags);
+		flags_tree = proto_item_add_subtree(flags_item, ett_smb2_flags);
+	}
+	proto_tree_add_boolean(flags_tree, hf_smb2_flags_valid_pid, tvb, offset, 4, si->flags);
+	proto_tree_add_boolean(flags_tree, hf_smb2_flags_response, tvb, offset, 4, si->flags);
 
+	offset += 4;
+
 	/* some unknown bytes */
-	proto_tree_add_item(header_tree, hf_smb2_unknown, tvb, offset, 7, FALSE);
-	offset += 7;
+	proto_tree_add_item(header_tree, hf_smb2_unknown, tvb, offset, 4, FALSE);
+	offset += 4;
 
 	/* command sequence number*/
 	si->seqnum=tvb_get_letoh64(tvb, offset);
@@ -4158,7 +4173,7 @@
 	if (check_col(pinfo->cinfo, COL_INFO)){
 		col_append_fstr(pinfo->cinfo, COL_INFO, "%s %s",
 			decode_smb2_name(si->opcode),
-			si->response?"Response":"Request");
+			(si->flags & SMB2_FLAGS_RESPONSE)?"Response":"Request");
 		if(si->status){
 			col_append_fstr(
 				pinfo->cinfo, COL_INFO, ", Error: %s",
@@ -4172,7 +4187,7 @@
 		/* see if we can find this seqnum in the unmatched table */
 		ssi=g_hash_table_lookup(si->conv->unmatched, &ssi_key);
 
-		if(!si->response){
+		if(!(si->flags & SMB2_FLAGS_RESPONSE)){
 			/* This is a request */
 			if(ssi){
 				/* this is a request and we already found 
@@ -4218,7 +4233,7 @@
 	}
 
 	if(ssi){
-		if(!si->response){
+		if(!(si->flags & SMB2_FLAGS_RESPONSE)){
 			if(ssi->frame_res){
 				proto_item *tmp_item;
 				tmp_item=proto_tree_add_uint(header_tree, hf_smb2_response_in, tvb, 0, 0, ssi->frame_res);
@@ -4332,8 +4347,11 @@
 		{ "Process Id", "smb2.pid", FT_UINT32, BASE_HEX,
 		NULL, 0, "SMB2 Process Id", HFILL }},
 	{ &hf_smb2_flags_response,
-		{ "Response", "smb2.flags.response", FT_BOOLEAN, 8,
+		{ "Response", "smb2.flags.response", FT_BOOLEAN, 32,
 		TFS(&tfs_flags_response), SMB2_FLAGS_RESPONSE, "Whether this is an SMB2 Request or Response", HFILL }},
+	{ &hf_smb2_flags_valid_pid,
+		{ "Response", "smb2.flags.valid_pid", FT_BOOLEAN, 32,
+		TFS(&tfs_flags_valid_pid), SMB2_FLAGS_VALID_PID, "Whether the PID field of the SMB2 Header is valid", HFILL }},
 	{ &hf_smb2_tree,
 		{ "Tree", "smb2.tree", FT_STRING, BASE_NONE,
 		NULL, 0, "Name of the Tree/Share", HFILL }},
@@ -4776,6 +4794,7 @@
 		&ett_smb2_olb,
 		&ett_smb2_header,
 		&ett_smb2_command,
+		&ett_smb2_flags,
 		&ett_smb2_secblob,
 		&ett_smb2_file_basic_info,
 		&ett_smb2_file_standard_info,
=== epan/dissectors/packet-smb2.h
==================================================================
--- epan/dissectors/packet-smb2.h	(revision 1496)
+++ epan/dissectors/packet-smb2.h	(local)
@@ -87,7 +87,7 @@
 	guint32 tid;
 	guint64 uid;
 	guint64 seqnum;
-	gboolean response; /* is this a response ? */
+	guint32 flags;
 	smb2_conv_info_t	*conv;
 	smb2_saved_info_t	*saved;
 	smb2_tid_info_t		*tree;
@@ -95,6 +95,8 @@
 	proto_tree *top_tree;	
 } smb2_info_t;
 
+#define SMB2_FLAGS_RESPONSE	0x00000001
+#define SMB2_FLAGS_VALID_PID	0x00000002
 
 int dissect_smb2_FILE_OBJECTID_BUFFER(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset);
 
=== gtk/smb2_stat.c
==================================================================
--- gtk/smb2_stat.c	(revision 1496)
+++ gtk/smb2_stat.c	(local)
@@ -88,7 +88,7 @@
 	const smb2_info_t *si=psi;
 
 	/* we are only interested in reply packets */
-	if(!si->response){
+	if(!(si->flags & SMB2_FLAGS_RESPONSE)){
 		return 0;
 	}
 	/* if we havnt seen the request, just ignore it */

Attachment: signature.asc
Description: OpenPGP digital signature