1 /* packet-smb-browse.c 2 * Routines for SMB Browser packet dissection 3 * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com> 4 * 5 * Wireshark - Network traffic analyzer 6 * By Gerald Combs <gerald@wireshark.org> 7 * Copyright 1998 Gerald Combs 8 * 9 * Copied from packet-pop.c 10 * 11 * SPDX-License-Identifier: GPL-2.0-or-later 12 */ 13 14 #include "config.h" 15 16 17 #include <epan/packet.h> 18 #include <epan/to_str.h> 19 20 #include "packet-smb-browse.h" 21 #include "packet-dcerpc.h" 22 23 void proto_register_smb_browse(void); 24 25 static int proto_smb_browse = -1; 26 static int hf_command = -1; 27 static int hf_update_count = -1; 28 static int hf_periodicity = -1; 29 static int hf_server_name = -1; 30 static int hf_mb_server_name = -1; 31 static int hf_mb_reset_command = -1; 32 static int hf_mb_reset_demote = -1; 33 static int hf_mb_reset_flush = -1; 34 static int hf_mb_reset_stop = -1; 35 static int hf_os_major = -1; 36 static int hf_os_minor = -1; 37 static int hf_server_type = -1; 38 static int hf_server_type_workstation = -1; 39 static int hf_server_type_server = -1; 40 static int hf_server_type_sql = -1; 41 static int hf_server_type_domain = -1; 42 static int hf_server_type_backup = -1; 43 static int hf_server_type_time = -1; 44 static int hf_server_type_apple = -1; 45 static int hf_server_type_novell = -1; 46 static int hf_server_type_member = -1; 47 static int hf_server_type_print = -1; 48 static int hf_server_type_dialin = -1; 49 static int hf_server_type_xenix = -1; 50 static int hf_server_type_ntw = -1; 51 static int hf_server_type_wfw = -1; 52 static int hf_server_type_nts = -1; 53 static int hf_server_type_potentialb = -1; 54 static int hf_server_type_backupb = -1; 55 static int hf_server_type_masterb = -1; 56 static int hf_server_type_domainmasterb = -1; 57 static int hf_server_type_osf = -1; 58 static int hf_server_type_vms = -1; 59 static int hf_server_type_w95 = -1; 60 static int hf_server_type_dfs = -1; 61 static int hf_server_type_local = -1; 62 static int hf_server_type_domainenum = -1; 63 static int hf_election_version = -1; 64 static int hf_proto_major = -1; 65 static int hf_proto_minor = -1; 66 static int hf_sig_const = -1; 67 static int hf_server_comment = -1; 68 static int hf_unused_flags = -1; 69 static int hf_response_computer_name = -1; 70 static int hf_election_criteria = -1; 71 static int hf_election_desire = -1; 72 static int hf_election_desire_flags_backup = -1; 73 static int hf_election_desire_flags_standby = -1; 74 static int hf_election_desire_flags_master = -1; 75 static int hf_election_desire_flags_domain_master = -1; 76 static int hf_election_desire_flags_wins = -1; 77 static int hf_election_desire_flags_nt = -1; 78 /* static int hf_election_revision = -1; */ 79 static int hf_election_os = -1; 80 static int hf_election_os_wfw = -1; 81 static int hf_election_os_ntw = -1; 82 static int hf_election_os_nts = -1; 83 static int hf_server_uptime = -1; 84 static int hf_backup_count = -1; 85 static int hf_backup_token = -1; 86 static int hf_backup_server = -1; 87 static int hf_browser_to_promote = -1; 88 static int hf_windows_version = -1; 89 static int hf_mysterious_field = -1; 90 91 static gint ett_browse = -1; 92 static gint ett_browse_flags = -1; 93 static gint ett_browse_election_criteria = -1; 94 static gint ett_browse_election_os = -1; 95 static gint ett_browse_election_desire = -1; 96 static gint ett_browse_reset_cmd_flags = -1; 97 98 #define SERVER_WORKSTATION 0 99 #define SERVER_SERVER 1 100 #define SERVER_SQL_SERVER 2 101 #define SERVER_DOMAIN_CONTROLLER 3 102 #define SERVER_BACKUP_CONTROLLER 4 103 #define SERVER_TIME_SOURCE 5 104 #define SERVER_APPLE_SERVER 6 105 #define SERVER_NOVELL_SERVER 7 106 #define SERVER_DOMAIN_MEMBER_SERVER 8 107 #define SERVER_PRINT_QUEUE_SERVER 9 108 #define SERVER_DIALIN_SERVER 10 109 #define SERVER_XENIX_SERVER 11 110 #define SERVER_NT_WORKSTATION 12 111 #define SERVER_WINDOWS_FOR_WORKGROUPS 13 112 #define SERVER_NT_SERVER 15 113 #define SERVER_POTENTIAL_BROWSER 16 114 #define SERVER_BACKUP_BROWSER 17 115 #define SERVER_MASTER_BROWSER 18 116 #define SERVER_DOMAIN_MASTER_BROWSER 19 117 #define SERVER_OSF 20 118 #define SERVER_VMS 21 119 #define SERVER_WINDOWS_95 22 120 #define SERVER_DFS_SERVER 23 121 #define SERVER_LOCAL_LIST_ONLY 30 122 #define SERVER_DOMAIN_ENUM 31 123 124 static const value_string server_types[] = { 125 {SERVER_WORKSTATION, "Workstation"}, 126 {SERVER_SERVER, "Server"}, 127 {SERVER_SQL_SERVER, "SQL Server"}, 128 {SERVER_DOMAIN_CONTROLLER, "Domain Controller"}, 129 {SERVER_BACKUP_CONTROLLER, "Backup Controller"}, 130 {SERVER_TIME_SOURCE, "Time Source"}, 131 {SERVER_APPLE_SERVER, "Apple Server"}, 132 {SERVER_NOVELL_SERVER, "Novell Server"}, 133 {SERVER_DOMAIN_MEMBER_SERVER, "Domain Member Server"}, 134 {SERVER_PRINT_QUEUE_SERVER, "Print Queue Server"}, 135 {SERVER_DIALIN_SERVER, "Dialin Server"}, 136 {SERVER_XENIX_SERVER, "Xenix Server"}, 137 {SERVER_NT_WORKSTATION, "NT Workstation"}, 138 {SERVER_WINDOWS_FOR_WORKGROUPS, "Windows for Workgroups"}, 139 {SERVER_NT_SERVER, "NT Server"}, 140 {SERVER_POTENTIAL_BROWSER, "Potential Browser"}, 141 {SERVER_BACKUP_BROWSER, "Backup Browser"}, 142 {SERVER_MASTER_BROWSER, "Master Browser"}, 143 {SERVER_DOMAIN_MASTER_BROWSER, "Domain Master Browser"}, 144 {SERVER_OSF, "OSF"}, 145 {SERVER_VMS, "VMS"}, 146 {SERVER_WINDOWS_95, "Windows 95 or above"}, 147 {SERVER_DFS_SERVER, "DFS server"}, 148 {SERVER_LOCAL_LIST_ONLY, "Local List Only"}, 149 {SERVER_DOMAIN_ENUM, "Domain Enum"}, 150 {0, NULL} 151 }; 152 153 #define SET_WINDOWS_VERSION_STRING(os_major_ver, os_minor_ver, windows_version) \ 154 if(os_major_ver == 6 && os_minor_ver == 1) \ 155 windows_version = "Windows 7 or Windows Server 2008 R2"; \ 156 \ 157 else if(os_major_ver == 6 && os_minor_ver == 0) \ 158 windows_version = "Windows Vista or Windows Server 2008"; \ 159 \ 160 else if(os_major_ver == 5 && os_minor_ver == 2) \ 161 windows_version = "Windows Server 2003 R2 or Windows Server 2003"; \ 162 \ 163 else if(os_major_ver == 5 && os_minor_ver == 1) \ 164 windows_version = "Windows XP"; \ 165 \ 166 else if(os_major_ver == 5 && os_minor_ver == 0) \ 167 windows_version = "Windows 2000"; \ 168 \ 169 else \ 170 windows_version = ""; 171 172 static const value_string resetbrowserstate_command_names[] = { 173 { 0x01, "Stop being a master browser and become a backup browser"}, 174 { 0x02, "Discard browse lists, stop being a master browser, and try again"}, 175 { 0x04, "Stop being a master browser for ever"}, 176 { 0, NULL} 177 }; 178 179 static true_false_string tfs_demote_to_backup = { 180 "Demote an LMB to a Backup Browser", 181 "Do not demote an LMB to a Backup Browser" 182 }; 183 184 static true_false_string tfs_flush_browse_list = { 185 "Flush the Browse List", 186 "Do not Flush the Browse List" 187 }; 188 189 static true_false_string tfs_stop_being_lmb = { 190 "Stop Being a Local Master Browser", 191 "Do not Stop Being a Local Master Browser" 192 }; 193 194 static const true_false_string tfs_workstation = { 195 "This is a Workstation", 196 "This is NOT a Workstation" 197 }; 198 static const true_false_string tfs_server = { 199 "This is a Server", 200 "This is NOT a Server" 201 }; 202 static const true_false_string tfs_sql = { 203 "This is an SQL server", 204 "This is NOT an SQL server" 205 }; 206 static const true_false_string tfs_domain = { 207 "This is a Domain Controller", 208 "This is NOT a Domain Controller" 209 }; 210 static const true_false_string tfs_backup = { 211 "This is a Backup Controller", 212 "This is NOT a Backup Controller" 213 }; 214 static const true_false_string tfs_time = { 215 "This is a Time Source", 216 "This is NOT a Time Source" 217 }; 218 static const true_false_string tfs_apple = { 219 "This is an Apple host", 220 "This is NOT an Apple host" 221 }; 222 static const true_false_string tfs_novell = { 223 "This is a Novell server", 224 "This is NOT a Novell server" 225 }; 226 static const true_false_string tfs_member = { 227 "This is a Domain Member server", 228 "This is NOT a Domain Member server" 229 }; 230 static const true_false_string tfs_print = { 231 "This is a Print Queue server", 232 "This is NOT a Print Queue server" 233 }; 234 static const true_false_string tfs_dialin = { 235 "This is a Dialin server", 236 "This is NOT a Dialin server" 237 }; 238 static const true_false_string tfs_xenix = { 239 "This is a Xenix server", 240 "This is NOT a Xenix server" 241 }; 242 static const true_false_string tfs_ntw = { 243 "This is an NT Workstation", 244 "This is NOT an NT Workstation" 245 }; 246 static const true_false_string tfs_wfw = { 247 "This is a WfW host", 248 "This is NOT a WfW host" 249 }; 250 static const true_false_string tfs_nts = { 251 "This is an NT Server", 252 "This is NOT an NT Server" 253 }; 254 static const true_false_string tfs_potentialb = { 255 "This is a Potential Browser", 256 "This is NOT a Potential Browser" 257 }; 258 static const true_false_string tfs_backupb = { 259 "This is a Backup Browser", 260 "This is NOT a Backup Browser" 261 }; 262 static const true_false_string tfs_masterb = { 263 "This is a Master Browser", 264 "This is NOT a Master Browser" 265 }; 266 static const true_false_string tfs_domainmasterb = { 267 "This is a Domain Master Browser", 268 "This is NOT a Domain Master Browser" 269 }; 270 static const true_false_string tfs_osf = { 271 "This is an OSF host", 272 "This is NOT an OSF host" 273 }; 274 static const true_false_string tfs_vms = { 275 "This is a VMS host", 276 "This is NOT a VMS host" 277 }; 278 static const true_false_string tfs_w95 = { 279 "This is a Windows 95 or above host", 280 "This is NOT a Windows 95 or above host" 281 }; 282 static const true_false_string tfs_dfs = { 283 "This is a DFS server", 284 "THis is NOT a DFS server" 285 }; 286 static const true_false_string tfs_local = { 287 "This is a local list only request", 288 "This is NOT a local list only request" 289 }; 290 static const true_false_string tfs_domainenum = { 291 "This is a Domain Enum request", 292 "This is NOT a Domain Enum request" 293 }; 294 295 #define DESIRE_BACKUP 0 296 #define DESIRE_STANDBY 1 297 #define DESIRE_MASTER 2 298 #define DESIRE_DOMAIN_MASTER 3 299 #define DESIRE_WINS 5 300 #define DESIRE_NT 7 301 302 static const true_false_string tfs_desire_backup = { 303 "Backup Browse Server", 304 "NOT Backup Browse Server" 305 }; 306 static const true_false_string tfs_desire_standby = { 307 "Standby Browse Server", 308 "NOT Standby Browse Server" 309 }; 310 static const true_false_string tfs_desire_master = { 311 "Master Browser", 312 "NOT Master Browser" 313 }; 314 static const true_false_string tfs_desire_domain_master = { 315 "Domain Master Browse Server", 316 "NOT Domain Master Browse Server" 317 }; 318 static const true_false_string tfs_desire_wins = { 319 "WINS Client", 320 "NOT WINS Client" 321 }; 322 static const true_false_string tfs_desire_nt = { 323 "Windows NT Advanced Server", 324 "NOT Windows NT Advanced Server" 325 }; 326 327 #define BROWSE_HOST_ANNOUNCE 1 328 #define BROWSE_REQUEST_ANNOUNCE 2 329 #define BROWSE_ELECTION_REQUEST 8 330 #define BROWSE_BACKUP_LIST_REQUEST 9 331 #define BROWSE_BACKUP_LIST_RESPONSE 10 332 #define BROWSE_BECOME_BACKUP 11 333 #define BROWSE_DOMAIN_ANNOUNCEMENT 12 334 #define BROWSE_MASTER_ANNOUNCEMENT 13 335 #define BROWSE_RESETBROWSERSTATE_ANNOUNCEMENT 14 336 #define BROWSE_LOCAL_MASTER_ANNOUNCEMENT 15 337 338 static const value_string commands[] = { 339 {BROWSE_HOST_ANNOUNCE, "Host Announcement"}, 340 {BROWSE_REQUEST_ANNOUNCE, "Request Announcement"}, 341 {BROWSE_ELECTION_REQUEST, "Browser Election Request"}, 342 {BROWSE_BACKUP_LIST_REQUEST, "Get Backup List Request"}, 343 {BROWSE_BACKUP_LIST_RESPONSE, "Get Backup List Response"}, 344 {BROWSE_BECOME_BACKUP, "Become Backup Browser"}, 345 {BROWSE_DOMAIN_ANNOUNCEMENT, "Domain/Workgroup Announcement"}, 346 {BROWSE_MASTER_ANNOUNCEMENT, "Master Announcement"}, 347 {BROWSE_RESETBROWSERSTATE_ANNOUNCEMENT, "Reset Browser State Announcement"}, 348 {BROWSE_LOCAL_MASTER_ANNOUNCEMENT, "Local Master Announcement"}, 349 {0, NULL} 350 }; 351 352 #define OS_WFW 0 353 #define OS_NTW 4 354 #define OS_NTS 5 355 356 static const true_false_string tfs_os_wfw = { 357 "Windows for Workgroups", 358 "Not Windows for Workgroups" 359 }; 360 static const true_false_string tfs_os_ntw = { 361 "Windows NT Workstation", 362 "Not Windows NT Workstation" 363 }; 364 static const true_false_string tfs_os_nts = { 365 "Windows NT Server", 366 "Not Windows NT Server" 367 }; 368 369 static void 370 dissect_election_criterion_os(tvbuff_t *tvb, proto_tree *parent_tree, int offset) 371 { 372 static int * const flags[] = { 373 &hf_election_os_wfw, 374 &hf_election_os_ntw, 375 &hf_election_os_nts, 376 NULL 377 }; 378 379 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_election_os, ett_browse_election_os, flags, ENC_NA); 380 } 381 382 static void 383 dissect_election_criterion_desire(tvbuff_t *tvb, proto_tree *parent_tree, int offset) 384 { 385 static int * const flags[] = { 386 &hf_election_desire_flags_backup, 387 &hf_election_desire_flags_standby, 388 &hf_election_desire_flags_master, 389 &hf_election_desire_flags_domain_master, 390 &hf_election_desire_flags_wins, 391 &hf_election_desire_flags_nt, 392 NULL 393 }; 394 395 proto_tree_add_bitmask(parent_tree, tvb, offset, hf_election_desire, ett_browse_election_desire, flags, ENC_NA); 396 } 397 398 static void 399 dissect_election_criterion(tvbuff_t *tvb, proto_tree *parent_tree, int offset) 400 { 401 proto_tree *tree = NULL; 402 proto_item *item = NULL; 403 guint32 criterion; 404 405 criterion = tvb_get_letohl(tvb, offset); 406 407 if (parent_tree) { 408 item = proto_tree_add_uint(parent_tree, hf_election_criteria, tvb, offset, 4, criterion); 409 tree = proto_item_add_subtree(item, ett_browse_election_criteria); 410 } 411 412 /* election desire */ 413 dissect_election_criterion_desire(tvb, tree, offset); 414 offset += 1; 415 416 /* browser protocol major version */ 417 proto_tree_add_item(tree, hf_proto_major, tvb, offset, 1, ENC_LITTLE_ENDIAN); 418 offset += 1; 419 420 /* browser protocol minor version */ 421 proto_tree_add_item(tree, hf_proto_minor, tvb, offset, 1, ENC_LITTLE_ENDIAN); 422 offset += 1; 423 424 /* election os */ 425 dissect_election_criterion_os(tvb, tree, offset); 426 427 } 428 429 /* 430 * XXX - this causes non-browser packets to have browser fields. 431 */ 432 int 433 dissect_smb_server_type_flags(tvbuff_t *tvb, int offset, packet_info *pinfo, 434 proto_tree *parent_tree, guint8 *drep, 435 gboolean infoflag) 436 { 437 guint32 flags; 438 int i; 439 440 static int * const type_flags[] = { 441 &hf_server_type_workstation, 442 &hf_server_type_server, 443 &hf_server_type_sql, 444 &hf_server_type_domain, 445 &hf_server_type_backup, 446 &hf_server_type_time, 447 &hf_server_type_apple, 448 &hf_server_type_novell, 449 &hf_server_type_member, 450 &hf_server_type_print, 451 &hf_server_type_dialin, 452 &hf_server_type_xenix, 453 &hf_server_type_ntw, 454 &hf_server_type_wfw, 455 &hf_server_type_nts, 456 &hf_server_type_potentialb, 457 &hf_server_type_backupb, 458 &hf_server_type_masterb, 459 &hf_server_type_domainmasterb, 460 &hf_server_type_osf, 461 &hf_server_type_vms, 462 &hf_server_type_w95, 463 &hf_server_type_dfs, 464 &hf_server_type_local, 465 &hf_server_type_domainenum, 466 NULL 467 }; 468 469 if (drep != NULL) { 470 /* 471 * Called from a DCE RPC protocol dissector, for a 472 * protocol where a 32-bit NDR integer contains 473 * an server type mask; extract the server type mask 474 * with an NDR call (but don't put it into the 475 * protocol tree, as we can't get a pointer to the 476 * item it puts in, and thus can't put a tree below 477 * it with the values of the individual bits). 478 */ 479 offset = dissect_ndr_uint32( 480 tvb, offset, pinfo, NULL, NULL, drep, hf_server_type, &flags); 481 } else { 482 /* 483 * Called from SMB browser or RAP, where the server type 484 * mask is just a 4-byte little-endian quantity with no 485 * special NDR alignment requirement; extract it with 486 * "tvb_get_letohl()". 487 */ 488 flags = tvb_get_letohl(tvb, offset); 489 offset += 4; 490 } 491 492 if (infoflag) { 493 /* Append the type(s) of the system to the COL_INFO line ... */ 494 for (i = 0; i < 32; i++) { 495 if (flags & (1U<<i)) { 496 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s", 497 val_to_str(i, server_types, 498 "Unknown server type:%d")); 499 } 500 } 501 } 502 503 proto_tree_add_bitmask_value(parent_tree, tvb, offset-4, 504 hf_server_type, ett_browse_flags, type_flags, flags); 505 506 return offset; 507 } 508 509 #define HOST_NAME_LEN 16 510 511 static int 512 dissect_mailslot_browse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void* data _U_) 513 { 514 int offset = 0; 515 guint8 cmd; 516 proto_tree *tree = NULL; 517 proto_item *item = NULL; 518 guint32 periodicity; 519 guint8 *host_name; 520 gint namelen; 521 guint8 server_count; 522 guint8 os_major_ver, os_minor_ver; 523 const gchar *windows_version; 524 int i; 525 guint32 uptime; 526 527 col_set_str(pinfo->cinfo, COL_PROTOCOL, "BROWSER"); 528 col_clear(pinfo->cinfo, COL_INFO); 529 530 cmd = tvb_get_guint8(tvb, offset); 531 532 /* Put in something, and replace it later */ 533 col_add_str(pinfo->cinfo, COL_INFO, val_to_str(cmd, commands, "Unknown command:0x%02x")); 534 535 536 item = proto_tree_add_item(parent_tree, proto_smb_browse, tvb, offset, -1, ENC_NA); 537 tree = proto_item_add_subtree(item, ett_browse); 538 539 /* command */ 540 proto_tree_add_uint(tree, hf_command, tvb, offset, 1, cmd); 541 offset += 1; 542 543 switch (cmd) { 544 case BROWSE_DOMAIN_ANNOUNCEMENT: 545 case BROWSE_LOCAL_MASTER_ANNOUNCEMENT: 546 case BROWSE_HOST_ANNOUNCE: { 547 /* update count */ 548 proto_tree_add_item(tree, hf_update_count, tvb, offset, 1, ENC_LITTLE_ENDIAN); 549 offset += 1; 550 551 /* periodicity (in milliseconds) */ 552 periodicity = tvb_get_letohl(tvb, offset); 553 proto_tree_add_uint_format_value(tree, hf_periodicity, tvb, offset, 4, 554 periodicity, 555 "%s", 556 signed_time_msecs_to_str(pinfo->pool, periodicity)); 557 offset += 4; 558 559 /* server name */ 560 host_name = tvb_get_stringzpad(pinfo->pool, tvb, offset, HOST_NAME_LEN, ENC_CP437|ENC_NA); 561 col_append_fstr(pinfo->cinfo, COL_INFO, " %s", host_name); 562 proto_tree_add_string_format(tree, hf_server_name, 563 tvb, offset, HOST_NAME_LEN, 564 host_name, 565 (cmd==BROWSE_DOMAIN_ANNOUNCEMENT)? 566 "Domain/Workgroup: %s": 567 "Host Name: %s", 568 host_name); 569 offset += HOST_NAME_LEN; 570 571 /* Windows version (See "OSVERSIONINFO Structure" on MSDN) */ 572 os_major_ver = tvb_get_guint8(tvb, offset); 573 os_minor_ver = tvb_get_guint8(tvb, offset+1); 574 575 SET_WINDOWS_VERSION_STRING(os_major_ver, os_minor_ver, windows_version); 576 proto_tree_add_string(tree, hf_windows_version, tvb, offset, 2, windows_version); 577 578 /* OS major version */ 579 proto_tree_add_item(tree, hf_os_major, tvb, offset, 1, ENC_LITTLE_ENDIAN); 580 offset += 1; 581 582 /* OS minor version */ 583 proto_tree_add_item(tree, hf_os_minor, tvb, offset, 1, ENC_LITTLE_ENDIAN); 584 offset += 1; 585 586 /* server type flags */ 587 offset = dissect_smb_server_type_flags( 588 tvb, offset, pinfo, tree, NULL, TRUE); 589 590 if (cmd == BROWSE_DOMAIN_ANNOUNCEMENT && tvb_get_letohs (tvb, offset + 2) != 0xAA55) { 591 /* 592 * Network Monitor claims this is a "Comment 593 * Pointer". I don't believe it. 594 * 595 * It's not a browser protocol major/minor 596 * version number, and signature constant, 597 * however. 598 */ 599 proto_tree_add_item(tree, hf_mysterious_field, tvb, offset, 4, ENC_LITTLE_ENDIAN); 600 offset += 4; 601 } else { 602 /* browser protocol major version */ 603 proto_tree_add_item(tree, hf_proto_major, tvb, offset, 1, ENC_LITTLE_ENDIAN); 604 offset += 1; 605 606 /* browser protocol minor version */ 607 proto_tree_add_item(tree, hf_proto_minor, tvb, offset, 1, ENC_LITTLE_ENDIAN); 608 offset += 1; 609 610 /* signature constant */ 611 proto_tree_add_item(tree, hf_sig_const, tvb, offset, 2, ENC_LITTLE_ENDIAN); 612 offset += 2; 613 } 614 615 /* master browser server name or server comment */ 616 namelen = tvb_strsize(tvb, offset); 617 proto_tree_add_item(tree, 618 (cmd==BROWSE_DOMAIN_ANNOUNCEMENT)? 619 hf_mb_server_name : hf_server_comment, 620 tvb, offset, namelen, ENC_ASCII|ENC_NA); 621 break; 622 } 623 case BROWSE_REQUEST_ANNOUNCE: { 624 guint8 *computer_name; 625 626 /* unused/unknown flags */ 627 proto_tree_add_item(tree, hf_unused_flags, 628 tvb, offset, 1, ENC_LITTLE_ENDIAN); 629 offset += 1; 630 631 /* name of computer to which to send reply */ 632 computer_name = tvb_get_stringz_enc(pinfo->pool, tvb, offset, &namelen, ENC_ASCII); 633 proto_tree_add_string(tree, hf_response_computer_name, 634 tvb, offset, namelen, computer_name); 635 col_append_fstr(pinfo->cinfo, COL_INFO, " %s", computer_name); 636 break; 637 } 638 639 case BROWSE_ELECTION_REQUEST: 640 /* election version */ 641 proto_tree_add_item(tree, hf_election_version, tvb, offset, 1, ENC_LITTLE_ENDIAN); 642 offset += 1; 643 644 /* criterion */ 645 dissect_election_criterion(tvb, tree, offset); 646 offset += 4; 647 648 /* server uptime */ 649 uptime = tvb_get_letohl(tvb, offset); 650 proto_tree_add_uint_format_value(tree, hf_server_uptime, 651 tvb, offset, 4, uptime, 652 "%s", 653 signed_time_msecs_to_str(pinfo->pool, uptime)); 654 offset += 4; 655 656 /* next 4 bytes must be zero */ 657 offset += 4; 658 659 /* server name */ 660 namelen = tvb_strsize(tvb, offset); 661 proto_tree_add_item(tree, hf_server_name, 662 tvb, offset, namelen, ENC_ASCII|ENC_NA); 663 break; 664 665 case BROWSE_BACKUP_LIST_REQUEST: 666 /* backup list requested count */ 667 proto_tree_add_item(tree, hf_backup_count, tvb, offset, 1, ENC_LITTLE_ENDIAN); 668 offset += 1; 669 670 /* backup requested token */ 671 proto_tree_add_item(tree, hf_backup_token, tvb, offset, 4, ENC_LITTLE_ENDIAN); 672 break; 673 674 case BROWSE_BACKUP_LIST_RESPONSE: 675 /* backup list requested count */ 676 server_count = tvb_get_guint8(tvb, offset); 677 proto_tree_add_uint(tree, hf_backup_count, tvb, offset, 1, 678 server_count); 679 offset += 1; 680 681 /* backup requested token */ 682 proto_tree_add_item(tree, hf_backup_token, tvb, offset, 4, ENC_LITTLE_ENDIAN); 683 offset += 4; 684 685 /* backup server names */ 686 for (i = 0; i < server_count; i++) { 687 namelen = tvb_strsize(tvb, offset); 688 proto_tree_add_item(tree, hf_backup_server, 689 tvb, offset, namelen, ENC_ASCII|ENC_NA); 690 offset += namelen; 691 } 692 break; 693 694 case BROWSE_MASTER_ANNOUNCEMENT: 695 /* master browser server name */ 696 namelen = tvb_strsize(tvb, offset); 697 proto_tree_add_item(tree, hf_mb_server_name, 698 tvb, offset, namelen, ENC_ASCII|ENC_NA); 699 break; 700 701 case BROWSE_RESETBROWSERSTATE_ANNOUNCEMENT: { 702 static int * const flags[] = { 703 &hf_mb_reset_demote, 704 &hf_mb_reset_flush, 705 &hf_mb_reset_stop, 706 NULL 707 }; 708 709 proto_tree_add_bitmask(tree, tvb, offset, hf_mb_reset_command, ett_browse_reset_cmd_flags, flags, ENC_NA); 710 break; 711 } 712 713 case BROWSE_BECOME_BACKUP: 714 /* name of browser to promote */ 715 namelen = tvb_strsize(tvb, offset); 716 proto_tree_add_item(tree, hf_browser_to_promote, 717 tvb, offset, namelen, ENC_ASCII|ENC_NA); 718 break; 719 } 720 return tvb_captured_length(tvb); 721 } 722 723 /* 724 * It appears that browser announcements sent to \MAILSLOT\LANMAN aren't 725 * the same as browser announcements sent to \MAILSLOT\BROWSE. 726 * Was that an older version of the protocol? 727 * 728 * The document at 729 * 730 * http://www.samba.org/samba/ftp/specs/brow_rev.txt 731 * 732 * gives both formats of host announcement packets, saying that 733 * "[The first] format seems wrong", that one being what appears to 734 * show up in \MAILSLOT\LANMAN packets, and that "[The second one] 735 * may be better", that one being what appears to show up in 736 * \MAILSLOT\BROWSE packets. 737 * 738 * XXX - what other browser packets go out to that mailslot? 739 */ 740 static int 741 dissect_mailslot_lanman(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void* data _U_) 742 { 743 int offset = 0; 744 guint8 cmd; 745 proto_tree *tree; 746 proto_item *item; 747 guint32 periodicity; 748 const guint8 *host_name; 749 guint8 os_major_ver, os_minor_ver; 750 const gchar *windows_version; 751 guint namelen; 752 753 col_set_str(pinfo->cinfo, COL_PROTOCOL, "BROWSER"); 754 col_clear(pinfo->cinfo, COL_INFO); 755 756 cmd = tvb_get_guint8(tvb, offset); 757 758 /* Put in something, and replace it later */ 759 col_add_str(pinfo->cinfo, COL_INFO, val_to_str(cmd, commands, "Unknown command:0x%02x")); 760 761 item = proto_tree_add_item(parent_tree, proto_smb_browse, tvb, offset, -1, ENC_NA); 762 tree = proto_item_add_subtree(item, ett_browse); 763 764 /* command */ 765 proto_tree_add_uint(tree, hf_command, tvb, offset, 1, cmd); 766 offset += 1; 767 768 switch (cmd) { 769 case BROWSE_DOMAIN_ANNOUNCEMENT: 770 case BROWSE_LOCAL_MASTER_ANNOUNCEMENT: 771 case BROWSE_HOST_ANNOUNCE: 772 /* update count */ 773 proto_tree_add_item(tree, hf_update_count, tvb, offset, 1, ENC_LITTLE_ENDIAN); 774 offset += 1; 775 776 /* server type flags */ 777 offset = dissect_smb_server_type_flags( 778 tvb, offset, pinfo, tree, NULL, TRUE); 779 780 /* OS version string (See "OSVERSIONINFO Structure" on MSDN) */ 781 os_major_ver = tvb_get_guint8(tvb, offset); 782 os_minor_ver = tvb_get_guint8(tvb, offset+1); 783 784 SET_WINDOWS_VERSION_STRING(os_major_ver, os_minor_ver, windows_version); 785 proto_tree_add_string(tree, hf_windows_version, tvb, offset, 2, windows_version); 786 787 /* OS major version */ 788 proto_tree_add_item(tree, hf_os_major, tvb, offset, 1, ENC_LITTLE_ENDIAN); 789 offset += 1; 790 791 /* OS minor version */ 792 proto_tree_add_item(tree, hf_os_minor, tvb, offset, 1, ENC_LITTLE_ENDIAN); 793 offset += 1; 794 795 /* periodicity (in seconds; convert to milliseconds) */ 796 periodicity = tvb_get_letohs(tvb, offset)*1000; 797 proto_tree_add_uint_format_value(tree, hf_periodicity, tvb, offset, 2, 798 periodicity, 799 "%s", 800 signed_time_msecs_to_str(pinfo->pool, periodicity)); 801 offset += 2; 802 803 /* server name */ 804 host_name = tvb_get_stringz_enc(pinfo->pool, tvb, offset, &namelen, ENC_CP437|ENC_NA); 805 col_append_fstr(pinfo->cinfo, COL_INFO, " %s", host_name); 806 807 proto_tree_add_item(tree, hf_server_name, 808 tvb, offset, namelen, ENC_ASCII|ENC_NA); 809 offset += namelen; 810 811 /* master browser server name or server comment */ 812 namelen = tvb_strsize(tvb, offset); 813 proto_tree_add_item(tree, 814 (cmd==BROWSE_DOMAIN_ANNOUNCEMENT)? 815 hf_mb_server_name : hf_server_comment, 816 tvb, offset, namelen, ENC_CP437|ENC_NA); 817 break; 818 } 819 return tvb_captured_length(tvb); 820 } 821 822 void 823 proto_register_smb_browse(void) 824 { 825 static hf_register_info hf[] = { 826 { &hf_command, 827 { "Command", "browser.command", FT_UINT8, BASE_HEX, 828 VALS(commands), 0, "Browse command opcode", HFILL }}, 829 830 { &hf_update_count, 831 { "Update Count", "browser.update_count", FT_UINT8, BASE_DEC, 832 NULL, 0, "Browse Update Count", HFILL }}, 833 834 { &hf_periodicity, 835 { "Update Periodicity", "browser.period", FT_UINT32, BASE_DEC, 836 NULL, 0, "Update Periodicity in ms", HFILL }}, 837 838 { &hf_server_name, 839 { "Server Name", "browser.server", FT_STRING, BASE_NONE, 840 NULL, 0, "BROWSE Server Name", HFILL }}, 841 842 { &hf_mb_server_name, 843 { "Master Browser Server Name", "browser.mb_server", FT_STRING, BASE_NONE, 844 NULL, 0, "BROWSE Master Browser Server Name", HFILL }}, 845 846 { &hf_mb_reset_command, 847 { "ResetBrowserState Command", "browser.reset_cmd", FT_UINT8, 848 BASE_HEX, VALS(resetbrowserstate_command_names), 0, 849 NULL, HFILL }}, 850 { &hf_mb_reset_demote, 851 { "Demote LMB", "browser.reset_cmd.demote", FT_BOOLEAN, 852 8, TFS(&tfs_demote_to_backup), 0x01, NULL, HFILL}}, 853 { &hf_mb_reset_flush, 854 { "Flush Browse List", "browser.reset_cmd.flush", FT_BOOLEAN, 855 8, TFS(&tfs_flush_browse_list), 0x02, NULL, HFILL}}, 856 { &hf_mb_reset_stop, 857 { "Stop Being LMB", "browser.reset_cmd.stop_lmb", FT_BOOLEAN, 858 8, TFS(&tfs_stop_being_lmb), 0x04, NULL, HFILL}}, 859 { &hf_os_major, 860 { "OS Major Version", "browser.os_major", FT_UINT8, BASE_DEC, 861 NULL, 0, "Operating System Major Version", HFILL }}, 862 863 { &hf_os_minor, 864 { "OS Minor Version", "browser.os_minor", FT_UINT8, BASE_DEC, 865 NULL, 0, "Operating System Minor Version", HFILL }}, 866 867 { &hf_server_type, 868 { "Server Type", "browser.server_type", FT_UINT32, BASE_HEX, 869 NULL, 0, "Server Type Flags", HFILL }}, 870 871 { &hf_server_type_workstation, 872 { "Workstation", "browser.server_type.workstation", FT_BOOLEAN, 32, 873 TFS(&tfs_workstation), 1U<<SERVER_WORKSTATION, "Is This A Workstation?", HFILL }}, 874 875 { &hf_server_type_server, 876 { "Server", "browser.server_type.server", FT_BOOLEAN, 32, 877 TFS(&tfs_server), 1U<<SERVER_SERVER, "Is This A Server?", HFILL }}, 878 879 { &hf_server_type_sql, 880 { "SQL", "browser.server_type.sql", FT_BOOLEAN, 32, 881 TFS(&tfs_sql), 1U<<SERVER_SQL_SERVER, "Is This A SQL Server?", HFILL }}, 882 883 { &hf_server_type_domain, 884 { "Domain Controller", "browser.server_type.domain_controller", FT_BOOLEAN, 32, 885 TFS(&tfs_domain), 1U<<SERVER_DOMAIN_CONTROLLER, "Is This A Domain Controller?", HFILL }}, 886 887 { &hf_server_type_backup, 888 { "Backup Controller", "browser.server_type.backup_controller", FT_BOOLEAN, 32, 889 TFS(&tfs_backup), 1U<<SERVER_BACKUP_CONTROLLER, "Is This A Backup Domain Controller?", HFILL }}, 890 891 { &hf_server_type_time, 892 { "Time Source", "browser.server_type.time", FT_BOOLEAN, 32, 893 TFS(&tfs_time), 1U<<SERVER_TIME_SOURCE, "Is This A Time Source?", HFILL }}, 894 895 { &hf_server_type_apple, 896 { "Apple", "browser.server_type.apple", FT_BOOLEAN, 32, 897 TFS(&tfs_apple), 1U<<SERVER_APPLE_SERVER, "Is This An Apple Server ?", HFILL }}, 898 899 { &hf_server_type_novell, 900 { "Novell", "browser.server_type.novell", FT_BOOLEAN, 32, 901 TFS(&tfs_novell), 1U<<SERVER_NOVELL_SERVER, "Is This A Novell Server?", HFILL }}, 902 903 { &hf_server_type_member, 904 { "Member", "browser.server_type.member", FT_BOOLEAN, 32, 905 TFS(&tfs_member), 1U<<SERVER_DOMAIN_MEMBER_SERVER, "Is This A Domain Member Server?", HFILL }}, 906 907 { &hf_server_type_print, 908 { "Print", "browser.server_type.print", FT_BOOLEAN, 32, 909 TFS(&tfs_print), 1U<<SERVER_PRINT_QUEUE_SERVER, "Is This A Print Server?", HFILL }}, 910 911 { &hf_server_type_dialin, 912 { "Dialin", "browser.server_type.dialin", FT_BOOLEAN, 32, 913 TFS(&tfs_dialin), 1U<<SERVER_DIALIN_SERVER, "Is This A Dialin Server?", HFILL }}, 914 915 { &hf_server_type_xenix, 916 { "Xenix", "browser.server_type.xenix", FT_BOOLEAN, 32, 917 TFS(&tfs_xenix), 1U<<SERVER_XENIX_SERVER, "Is This A Xenix Server?", HFILL }}, 918 919 { &hf_server_type_ntw, 920 { "NT Workstation", "browser.server_type.ntw", FT_BOOLEAN, 32, 921 TFS(&tfs_ntw), 1U<<SERVER_NT_WORKSTATION, "Is This A NT Workstation?", HFILL }}, 922 923 { &hf_server_type_wfw, 924 { "WfW", "browser.server_type.wfw", FT_BOOLEAN, 32, 925 TFS(&tfs_wfw), 1U<<SERVER_WINDOWS_FOR_WORKGROUPS, "Is This A Windows For Workgroups Server?", HFILL }}, 926 927 { &hf_server_type_nts, 928 { "NT Server", "browser.server_type.nts", FT_BOOLEAN, 32, 929 TFS(&tfs_nts), 1U<<SERVER_NT_SERVER, "Is This A NT Server?", HFILL }}, 930 931 { &hf_server_type_potentialb, 932 { "Potential Browser", "browser.server_type.browser.potential", FT_BOOLEAN, 32, 933 TFS(&tfs_potentialb), 1U<<SERVER_POTENTIAL_BROWSER, "Is This A Potential Browser?", HFILL }}, 934 935 { &hf_server_type_backupb, 936 { "Backup Browser", "browser.server_type.browser.backup", FT_BOOLEAN, 32, 937 TFS(&tfs_backupb), 1U<<SERVER_BACKUP_BROWSER, "Is This A Backup Browser?", HFILL }}, 938 939 { &hf_server_type_masterb, 940 { "Master Browser", "browser.server_type.browser.master", FT_BOOLEAN, 32, 941 TFS(&tfs_masterb), 1U<<SERVER_MASTER_BROWSER, "Is This A Master Browser?", HFILL }}, 942 943 { &hf_server_type_domainmasterb, 944 { "Domain Master Browser", "browser.server_type.browser.domain_master", FT_BOOLEAN, 32, 945 TFS(&tfs_domainmasterb), 1U<<SERVER_DOMAIN_MASTER_BROWSER, "Is This A Domain Master Browser?", HFILL }}, 946 947 { &hf_server_type_osf, 948 { "OSF", "browser.server_type.osf", FT_BOOLEAN, 32, 949 TFS(&tfs_osf), 1U<<SERVER_OSF, "Is This An OSF server ?", HFILL }}, 950 951 { &hf_server_type_vms, 952 { "VMS", "browser.server_type.vms", FT_BOOLEAN, 32, 953 TFS(&tfs_vms), 1U<<SERVER_VMS, "Is This A VMS Server?", HFILL }}, 954 955 { &hf_server_type_w95, 956 { "Windows 95+", "browser.server_type.w95", FT_BOOLEAN, 32, 957 TFS(&tfs_w95), 1U<<SERVER_WINDOWS_95, "Is This A Windows 95 or above server?", HFILL }}, 958 959 { &hf_server_type_dfs, 960 { "DFS", "browser.server_type.dfs", FT_BOOLEAN, 32, 961 TFS(&tfs_dfs), 1U<<SERVER_DFS_SERVER, "Is This A DFS server?", HFILL }}, 962 963 { &hf_server_type_local, 964 { "Local", "browser.server_type.local", FT_BOOLEAN, 32, 965 TFS(&tfs_local), 1U<<SERVER_LOCAL_LIST_ONLY, "Is This A Local List Only request?", HFILL }}, 966 967 { &hf_server_type_domainenum, 968 { "Domain Enum", "browser.server_type.domainenum", FT_BOOLEAN, 32, 969 TFS(&tfs_domainenum), 1U<<SERVER_DOMAIN_ENUM, "Is This A Domain Enum request?", HFILL }}, 970 971 { &hf_election_version, 972 { "Election Version", "browser.election.version", FT_UINT8, BASE_DEC, 973 NULL, 0, NULL, HFILL }}, 974 975 { &hf_proto_major, 976 { "Browser Protocol Major Version", "browser.proto_major", FT_UINT8, BASE_DEC, 977 NULL, 0, NULL, HFILL }}, 978 979 { &hf_proto_minor, 980 { "Browser Protocol Minor Version", "browser.proto_minor", FT_UINT8, BASE_DEC, 981 NULL, 0, NULL, HFILL }}, 982 983 { &hf_sig_const, 984 { "Signature", "browser.sig", FT_UINT16, BASE_HEX, 985 NULL, 0, "Signature Constant", HFILL }}, 986 987 { &hf_server_comment, 988 { "Host Comment", "browser.comment", FT_STRINGZ, BASE_NONE, 989 NULL, 0, "Server Comment", HFILL }}, 990 991 { &hf_unused_flags, 992 { "Unused flags", "browser.unused", FT_UINT8, BASE_HEX, 993 NULL, 0, "Unused/unknown flags", HFILL }}, 994 995 { &hf_response_computer_name, 996 { "Response Computer Name", "browser.response_computer_name", FT_STRINGZ, BASE_NONE, 997 NULL, 0, NULL, HFILL }}, 998 999 { &hf_election_criteria, 1000 { "Election Criteria", "browser.election.criteria", FT_UINT32, BASE_HEX, 1001 NULL, 0, NULL, HFILL }}, 1002 1003 { &hf_election_desire, 1004 { "Election Desire", "browser.election.desire", FT_UINT8, BASE_HEX, 1005 NULL, 0, NULL, HFILL }}, 1006 1007 { &hf_election_desire_flags_backup, 1008 { "Backup", "browser.election.desire.backup", FT_BOOLEAN, 8, 1009 TFS(&tfs_desire_backup), 1U<<DESIRE_BACKUP, "Is this a backup server", HFILL }}, 1010 1011 { &hf_election_desire_flags_standby, 1012 { "Standby", "browser.election.desire.standby", FT_BOOLEAN, 8, 1013 TFS(&tfs_desire_standby), 1U<<DESIRE_STANDBY, "Is this a standby server?", HFILL }}, 1014 1015 { &hf_election_desire_flags_master, 1016 { "Master", "browser.election.desire.master", FT_BOOLEAN, 8, 1017 TFS(&tfs_desire_master), 1U<<DESIRE_MASTER, "Is this a master server", HFILL }}, 1018 1019 { &hf_election_desire_flags_domain_master, 1020 { "Domain Master", "browser.election.desire.domain_master", FT_BOOLEAN, 8, 1021 TFS(&tfs_desire_domain_master), 1U<<DESIRE_DOMAIN_MASTER, "Is this a domain master", HFILL }}, 1022 1023 { &hf_election_desire_flags_wins, 1024 { "WINS", "browser.election.desire.wins", FT_BOOLEAN, 8, 1025 TFS(&tfs_desire_wins), 1U<<DESIRE_WINS, "Is this a WINS server", HFILL }}, 1026 1027 { &hf_election_desire_flags_nt, 1028 { "NT", "browser.election.desire.nt", FT_BOOLEAN, 8, 1029 TFS(&tfs_desire_nt), 1U<<DESIRE_NT, "Is this a NT server", HFILL }}, 1030 1031 #if 0 1032 { &hf_election_revision, 1033 { "Election Revision", "browser.election.revision", FT_UINT16, BASE_DEC, 1034 NULL, 0, NULL, HFILL }}, 1035 #endif 1036 1037 { &hf_election_os, 1038 { "Election OS", "browser.election.os", FT_UINT8, BASE_HEX, 1039 NULL, 0, NULL, HFILL }}, 1040 1041 { &hf_election_os_wfw, 1042 { "WfW", "browser.election.os.wfw", FT_BOOLEAN, 8, 1043 TFS(&tfs_os_wfw), 1U<<OS_WFW, "Is this a WfW host?", HFILL }}, 1044 1045 { &hf_election_os_ntw, 1046 { "NT Workstation", "browser.election.os.ntw", FT_BOOLEAN, 8, 1047 TFS(&tfs_os_ntw), 1U<<OS_NTW, "Is this a NT Workstation?", HFILL }}, 1048 1049 { &hf_election_os_nts, 1050 { "NT Server", "browser.election.os.nts", FT_BOOLEAN, 8, 1051 TFS(&tfs_os_nts), 1U<<OS_NTS, "Is this a NT Server?", HFILL }}, 1052 1053 { &hf_server_uptime, 1054 { "Uptime", "browser.uptime", FT_UINT32, BASE_DEC, 1055 NULL, 0, "Server uptime in ms", HFILL }}, 1056 1057 { &hf_backup_count, 1058 { "Backup List Requested Count", "browser.backup.count", FT_UINT8, BASE_DEC, 1059 NULL, 0, NULL, HFILL }}, 1060 1061 { &hf_backup_token, 1062 { "Backup Request Token", "browser.backup.token", FT_UINT32, BASE_DEC, 1063 NULL, 0, "Backup requested/response token", HFILL }}, 1064 1065 { &hf_backup_server, 1066 { "Backup Server", "browser.backup.server", FT_STRING, BASE_NONE, 1067 NULL, 0, "Backup Server Name", HFILL }}, 1068 1069 { &hf_browser_to_promote, 1070 { "Browser to Promote", "browser.browser_to_promote", FT_STRINGZ, BASE_NONE, 1071 NULL, 0, NULL, HFILL }}, 1072 1073 { &hf_windows_version, 1074 { "Windows version", "browser.windows_version", FT_STRING, BASE_NONE, 1075 NULL, 0, NULL, HFILL }}, 1076 1077 { &hf_mysterious_field, 1078 { "Mysterious Field", "browser.mysterious_field", FT_UINT32, BASE_HEX, 1079 NULL, 0, NULL, HFILL }}, 1080 }; 1081 1082 static gint *ett[] = { 1083 &ett_browse, 1084 &ett_browse_flags, 1085 &ett_browse_election_criteria, 1086 &ett_browse_election_os, 1087 &ett_browse_election_desire, 1088 &ett_browse_reset_cmd_flags, 1089 }; 1090 1091 proto_smb_browse = proto_register_protocol("Microsoft Windows Browser Protocol", 1092 "BROWSER", "browser"); 1093 1094 proto_register_field_array(proto_smb_browse, hf, array_length(hf)); 1095 proto_register_subtree_array(ett, array_length(ett)); 1096 1097 register_dissector("mailslot_browse", dissect_mailslot_browse, 1098 proto_smb_browse); 1099 register_dissector("mailslot_lanman", dissect_mailslot_lanman, 1100 proto_smb_browse); 1101 } 1102 1103 /* 1104 * Editor modelines - https://www.wireshark.org/tools/modelines.html 1105 * 1106 * Local variables: 1107 * c-basic-offset: 8 1108 * tab-width: 8 1109 * indent-tabs-mode: t 1110 * End: 1111 * 1112 * vi: set shiftwidth=8 tabstop=8 noexpandtab: 1113 * :indentSize=8:tabSize=8:noTabs=false: 1114 */ 1115