1 /* packet-smb.h
2  * Defines for SMB packet dissection
3  * Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
4  *
5  * Wireshark - Network traffic analyzer
6  * By Gerald Combs <gerald@wireshark.org>
7  * Copyright 1998, 1999 Gerald Combs
8  *
9  * SPDX-License-Identifier: GPL-2.0-or-later
10  */
11 
12 #ifndef __PACKET_SMB_H__
13 #define __PACKET_SMB_H__
14 
15 #include "ws_symbol_export.h"
16 
17 #include <epan/proto.h>
18 #include <epan/wmem_scopes.h>
19 
20 WS_DLL_PUBLIC gboolean sid_name_snooping;	/* exported flag, defined outside this header; its meaning is not shown here */
21 
22 /* SMB command codes, from the SNIA CIFS spec. With MSVC and a
23  * libwireshark.dll, we need a special declaration.
24  */
25 WS_DLL_PUBLIC value_string_ext smb_cmd_vals_ext;	/* extended value-string table; presumably keyed by the SMB_COM_ codes below - confirm */
26 WS_DLL_PUBLIC value_string_ext trans2_cmd_vals_ext;	/* presumably the TRANSACTION2 subcommand names - confirm */
27 WS_DLL_PUBLIC value_string_ext nt_cmd_vals_ext;	/* presumably the NT_TRANSACT subcommand names - confirm */
28 
29 #define SMB_COM_CREATE_DIRECTORY		0x00
30 #define SMB_COM_DELETE_DIRECTORY		0x01
31 #define SMB_COM_OPEN				0x02
32 #define SMB_COM_CREATE				0x03
33 #define SMB_COM_CLOSE				0x04
34 #define SMB_COM_FLUSH				0x05
35 #define SMB_COM_DELETE				0x06
36 #define SMB_COM_RENAME				0x07
37 #define SMB_COM_QUERY_INFORMATION		0x08
38 #define SMB_COM_SET_INFORMATION			0x09
39 #define SMB_COM_READ				0x0A
40 #define SMB_COM_WRITE				0x0B
41 #define SMB_COM_LOCK_BYTE_RANGE			0x0C
42 #define SMB_COM_UNLOCK_BYTE_RANGE		0x0D
43 #define SMB_COM_CREATE_TEMPORARY		0x0E
44 #define SMB_COM_CREATE_NEW			0x0F
45 #define SMB_COM_CHECK_DIRECTORY			0x10
46 #define SMB_COM_PROCESS_EXIT			0x11
47 #define SMB_COM_SEEK				0x12
48 #define SMB_COM_LOCK_AND_READ			0x13
49 #define SMB_COM_WRITE_AND_UNLOCK		0x14
50 #define SMB_COM_READ_RAW			0x1A
51 #define SMB_COM_READ_MPX			0x1B
52 #define SMB_COM_READ_MPX_SECONDARY		0x1C
53 #define SMB_COM_WRITE_RAW			0x1D
54 #define SMB_COM_WRITE_MPX			0x1E
55 #define SMB_COM_WRITE_MPX_SECONDARY		0x1F
56 #define SMB_COM_WRITE_COMPLETE			0x20
57 #define SMB_COM_QUERY_SERVER			0x21
58 #define SMB_COM_SET_INFORMATION2		0x22
59 #define SMB_COM_QUERY_INFORMATION2		0x23
60 #define SMB_COM_LOCKING_ANDX			0x24
61 #define SMB_COM_TRANSACTION			0x25
62 #define SMB_COM_TRANSACTION_SECONDARY		0x26
63 #define SMB_COM_IOCTL				0x27
64 #define SMB_COM_IOCTL_SECONDARY			0x28
65 #define SMB_COM_COPY				0x29
66 #define SMB_COM_MOVE				0x2A
67 #define SMB_COM_ECHO				0x2B
68 #define SMB_COM_WRITE_AND_CLOSE			0x2C
69 #define SMB_COM_OPEN_ANDX			0x2D
70 #define SMB_COM_READ_ANDX			0x2E
71 #define SMB_COM_WRITE_ANDX			0x2F
72 #define SMB_COM_NEW_FILE_SIZE			0x30
73 #define SMB_COM_CLOSE_AND_TREE_DISC		0x31
74 #define SMB_COM_TRANSACTION2			0x32
75 #define SMB_COM_TRANSACTION2_SECONDARY		0x33
76 #define SMB_COM_FIND_CLOSE2			0x34
77 #define SMB_COM_FIND_NOTIFY_CLOSE		0x35
78 /* Used by Xenix/Unix		0x60-0x6E; no constant is defined here for that range or for the other gaps (e.g. 0x15-0x19), so code that switches on the 8-bit command value needs a default case for unlisted codes */
79 #define SMB_COM_TREE_CONNECT			0x70
80 #define SMB_COM_TREE_DISCONNECT			0x71
81 #define SMB_COM_NEGOTIATE			0x72
82 #define SMB_COM_SESSION_SETUP_ANDX		0x73
83 #define SMB_COM_LOGOFF_ANDX			0x74
84 #define SMB_COM_TREE_CONNECT_ANDX		0x75
85 #define SMB_COM_QUERY_INFORMATION_DISK		0x80
86 #define SMB_COM_SEARCH				0x81
87 #define SMB_COM_FIND				0x82
88 #define SMB_COM_FIND_UNIQUE			0x83
89 #define SMB_COM_FIND_CLOSE			0x84
90 #define SMB_COM_NT_TRANSACT			0xA0
91 #define SMB_COM_NT_TRANSACT_SECONDARY		0xA1
92 #define SMB_COM_NT_CREATE_ANDX			0xA2
93 #define SMB_COM_NT_CANCEL			0xA4
94 #define SMB_COM_NT_RENAME			0xA5
95 #define SMB_COM_OPEN_PRINT_FILE			0xC0
96 #define SMB_COM_WRITE_PRINT_FILE		0xC1
97 #define SMB_COM_CLOSE_PRINT_FILE		0xC2
98 #define SMB_COM_GET_PRINT_QUEUE			0xC3
99 #define SMB_COM_READ_BULK			0xD8
100 #define SMB_COM_WRITE_BULK			0xD9
101 #define SMB_COM_WRITE_BULK_DATA			0xDA
102 
103 /* Error codes: one value per category of error, as described on each line */
104 
105 #define SMB_SUCCESS 0x00  /* All OK */
106 #define SMB_ERRDOS  0x01  /* DOS based error */
107 #define SMB_ERRSRV  0x02  /* server error, network file manager */
108 #define SMB_ERRHRD  0x03  /* Hardware style error */
109 #define SMB_ERRCMD  0x04  /* Not an SMB format command */
110 
111 /* used for SMB export object functionality; the fields suggest one record per piece of file data (payload_data/payload_len) plus the identifiers of the file it belongs to */
112 typedef struct _smb_eo_t {
113 	guint	      smbversion;
114 	guint16	      cmd;
115 	int	      tid,uid;
116 	guint	      fid;	/* NOTE: guint here, guint16 in smb_saved_info_t and struct _smb_fid_into_t */
117 	guint32	      pkt_num;
118 	gchar	     *hostname;	/* ownership/lifetime of the three gchar strings is not visible in this header - confirm who frees them */
119 	gchar	     *filename;	/* NOTE(review): presumably taken from the capture, so treat it as untrusted before using it as a local path - confirm */
120 	int	      fid_type;	/* presumably one of the SMB_FID_TYPE_ values - confirm */
121 	gint64	      end_of_file;	/* signed 64-bit; NOTE(review): presumably wire-derived, so validate the range before using it as a size */
122 	gchar	     *content_type;
123 	guint32	      payload_len;	/* presumably the number of bytes at payload_data - confirm */
124 	const guint8 *payload_data;	/* pointer to const bytes; the lifetime of the backing buffer is not shown here */
125 	guint64	      smb_file_offset;	/* NOTE(review): presumably wire-derived; consumers adding smb_chunk_len to it should check for overflow */
126 	guint32	      smb_chunk_len;
127 } smb_eo_t;
128 
129 /* the information we need to keep around for NT transaction commands; the SMB_EI_NTI tag marks a saved extra_info pointer of this type */
130 typedef struct {
131 	int	subcmd;
132 	int	fid_type;	/* presumably one of the SMB_FID_TYPE_ values - confirm */
133 	guint32 ioctl_function;
134 } smb_nt_transact_info_t;
135 
136 /* the information we need to keep around for transaction2 commands; the SMB_EI_T2I tag marks a saved extra_info pointer of this type */
137 typedef struct {
138 	int	    subcmd;
139 	int	    info_level;
140 	gboolean    resume_keys; /* if "return resume" keys set in T2 FIND_FIRST request */
141 	const char *name;	/* string ownership is not visible in this header; not modified through this pointer */
142 } smb_transact2_info_t;
143 
144 /*
145  * The information we need to save about a request in order to show the
146  * frame number of the request in the dissection of the reply.
147  */
148 #define SMB_SIF_TID_IS_IPC	0x0001	/* single-bit values; presumably stored in smb_saved_info_t.flags - confirm */
149 #define SMB_SIF_IS_CONTINUED	0x0002
150 typedef enum {	/* tag recording what smb_saved_info_t.extra_info points to; readers must check it before casting the void pointer */
151 	SMB_EI_NONE,		/* Unassigned / NULL */
152 	SMB_EI_FID,		/* FID */
153 	SMB_EI_NTI,		/* smb_nt_transact_info_t * */
154 	SMB_EI_TRI,		/* smb_transact_info_t * */
155 	SMB_EI_T2I,		/* smb_transact2_info_t * */
156 	SMB_EI_TIDNAME,		/* tid tracking char * */
157 	SMB_EI_FILEDATA,	/* fid tracking */
158 	SMB_EI_FILENAME,	/* filename tracking */
159 	SMB_EI_UID,		/* smb_uid_t */
160 	SMB_EI_RWINFO,		/* read/write offset/count info */
161 	SMB_EI_LOCKDATA,	/* locking and x data */
162 	SMB_EI_RENAMEDATA,	/* rename data */
163 	SMB_EI_DIALECTS		/* negprot dialects */
164 } smb_extra_info_t;
165 
166 typedef struct _smb_fid_into_t smb_fid_info_t;	/* forward declaration; the tag is spelled "into" and has to match the struct definition later in this header */
167 
168 typedef struct {	/* state saved about a request so the reply can refer back to it */
169 	guint32		  frame_req, frame_res;	/* by their names, the frame numbers of the request and of the response */
170 	nstime_t	  req_time;
171 	guint16		  flags;	/* presumably SMB_SIF_ bits - confirm */
172 	guint8		  cmd;
173 	void		 *extra_info;	/* untyped; the pointed-to type is given by extra_info_type, so a cast made without checking the tag risks type confusion */
174 	smb_extra_info_t  extra_info_type;	/* must be kept in step with extra_info whenever either is written */
175 	/* we save the fid in each transaction so that we can get fid filters
176 	   to match both request and response */
177 	gboolean	  fid_seen_in_request;
178 	guint16		  fid;
179 } smb_saved_info_t;
180 
181 /*
182  * The information we need to save about a Transaction request in order
183  * to dissect the reply; this includes information for use by the
184  * Remote API and Mailslot dissectors.
185  * XXX - have an additional data structure hung off of this by the
186  * subdissectors?
187  */
188 typedef struct {	/* the SMB_EI_TRI tag marks a saved extra_info pointer of this type */
189 	int	 subcmd;	/* presumably TRANSACTION_PIPE or TRANSACTION_MAILSLOT - confirm */
190 	int	 trans_subcmd;
191 	int	 function;
192 	/* Unification of fid variable type (was int) */
193 	guint16	 fid;
194 	guint16	 lanman_cmd;
195 	guchar	*param_descrip; /* Keep these descriptors around */
196 	guchar	*data_descrip;	/* ownership and termination of the three descriptor buffers are not visible in this header - confirm before treating them as C strings */
197 	guchar	*aux_data_descrip;
198 	int	 info_level;
199 } smb_transact_info_t;
200 
201 /*
202  * Subcommand type.
203  */
204 #define TRANSACTION_PIPE	0
205 #define TRANSACTION_MAILSLOT	1
206 
207 /* these are defines used to represent different types of TIDs.
208    don't use the value 0 for any of these (NOTE(review): presumably because 0 has to stay distinguishable as "no entry" - confirm) */
209 #define TID_NORMAL	1
210 #define TID_IPC		2
211 
212 /* this is the structure which is associated with each conversation; NOTE(review): the keys are presumably the fid/tid/uid values seen in packets, so callers should expect lookups to miss - confirm */
213 typedef struct conv_tables {
214 	/* these two tables are used to match requests with responses */
215 	GHashTable  *unmatched;
216 	GHashTable  *matched;
217 	/* This table keeps primary transact requests so secondaries can find
218 	   them */
219 	GHashTable  *primaries;
220 
221 	/* This table is used to track TID->services for a conversation */
222 	GHashTable  *tid_service;
223 	gboolean     raw_ntlmssp; /* Do extended security exchanges use raw NTLMSSP? */
224 
225 	/* track fid to fidstruct (filename/openframe/closeframe) */
226 	wmem_tree_t *fid_tree;
227         /* We'll use a GSList instead; the element type is not visible here, presumably smb_fid_info_t - confirm */
228         GSList	    *GSL_fid_info;
229 
230 	/* track tid to fidstruct (sharename/shareframe/unshareframe) */
231 	wmem_tree_t *tid_tree;
232 
233 	/* track uid to username mappings */
234 	wmem_tree_t *uid_tree;
235 } conv_tables_t;
236 
237 typedef struct smb_info {	/* dissection state passed to helper dissectors (dissect_smb_fid takes it as its si parameter) */
238   guint8   cmd;
239   int	   tid, pid, uid, mid;
240   guint32  nt_status;
241   gboolean unicode;		/* Are strings in this SMB Unicode? */
242   gboolean request;		/* Is this a request? */
243   gboolean unidir;
244   int	   info_level;
245   int	   info_count;
246   smb_saved_info_t *sip;	/* smb_saved_info_t, if any, for this; "if any" implies it can be NULL, so check before dereferencing */
247   conv_tables_t	   *ct;	/* the per-conversation tables declared above */
248 } smb_info_t;
249 
250 /*
251  * Show file data for a read or write. bc and datalen are both 16-bit counts; NOTE(review): how they bound each other is not visible in this header - confirm that the implementation limits datalen to bc and to what is left in tvb.
252  */
253 extern int dissect_file_data(tvbuff_t *tvb, proto_tree *tree, int offset,
254     guint16 bc, guint16 datalen);
255 
256 
257 #define SMB_FID_TYPE_UNKNOWN	0	/* presumably the values for the fid_type / type fields of the structs in this header - confirm */
258 #define SMB_FID_TYPE_FILE	1
259 #define SMB_FID_TYPE_DIR	2
260 #define SMB_FID_TYPE_PIPE	3
261 
262 /* used for tracking filenames from rename request to response; the SMB_EI_RENAMEDATA tag is described as "rename data", presumably this struct - confirm */
263 typedef struct _smb_rename_saved_info_t {
264 	char *old_name;	/* ownership and lifetime of both strings are not visible in this header */
265 	char *new_name;
266 } smb_rename_saved_info_t;
267 
268 /* used for tracking lock data between lock request/response; singly linked list node */
269 typedef struct _smb_lock_info_t {
270 	struct _smb_lock_info_t *next;	/* next node; presumably NULL at the end of the list - confirm */
271 	guint16	pid;
272 	guint64	offset;	/* NOTE(review): presumably wire-derived; offset + length can wrap a 64-bit value, so check before computing a range end */
273 	guint64	length;
274 } smb_lock_info_t;
275 
276 typedef struct _smb_locking_saved_info_t {	/* the SMB_EI_LOCKDATA tag is described as "locking and x data", presumably this struct - confirm */
277 	guint8	type;
278 	guint8	oplock_level;
279 	guint16	num_lock;	/* NOTE(review): presumably the claimed lengths of the two lists below; walk the lists by their next pointers rather than trusting these counts - confirm */
280 	guint16	num_unlock;
281 	smb_lock_info_t *locks;	/* head of a list of smb_lock_info_t nodes */
282 	smb_lock_info_t *unlocks;
283 } smb_locking_saved_info_t;
284 
285 /* used for tracking fid/tid to filename/sharename openedframe closedframe; struct _smb_fid_into_t points to one of these through its fsi member */
286 typedef struct _smb_fid_saved_info_t {
287 	char	*filename;	/* ownership and lifetime are not visible in this header */
288 	guint32	 create_flags;	/* the six 32-bit fields are, by their names, the parameters of the create/open request - confirm */
289 	guint32	 access_mask;
290 	guint32	 file_attributes;
291 	guint32	 share_access;
292 	guint32	 create_options;
293 	guint32	 create_disposition;
294 } smb_fid_saved_info_t;
295 
296 struct _smb_fid_into_t {	/* definition behind the smb_fid_info_t typedef; the tag is spelled "into" in both places */
297         guint16	tid,fid;
298         /* The end_of_file will store the last registered offset or
299            the reported end_of_file from the SMB protocol */
300         gint64	end_of_file;	/* signed; a reported value comes from the peer, so treat it as untrusted when it is used as a size */
301         /* These two were int */
302 	guint	opened_in;	/* NOTE: guint here, while smb_tid_info_t keeps opened_in/closed_in as int */
303 	guint	closed_in;
304 	int	type;	/* presumably one of the SMB_FID_TYPE_ values - confirm */
305 	smb_fid_saved_info_t *fsi;	/* NOTE(review): whether this can be NULL is not visible here - check before dereferencing */
306 };
307 
308 /* used for tracking tid to sharename openedframe closedframe (the struct tag is spelled "into") */
309 typedef struct _smb_tid_into_t {
310 	int   opened_in;	/* NOTE: int here, guint in struct _smb_fid_into_t */
311 	int   closed_in;
312 	char *filename;	/* per the comment above, the share name; ownership is not visible in this header */
313 	int   type;	/* presumably TID_NORMAL or TID_IPC - confirm */
314 } smb_tid_info_t;
315 
316 
317 /*
318  * Dissect an smb FID; returns an smb_fid_info_t pointer. NOTE(review): whether NULL can be returned is not visible in this header - callers should confirm before dereferencing the result.
319  */
320 extern smb_fid_info_t *dissect_smb_fid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
321     int offset, int len, guint16 fid, gboolean is_created, gboolean is_closed, gboolean is_generated, smb_info_t* si);
322 
323 /*
324  * Dissect named pipe state information; returns an int, presumably the offset after the dissected field - confirm.
325  */
326 extern int dissect_ipc_state(tvbuff_t *tvb, proto_tree *parent_tree,
327     int offset, gboolean setstate);
328 
329 extern gboolean smb_dcerpc_reassembly;	/* flag defined outside this header; by its name it controls DCE/RPC reassembly over SMB - confirm */
330 
331 extern const value_string create_disposition_vals[];	/* array length is not declared here, so users cannot take its size from this header */
332 
333 extern int dissect_nt_create_options(tvbuff_t *tvb, proto_tree *parent_tree, int offset);	/* this and the next two take (tvb, parent_tree, offset) and return int, presumably the new offset - confirm */
334 
335 extern int dissect_nt_share_access(tvbuff_t *tvb, proto_tree *parent_tree, int offset);
336 
337 extern int dissect_smb_access_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset);
338 
339 extern const value_string oa_open_vals[];
340 extern const value_string impersonation_level_vals[];
341 
342 extern gboolean sid_display_hex;	/* flag defined outside this header; its meaning is not shown here */
343 
344 extern int dissect_security_information_mask(tvbuff_t *tvb, proto_tree *parent_tree, int offset);
345 
346 extern int dissect_qfsi_FS_VOLUME_INFO(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, int offset, guint16 *bcp, int unicode);	/* bcp points to a byte count the callee can update; presumably the bytes still available, reduced as fields are consumed - confirm */
347 extern int dissect_qfsi_FS_SIZE_INFO(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, int offset, guint16 *bcp);
348 extern int dissect_qfsi_FS_DEVICE_INFO(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, int offset, guint16 *bcp);
349 extern int dissect_qfsi_FS_ATTRIBUTE_INFO(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, int offset, guint16 *bcp);
350 extern int dissect_nt_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp);
351 extern int dissect_nt_user_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp);
352 extern int dissect_nt_get_user_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint32 *bcp);	/* NOTE: bcp is a guint32 pointer here but a guint16 pointer in the two quota dissectors above; callers must pass the matching width */
353 extern int dissect_qfsi_FS_OBJECTID_INFO(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, int offset, guint16 *bcp);
354 extern int dissect_qfsi_FS_FULL_SIZE_INFO(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, int offset, guint16 *bcp);
355 extern int dissect_qfi_SMB_FILE_EA_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, guint16 *bcp, gboolean *trunc);	/* trunc is an out flag; presumably set when the data ends before the structure is complete - confirm */
356 extern int dissect_qfi_SMB_FILE_STREAM_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int offset, guint16 *bcp, gboolean *trunc, int unicode);	/* NOTE: unicode is declared int here and gboolean in dissect_qfi_SMB_FILE_NAME_INFO below */
357 extern int dissect_qfi_SMB_FILE_NAME_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp, gboolean *trunc, gboolean unicode);
358 extern int dissect_qfi_SMB_FILE_STANDARD_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp, gboolean *trunc);
359 extern int dissect_qfi_SMB_FILE_INTERNAL_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp, gboolean *trunc);
360 extern int dissect_qsfi_SMB_FILE_POSITION_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp, gboolean *trunc);
361 extern int dissect_qsfi_SMB_FILE_MODE_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp, gboolean *trunc);
362 extern int dissect_qfi_SMB_FILE_ALIGNMENT_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp, gboolean *trunc);
363 extern int dissect_qfi_SMB_FILE_COMPRESSION_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp, gboolean *trunc);
364 extern int dissect_qfi_SMB_FILE_NETWORK_OPEN_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp, gboolean *trunc);
365 extern int dissect_qfi_SMB_FILE_ATTRIBUTE_TAG_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp, gboolean *trunc);
366 extern int dissect_qsfi_SMB_FILE_ALLOCATION_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp, gboolean *trunc);
367 extern int dissect_qsfi_SMB_FILE_ENDOFFILE_INFO(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp, gboolean *trunc);
368 extern int dissect_nt_notify_completion_filter(tvbuff_t *tvb, proto_tree *parent_tree, int offset);
369 extern int dissect_sfi_SMB_FILE_PIPE_INFO(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, guint16 *bcp, gboolean *trunc);
370 extern int dissect_get_dfs_request_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp, gboolean unicode);
371 extern int dissect_get_dfs_referral_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, guint16 *bcp, gboolean unicode);
372 
373 /* Returns an IP (v4 or v6) of the server in a SMB/SMB2 conversation, as a const string; ownership and lifetime of the returned string are not visible in this header, so callers should not free or keep it without confirming */
374 extern const gchar *tree_ip_str(packet_info *pinfo, guint16 cmd);
375 
376 #endif
377 
378 /*
379  * Editor modelines  -  https://www.wireshark.org/tools/modelines.html
380  *
381  * Local variables:
382  * c-basic-offset: 8
383  * tab-width: 8
384  * indent-tabs-mode: t
385  * End:
386  *
387  * vi: set shiftwidth=8 tabstop=8 noexpandtab:
388  * :indentSize=8:tabSize=8:noTabs=false:
389  */
390