Add patches for NFSv4.0 callback channel decode and decoders for more SMB

FIND_FILE infolevels
2010-03-16 14:22:22 +00:00 · 2010-03-16 14:22:22 +00:00 · ddc891d809
commit ddc891d809
parent 94574385b7
3 changed files with 472 additions and 1 deletions
--- a/wireshark-1.2.6-nfs40-backchnl-decode.patch
+++ b/wireshark-1.2.6-nfs40-backchnl-decode.patch
@ -0,0 +1,155 @@
+From 531ee0b54e7406992f9eefc60fbbbd4534116f99 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 9 Mar 2010 12:25:50 -0500
+Subject: [PATCH] Dynamically register callback dissector based on the NFSv4.0 SETCLIENTID
+ args (the equivalent of what had already been done for NFSv4.1
+ CREATE_SESSION).
+
+Fix CB_LAYOUTRECALL dissecting: the recall type wasn't getting parsed,
+so some of the layout recall info wasn't being displayed.
+
+Parse CB_SEQUENCE's referring call lists.
+---
+ epan/dissectors/packet-nfs.c |   68 +++++++++++++++++++++++++++++++++++------
+ 1 files changed, 58 insertions(+), 10 deletions(-)
+
+diff --git a/epan/dissectors/packet-nfs.c b/epan/dissectors/packet-nfs.c
+index 82ebfe4..fa475b7 100644
+--- a/epan/dissectors/packet-nfs.c
+++ b/epan/dissectors/packet-nfs.c
+@@ -7723,7 +7723,10 @@ dissect_nfs_cb_client4(tvbuff_t *tvb, int offset, proto_tree *tree)
+ {
+ 	proto_tree *cb_location = NULL;
+ 	proto_item *fitem = NULL;
+	int cbprog;
+ 
+	cbprog = tvb_get_ntohl(tvb, offset);
+	reg_callback(cbprog);
+ 	offset = dissect_rpc_uint32(tvb, tree, hf_nfs_cb_program, offset);
+ 	fitem = proto_tree_add_text(tree, tvb, offset, 0, "cb_location");
+ 
+@@ -9646,6 +9649,8 @@ static gint ett_nfs_cb_wantscancelled = -1;
+ static gint ett_nfs_cb_notifylock = -1;
+ static gint ett_nfs_cb_notifydeviceid = -1;
+ static gint ett_nfs_cb_notify = -1;
+static gint ett_nfs_cb_reflists = -1;
+static gint ett_nfs_cb_refcalls = -1;
+ static gint ett_nfs_cb_illegal = -1;
+ 
+ static const value_string names_nfs_cb_operation[] = {
+@@ -9683,16 +9688,56 @@ gint *nfs_cb_operation_ett[] =
+ };
+ 
+ static int
+dissect_nfs_cb_referring_calls(tvbuff_t *tvb, int offset, proto_tree *tree)
+{
+	guint num_reflists, num_refcalls, i, j;
+	proto_item *rl_item, *rc_item;
+	proto_tree *rl_tree = NULL, *rc_tree = NULL;
+
+	num_reflists = tvb_get_ntohl(tvb, offset);
+	rl_item = proto_tree_add_text(tree, tvb, offset, 4,
+			"referring call lists (count: %u)", num_reflists);
+	offset += 4;
+	if (num_reflists == 0)
+		return offset;
+
+	rl_tree = proto_item_add_subtree(rl_item, ett_nfs_cb_reflists);
+
+	for (i = 0; i < num_reflists; i++) {
+		offset = dissect_rpc_opaque_data(tvb, offset, rl_tree, NULL,
+				hf_nfs_sessionid4, TRUE, 16, FALSE, NULL, NULL);
+		num_refcalls = tvb_get_ntohl(tvb, offset);
+		rc_item = proto_tree_add_text(rl_tree, tvb, offset, 4,
+				"referring calls (count: %u)", num_refcalls);
+		offset += 4;
+		for (j = 0; j < num_refcalls; j++) {
+			rc_tree = proto_item_add_subtree(rc_item, ett_nfs_cb_refcalls);
+			offset = dissect_rpc_uint32(tvb, rc_tree, hf_nfs_seqid4, offset);
+			offset = dissect_rpc_uint32(tvb, rc_tree, hf_nfs_slotid4, offset);
+		}
+	}
+
+	return offset;
+}
+
+static int
+ dissect_nfs_cb_layoutrecall(tvbuff_t *tvb, int offset, proto_tree *tree, packet_info *pinfo)
+ {
+-	guint recalltype = hf_nfs_layouttype4;
+	guint recall_type;
+ 
+-	if (recalltype == 1) { /* RETURN_FILE */
+	offset = dissect_rpc_uint32(tvb, tree, hf_nfs_layouttype4, offset);
+	offset = dissect_rpc_uint32(tvb, tree, hf_nfs_iomode4, offset);
+	offset = dissect_rpc_bool(tvb, tree, hf_nfs_cb_clorachanged, offset);
+
+	recall_type = tvb_get_ntohl(tvb, offset);
+	offset = dissect_rpc_uint32(tvb, tree, hf_nfs_cb_layoutrecall_type, offset);
+
+	if (recall_type == 1) { /* RECALL_FILE */
+ 		offset = dissect_nfs_fh4(tvb, offset, pinfo, tree, "filehandle");  
+ 		offset = dissect_rpc_uint64(tvb, tree, hf_nfs_offset4, offset);
+ 		offset = dissect_rpc_uint64(tvb, tree, hf_nfs_length4, offset);
+ 		offset = dissect_nfs_stateid4(tvb, offset, tree);
+-	} else if (recalltype == 2) { /* RETURN_FSID */
+	} else if (recall_type == 2) { /* RECALL_FSID */
+ 		offset = dissect_nfs_fsid4(tvb, offset, tree, "fsid");
+ 	}
+ 
+@@ -9748,9 +9793,6 @@ dissect_nfs_cb_argop(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *
+ 			break;
+ 		case NFS4_OP_CB_GETATTR:
+ 		case NFS4_OP_CB_LAYOUTRECALL:
+-		  	offset = dissect_rpc_uint32(tvb, newftree, hf_nfs_layouttype4, offset);
+-			offset = dissect_rpc_uint32(tvb, newftree, hf_nfs_iomode4, offset);
+-			offset = dissect_rpc_bool(tvb, newftree, hf_nfs_cb_clorachanged, offset);
+ 			offset = dissect_nfs_cb_layoutrecall(tvb, offset, newftree, pinfo);
+ 			break;
+ 		case NFS4_OP_CB_NOTIFY:
+@@ -9766,8 +9808,7 @@ dissect_nfs_cb_argop(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *
+ 			offset = dissect_rpc_uint32(tvb, newftree, hf_nfs_slotid4, offset);
+ 			offset = dissect_rpc_uint32(tvb, newftree, hf_nfs_slotid4, offset);
+ 			offset = dissect_rpc_bool(tvb, newftree, hf_nfs_cachethis4, offset);
+-			/* skip refs -- assume 0 */
+-			offset = offset + 4;
+			offset = dissect_nfs_cb_referring_calls(tvb, offset, newftree);
+ 			break;
+ 		case NFS4_OP_CB_WANTS_CANCELLED:
+ 		case NFS4_OP_CB_NOTIFY_LOCK:
+@@ -9920,8 +9961,13 @@ void reg_callback(int cbprog)
+ 	/* Register the protocol as RPC */
+ 	rpc_init_prog(proto_nfs, cbprog, ett_nfs);
+ 	
+-	/* Register the procedure tables */
+	/*
+	 * Register the procedure tables.  The version should be 4,
+	 * but some Linux kernels set this field to 1.  "Temporarily",
+	 * accomodate these servers.
+	 */
+ 	rpc_init_proc_table(cbprog, 1, nfs_cb_proc, hf_nfs_cb_procedure);
+	rpc_init_proc_table(cbprog, 4, nfs_cb_proc, hf_nfs_cb_procedure);
+ }
+ 
+ void
+@@ -11274,7 +11320,7 @@ proto_register_nfs(void)
+ 			"CREATE_SESSION flags", "nfs.create_session_flags", FT_UINT32, BASE_HEX,
+ 			NULL, 0, NULL, HFILL }},
+ 		{ &hf_nfs_cachethis4, {
+-			"Cache this?", "nfs.cachethis4", FT_BOOLEAN, BASE_NONE,
+			"cache this?", "nfs.cachethis4", FT_BOOLEAN, BASE_NONE,
+ 			TFS(&tfs_yes_no), 0, NULL, HFILL }},
+ 		 
+ 		{ &hf_nfs_cb_procedure, {
+@@ -11479,6 +11525,8 @@ proto_register_nfs(void)
+ 		&ett_nfs_cb_notifylock,
+ 		&ett_nfs_cb_notifydeviceid,
+ 		&ett_nfs_cb_notify,
+		&ett_nfs_cb_reflists,
+		&ett_nfs_cb_refcalls,
+ 		&ett_nfs_cb_illegal,
+ 	};
+ 	module_t *nfs_module;
+-- 
+1.6.6.1
+
--- a/wireshark-1.2.6-smb-find-full-dir-info.patch
+++ b/wireshark-1.2.6-smb-find-full-dir-info.patch
@ -0,0 +1,308 @@
+From 2856caa1cf3307208864af4c59da8ecb07bc3153 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Mon, 8 Mar 2010 19:43:07 -0500
+Subject: [PATCH] packet-smb: add more FIND_FILE dissectors
+
+---
+ epan/dissectors/packet-smb.c |  271 ++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 271 insertions(+), 0 deletions(-)
+
+diff --git a/epan/dissectors/packet-smb.c b/epan/dissectors/packet-smb.c
+index 727b290..c9a90b9 100644
+--- a/epan/dissectors/packet-smb.c
+++ b/epan/dissectors/packet-smb.c
+@@ -10051,6 +10051,8 @@ static const value_string ff2_il_vals[] = {
+ 	{ 0x0102,	"Find File Full Directory Info"},
+ 	{ 0x0103,	"Find File Names Info"},
+ 	{ 0x0104,	"Find File Both Directory Info"},
+	{ 0x0105,	"Find File Full Directory Info"},
+	{ 0x0106,	"Find File Id Both Directory Info"},
+ 	{ 0x0202,	"Find File UNIX"},
+ 	{0, NULL}
+ };
+@@ -13900,6 +13902,267 @@ dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
+ }
+ 
+ static int
+dissect_4_3_4_6full(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
+    int offset, guint16 *bcp, gboolean *trunc)
+{
+	int fn_len;
+	const char *fn;
+	int old_offset = offset;
+	proto_item *item = NULL;
+	proto_tree *tree = NULL;
+	smb_info_t *si;
+	guint32 neo;
+	int padcnt;
+
+	si = (smb_info_t *)pinfo->private_data;
+	DISSECTOR_ASSERT(si);
+
+	if(parent_tree){
+		tvb_ensure_bytes_exist(tvb, offset, *bcp);
+		item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
+		    val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
+		tree = proto_item_add_subtree(item, ett_smb_ff2_data);
+	}
+
+	/*
+	 * XXX - I have not seen any of these that contain a resume
+	 * key, even though some of the requests had the "return resume
+	 * key" flag set.
+	 */
+
+	/* next entry offset */
+	CHECK_BYTE_COUNT_SUBR(4);
+	neo = tvb_get_letohl(tvb, offset);
+	proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
+	COUNT_BYTES_SUBR(4);
+
+	/* file index */
+	CHECK_BYTE_COUNT_SUBR(4);
+	proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
+	COUNT_BYTES_SUBR(4);
+
+        /* dissect standard 8-byte timestamps */
+	offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
+	if (*trunc) {
+	  return offset;
+	}
+
+	/* end of file */
+	CHECK_BYTE_COUNT_SUBR(8);
+	proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
+	COUNT_BYTES_SUBR(8);
+
+	/* allocation size */
+	CHECK_BYTE_COUNT_SUBR(8);
+	proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
+	COUNT_BYTES_SUBR(8);
+
+	/* Extended File Attributes */
+	CHECK_BYTE_COUNT_SUBR(4);
+	offset = dissect_file_ext_attr(tvb, tree, offset);
+	*bcp -= 4;
+
+	/* file name len */
+	CHECK_BYTE_COUNT_SUBR(4);
+	fn_len = tvb_get_letohl(tvb, offset);
+	proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
+	COUNT_BYTES_SUBR(4);
+
+	/*
+	 * EA length.
+	 *
+	 * XXX - in one captures, this has the topmost bit set, and the
+	 * rest of the bits have the value 7.  Is the topmost bit being
+	 * set some indication that the value *isn't* the length of
+	 * the EAs?
+	 */
+	CHECK_BYTE_COUNT_SUBR(4);
+	proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
+	COUNT_BYTES_SUBR(4);
+
+	/* skip 4 bytes */
+	COUNT_BYTES_SUBR(4);
+
+	CHECK_BYTE_COUNT_SUBR(8);
+	proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
+	COUNT_BYTES_SUBR(8);
+
+	/* file name */
+	fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
+	CHECK_STRING_SUBR(fn);
+	proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
+		fn);
+	COUNT_BYTES_SUBR(fn_len);
+
+	if (check_col(pinfo->cinfo, COL_INFO)) {
+		col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
+		    format_text(fn, strlen(fn)));
+	}
+
+	/* skip to next structure */
+	if(neo){
+		padcnt = (old_offset + neo) - offset;
+		if (padcnt < 0) {
+			/*
+			 * XXX - this is bogus; flag it?
+			 */
+			padcnt = 0;
+		}
+		if (padcnt != 0) {
+			CHECK_BYTE_COUNT_SUBR(padcnt);
+			COUNT_BYTES_SUBR(padcnt);
+		}
+	}
+
+	proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
+	proto_item_set_len(item, offset-old_offset);
+
+	*trunc = FALSE;
+	return offset;
+}
+
+static int
+dissect_4_3_4_6_id_both(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
+    int offset, guint16 *bcp, gboolean *trunc)
+{
+	int fn_len, sfn_len;
+	const char *fn, *sfn;
+	int old_offset = offset;
+	proto_item *item = NULL;
+	proto_tree *tree = NULL;
+	smb_info_t *si;
+	guint32 neo;
+	int padcnt;
+
+	si = (smb_info_t *)pinfo->private_data;
+	DISSECTOR_ASSERT(si);
+
+	if(parent_tree){
+		tvb_ensure_bytes_exist(tvb, offset, *bcp);
+		item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
+		    val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
+		tree = proto_item_add_subtree(item, ett_smb_ff2_data);
+	}
+
+	/*
+	 * XXX - I have not seen any of these that contain a resume
+	 * key, even though some of the requests had the "return resume
+	 * key" flag set.
+	 */
+
+	/* next entry offset */
+	CHECK_BYTE_COUNT_SUBR(4);
+	neo = tvb_get_letohl(tvb, offset);
+	proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
+	COUNT_BYTES_SUBR(4);
+
+	/* file index */
+	CHECK_BYTE_COUNT_SUBR(4);
+	proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
+	COUNT_BYTES_SUBR(4);
+
+        /* dissect standard 8-byte timestamps */
+	offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
+	if (*trunc) {
+	  return offset;
+	}
+
+	/* end of file */
+	CHECK_BYTE_COUNT_SUBR(8);
+	proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
+	COUNT_BYTES_SUBR(8);
+
+	/* allocation size */
+	CHECK_BYTE_COUNT_SUBR(8);
+	proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
+	COUNT_BYTES_SUBR(8);
+
+	/* Extended File Attributes */
+	CHECK_BYTE_COUNT_SUBR(4);
+	offset = dissect_file_ext_attr(tvb, tree, offset);
+	*bcp -= 4;
+
+	/* file name len */
+	CHECK_BYTE_COUNT_SUBR(4);
+	fn_len = tvb_get_letohl(tvb, offset);
+	proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
+	COUNT_BYTES_SUBR(4);
+
+	/*
+	 * EA length.
+	 *
+	 * XXX - in one captures, this has the topmost bit set, and the
+	 * rest of the bits have the value 7.  Is the topmost bit being
+	 * set some indication that the value *isn't* the length of
+	 * the EAs?
+	 */
+	CHECK_BYTE_COUNT_SUBR(4);
+	proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
+	COUNT_BYTES_SUBR(4);
+
+	/* short file name len */
+	CHECK_BYTE_COUNT_SUBR(1);
+	sfn_len = tvb_get_guint8(tvb, offset);
+	proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
+	COUNT_BYTES_SUBR(1);
+
+	/* reserved byte */
+	CHECK_BYTE_COUNT_SUBR(1);
+	proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
+	COUNT_BYTES_SUBR(1);
+
+	/* short file name - it's not always in Unicode */
+	sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp);
+	CHECK_STRING_SUBR(sfn);
+	proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
+		sfn);
+	COUNT_BYTES_SUBR(24);
+
+	/* reserved bytes */
+	CHECK_BYTE_COUNT_SUBR(2);
+	proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
+	COUNT_BYTES_SUBR(2);
+
+	/* file id */
+	CHECK_BYTE_COUNT_SUBR(8);
+	proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
+	COUNT_BYTES_SUBR(8);
+
+	/* file name */
+	fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
+	CHECK_STRING_SUBR(fn);
+	proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
+		fn);
+	COUNT_BYTES_SUBR(fn_len);
+
+	if (check_col(pinfo->cinfo, COL_INFO)) {
+		col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
+		    format_text(fn, strlen(fn)));
+	}
+
+	/* skip to next structure */
+	if(neo){
+		padcnt = (old_offset + neo) - offset;
+		if (padcnt < 0) {
+			/*
+			 * XXX - this is bogus; flag it?
+			 */
+			padcnt = 0;
+		}
+		if (padcnt != 0) {
+			CHECK_BYTE_COUNT_SUBR(padcnt);
+			COUNT_BYTES_SUBR(padcnt);
+		}
+	}
+
+	proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
+	proto_item_set_len(item, offset-old_offset);
+
+	*trunc = FALSE;
+	return offset;
+}
+
+static int
+ dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
+     int offset, guint16 *bcp, gboolean *trunc)
+ {
+@@ -14129,6 +14392,14 @@ dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
+ 		offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
+ 		    trunc);
+ 		break;
+	case 0x0105:	/*Find File Full Directory Info*/
+		offset = dissect_4_3_4_6full(tvb, pinfo, tree, offset, bcp,
+		    trunc);
+		break;
+	case 0x0106:	/*Find File Id Both Directory Info*/
+		offset = dissect_4_3_4_6_id_both(tvb, pinfo, tree, offset, bcp,
+		    trunc);
+		break;
+ 	case 0x0202:	/*Find File UNIX*/
+ 		offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
+ 		    trunc);
+-- 
+1.6.6.1
+
--- a/wireshark.spec
+++ b/wireshark.spec
@ -15,7 +15,7 @@ Version:	1.2.6
 %if %{svn_version}
 Release: 	0.%{svn_version}%{?dist}
 %else
-Release: 	1%{?dist}
+Release: 	2%{?dist}
 %endif
 License: 	GPL+
 Group: 		Applications/Internet
@ -36,6 +36,8 @@ Patch4:		wireshark-1.1.2-nfs41-backchnl-decode.patch
 Patch5:		wireshark-1.2.4-filter_null.patch
 Patch6:		wireshark-1.2.4-enable_lua.patch
 Patch7:		wireshark-1.2.4-disable_warning_dialog.patch
+Patch8:		wireshark-1.2.6-nfs40-backchnl-decode.patch
+Patch9:		wireshark-1.2.6-smb-find-full-dir-info.patch

 Url: 		http://www.wireshark.org/
 BuildRoot: 	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -120,6 +122,8 @@ and plugins.
 %endif

 %patch7 -p1 -b .dialog
+%patch8 -p1
+%patch9 -p1

 %build
 %ifarch s390 s390x sparcv9 sparc64
@ -319,6 +323,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_sbindir}/idl2wrs

 %changelog
+* Tue Mar 16 2010 Jeff Layton <jlayton@redhat.com> - 1.2.6-2
+- add patch to allow decode of NFSv4.0 callback channel
+- add patch to allow decode of more SMB FIND_FILE infolevels
+
 * Fri Jan 29 2010 Radek Vokal <rvokal@redhat.com> - 1.2.6-1
 - upgrade to 1.2.6
 - see http://www.wireshark.org/docs/relnotes/wireshark-1.2.6.html