rpms/wireshark
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Add patches for NFSv4.0 callback channel decode and decoders for more SMB

Browse Source 
FIND_FILE infolevels
This commit is contained in:
Jeff Layton 2010-03-16 14:22:22 +00:00
parent 94574385b7
commit ddc891d809
3 changed files with 472 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

155
wireshark-1.2.6-nfs40-backchnl-decode.patch Normal file
View File

@ -0,0 +1,155 @@
From 531ee0b54e7406992f9eefc60fbbbd4534116f99 Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton@redhat.com>
Date: Tue, 9 Mar 2010 12:25:50 -0500
Subject: [PATCH] Dynamically register callback dissector based on the NFSv4.0 SETCLIENTID
args (the equivalent of what had already been done for NFSv4.1
CREATE_SESSION).
Fix CB_LAYOUTRECALL dissecting: the recall type wasn't getting parsed,
so some of the layout recall info wasn't being displayed.
Parse CB_SEQUENCE's referring call lists.
---
epan/dissectors/packet-nfs.c | 68 +++++++++++++++++++++++++++++++++++------
1 files changed, 58 insertions(+), 10 deletions(-)
diff --git a/epan/dissectors/packet-nfs.c b/epan/dissectors/packet-nfs.c
index 82ebfe4..fa475b7 100644
--- a/epan/dissectors/packet-nfs.c
+++ b/epan/dissectors/packet-nfs.c
@@ -7723,7 +7723,10 @@ dissect_nfs_cb_client4(tvbuff_t *tvb, int offset, proto_tree *tree)
{
proto_tree *cb_location = NULL;
proto_item *fitem = NULL;
+ int cbprog;
+ cbprog = tvb_get_ntohl(tvb, offset);
+ reg_callback(cbprog);
offset = dissect_rpc_uint32(tvb, tree, hf_nfs_cb_program, offset);
fitem = proto_tree_add_text(tree, tvb, offset, 0, "cb_location");
@@ -9646,6 +9649,8 @@ static gint ett_nfs_cb_wantscancelled = -1;
static gint ett_nfs_cb_notifylock = -1;
static gint ett_nfs_cb_notifydeviceid = -1;
static gint ett_nfs_cb_notify = -1;
+static gint ett_nfs_cb_reflists = -1;
+static gint ett_nfs_cb_refcalls = -1;
static gint ett_nfs_cb_illegal = -1;
static const value_string names_nfs_cb_operation[] = {
@@ -9683,16 +9688,56 @@ gint *nfs_cb_operation_ett[] =
};
static int
+dissect_nfs_cb_referring_calls(tvbuff_t *tvb, int offset, proto_tree *tree)
+{
+ guint num_reflists, num_refcalls, i, j;
+ proto_item *rl_item, *rc_item;
+ proto_tree *rl_tree = NULL, *rc_tree = NULL;
+
+ num_reflists = tvb_get_ntohl(tvb, offset);
+ rl_item = proto_tree_add_text(tree, tvb, offset, 4,
+ "referring call lists (count: %u)", num_reflists);
+ offset += 4;
+ if (num_reflists == 0)
+ return offset;
+
+ rl_tree = proto_item_add_subtree(rl_item, ett_nfs_cb_reflists);
+
+ for (i = 0; i < num_reflists; i++) {
+ offset = dissect_rpc_opaque_data(tvb, offset, rl_tree, NULL,
+ hf_nfs_sessionid4, TRUE, 16, FALSE, NULL, NULL);
+ num_refcalls = tvb_get_ntohl(tvb, offset);
+ rc_item = proto_tree_add_text(rl_tree, tvb, offset, 4,
+ "referring calls (count: %u)", num_refcalls);
+ offset += 4;
+ for (j = 0; j < num_refcalls; j++) {
+ rc_tree = proto_item_add_subtree(rc_item, ett_nfs_cb_refcalls);
+ offset = dissect_rpc_uint32(tvb, rc_tree, hf_nfs_seqid4, offset);
+ offset = dissect_rpc_uint32(tvb, rc_tree, hf_nfs_slotid4, offset);
+ }
+ }
+
+ return offset;
+}
+
+static int
dissect_nfs_cb_layoutrecall(tvbuff_t *tvb, int offset, proto_tree *tree, packet_info *pinfo)
{
- guint recalltype = hf_nfs_layouttype4;
+ guint recall_type;
- if (recalltype == 1) { /* RETURN_FILE */
+ offset = dissect_rpc_uint32(tvb, tree, hf_nfs_layouttype4, offset);
+ offset = dissect_rpc_uint32(tvb, tree, hf_nfs_iomode4, offset);
+ offset = dissect_rpc_bool(tvb, tree, hf_nfs_cb_clorachanged, offset);
+
+ recall_type = tvb_get_ntohl(tvb, offset);
+ offset = dissect_rpc_uint32(tvb, tree, hf_nfs_cb_layoutrecall_type, offset);
+
+ if (recall_type == 1) { /* RECALL_FILE */
offset = dissect_nfs_fh4(tvb, offset, pinfo, tree, "filehandle");
offset = dissect_rpc_uint64(tvb, tree, hf_nfs_offset4, offset);
offset = dissect_rpc_uint64(tvb, tree, hf_nfs_length4, offset);
offset = dissect_nfs_stateid4(tvb, offset, tree);
- } else if (recalltype == 2) { /* RETURN_FSID */
+ } else if (recall_type == 2) { /* RECALL_FSID */
offset = dissect_nfs_fsid4(tvb, offset, tree, "fsid");
}
@@ -9748,9 +9793,6 @@ dissect_nfs_cb_argop(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *
break;
case NFS4_OP_CB_GETATTR:
case NFS4_OP_CB_LAYOUTRECALL:
- offset = dissect_rpc_uint32(tvb, newftree, hf_nfs_layouttype4, offset);
- offset = dissect_rpc_uint32(tvb, newftree, hf_nfs_iomode4, offset);
- offset = dissect_rpc_bool(tvb, newftree, hf_nfs_cb_clorachanged, offset);
offset = dissect_nfs_cb_layoutrecall(tvb, offset, newftree, pinfo);
break;
case NFS4_OP_CB_NOTIFY:
@@ -9766,8 +9808,7 @@ dissect_nfs_cb_argop(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *
offset = dissect_rpc_uint32(tvb, newftree, hf_nfs_slotid4, offset);
offset = dissect_rpc_uint32(tvb, newftree, hf_nfs_slotid4, offset);
offset = dissect_rpc_bool(tvb, newftree, hf_nfs_cachethis4, offset);
- /* skip refs -- assume 0 */
- offset = offset + 4;
+ offset = dissect_nfs_cb_referring_calls(tvb, offset, newftree);
break;
case NFS4_OP_CB_WANTS_CANCELLED:
case NFS4_OP_CB_NOTIFY_LOCK:
@@ -9920,8 +9961,13 @@ void reg_callback(int cbprog)
/* Register the protocol as RPC */
rpc_init_prog(proto_nfs, cbprog, ett_nfs);
- /* Register the procedure tables */
+ /*
+ * Register the procedure tables. The version should be 4,
+ * but some Linux kernels set this field to 1. "Temporarily",
+ * accomodate these servers.
+ */
rpc_init_proc_table(cbprog, 1, nfs_cb_proc, hf_nfs_cb_procedure);
+ rpc_init_proc_table(cbprog, 4, nfs_cb_proc, hf_nfs_cb_procedure);
}
void
@@ -11274,7 +11320,7 @@ proto_register_nfs(void)
"CREATE_SESSION flags", "nfs.create_session_flags", FT_UINT32, BASE_HEX,
NULL, 0, NULL, HFILL }},
{ &hf_nfs_cachethis4, {
- "Cache this?", "nfs.cachethis4", FT_BOOLEAN, BASE_NONE,
+ "cache this?", "nfs.cachethis4", FT_BOOLEAN, BASE_NONE,
TFS(&tfs_yes_no), 0, NULL, HFILL }},
{ &hf_nfs_cb_procedure, {
@@ -11479,6 +11525,8 @@ proto_register_nfs(void)
&ett_nfs_cb_notifylock,
&ett_nfs_cb_notifydeviceid,
&ett_nfs_cb_notify,
+ &ett_nfs_cb_reflists,
+ &ett_nfs_cb_refcalls,
&ett_nfs_cb_illegal,
};
module_t *nfs_module;
--
1.6.6.1

308
wireshark-1.2.6-smb-find-full-dir-info.patch Normal file
View File

@ -0,0 +1,308 @@
From 2856caa1cf3307208864af4c59da8ecb07bc3153 Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton@redhat.com>
Date: Mon, 8 Mar 2010 19:43:07 -0500
Subject: [PATCH] packet-smb: add more FIND_FILE dissectors
---
epan/dissectors/packet-smb.c | 271 ++++++++++++++++++++++++++++++++++++++++++
1 files changed, 271 insertions(+), 0 deletions(-)
diff --git a/epan/dissectors/packet-smb.c b/epan/dissectors/packet-smb.c
index 727b290..c9a90b9 100644
--- a/epan/dissectors/packet-smb.c
+++ b/epan/dissectors/packet-smb.c
@@ -10051,6 +10051,8 @@ static const value_string ff2_il_vals[] = {
{ 0x0102, "Find File Full Directory Info"},
{ 0x0103, "Find File Names Info"},
{ 0x0104, "Find File Both Directory Info"},
+ { 0x0105, "Find File Full Directory Info"},
+ { 0x0106, "Find File Id Both Directory Info"},
{ 0x0202, "Find File UNIX"},
{0, NULL}
};
@@ -13900,6 +13902,267 @@ dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
}
static int
+dissect_4_3_4_6full(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
+ int offset, guint16 *bcp, gboolean *trunc)
+{
+ int fn_len;
+ const char *fn;
+ int old_offset = offset;
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ smb_info_t *si;
+ guint32 neo;
+ int padcnt;
+
+ si = (smb_info_t *)pinfo->private_data;
+ DISSECTOR_ASSERT(si);
+
+ if(parent_tree){
+ tvb_ensure_bytes_exist(tvb, offset, *bcp);
+ item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
+ val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
+ tree = proto_item_add_subtree(item, ett_smb_ff2_data);
+ }
+
+ /*
+ * XXX - I have not seen any of these that contain a resume
+ * key, even though some of the requests had the "return resume
+ * key" flag set.
+ */
+
+ /* next entry offset */
+ CHECK_BYTE_COUNT_SUBR(4);
+ neo = tvb_get_letohl(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
+ COUNT_BYTES_SUBR(4);
+
+ /* file index */
+ CHECK_BYTE_COUNT_SUBR(4);
+ proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
+ COUNT_BYTES_SUBR(4);
+
+ /* dissect standard 8-byte timestamps */
+ offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
+ if (*trunc) {
+ return offset;
+ }
+
+ /* end of file */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* allocation size */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Extended File Attributes */
+ CHECK_BYTE_COUNT_SUBR(4);
+ offset = dissect_file_ext_attr(tvb, tree, offset);
+ *bcp -= 4;
+
+ /* file name len */
+ CHECK_BYTE_COUNT_SUBR(4);
+ fn_len = tvb_get_letohl(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
+ COUNT_BYTES_SUBR(4);
+
+ /*
+ * EA length.
+ *
+ * XXX - in one captures, this has the topmost bit set, and the
+ * rest of the bits have the value 7. Is the topmost bit being
+ * set some indication that the value *isn't* the length of
+ * the EAs?
+ */
+ CHECK_BYTE_COUNT_SUBR(4);
+ proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
+ COUNT_BYTES_SUBR(4);
+
+ /* skip 4 bytes */
+ COUNT_BYTES_SUBR(4);
+
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* file name */
+ fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
+ CHECK_STRING_SUBR(fn);
+ proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
+ fn);
+ COUNT_BYTES_SUBR(fn_len);
+
+ if (check_col(pinfo->cinfo, COL_INFO)) {
+ col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
+ format_text(fn, strlen(fn)));
+ }
+
+ /* skip to next structure */
+ if(neo){
+ padcnt = (old_offset + neo) - offset;
+ if (padcnt < 0) {
+ /*
+ * XXX - this is bogus; flag it?
+ */
+ padcnt = 0;
+ }
+ if (padcnt != 0) {
+ CHECK_BYTE_COUNT_SUBR(padcnt);
+ COUNT_BYTES_SUBR(padcnt);
+ }
+ }
+
+ proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
+ proto_item_set_len(item, offset-old_offset);
+
+ *trunc = FALSE;
+ return offset;
+}
+
+static int
+dissect_4_3_4_6_id_both(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
+ int offset, guint16 *bcp, gboolean *trunc)
+{
+ int fn_len, sfn_len;
+ const char *fn, *sfn;
+ int old_offset = offset;
+ proto_item *item = NULL;
+ proto_tree *tree = NULL;
+ smb_info_t *si;
+ guint32 neo;
+ int padcnt;
+
+ si = (smb_info_t *)pinfo->private_data;
+ DISSECTOR_ASSERT(si);
+
+ if(parent_tree){
+ tvb_ensure_bytes_exist(tvb, offset, *bcp);
+ item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s",
+ val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)"));
+ tree = proto_item_add_subtree(item, ett_smb_ff2_data);
+ }
+
+ /*
+ * XXX - I have not seen any of these that contain a resume
+ * key, even though some of the requests had the "return resume
+ * key" flag set.
+ */
+
+ /* next entry offset */
+ CHECK_BYTE_COUNT_SUBR(4);
+ neo = tvb_get_letohl(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo);
+ COUNT_BYTES_SUBR(4);
+
+ /* file index */
+ CHECK_BYTE_COUNT_SUBR(4);
+ proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE);
+ COUNT_BYTES_SUBR(4);
+
+ /* dissect standard 8-byte timestamps */
+ offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc);
+ if (*trunc) {
+ return offset;
+ }
+
+ /* end of file */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* allocation size */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* Extended File Attributes */
+ CHECK_BYTE_COUNT_SUBR(4);
+ offset = dissect_file_ext_attr(tvb, tree, offset);
+ *bcp -= 4;
+
+ /* file name len */
+ CHECK_BYTE_COUNT_SUBR(4);
+ fn_len = tvb_get_letohl(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len);
+ COUNT_BYTES_SUBR(4);
+
+ /*
+ * EA length.
+ *
+ * XXX - in one captures, this has the topmost bit set, and the
+ * rest of the bits have the value 7. Is the topmost bit being
+ * set some indication that the value *isn't* the length of
+ * the EAs?
+ */
+ CHECK_BYTE_COUNT_SUBR(4);
+ proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE);
+ COUNT_BYTES_SUBR(4);
+
+ /* short file name len */
+ CHECK_BYTE_COUNT_SUBR(1);
+ sfn_len = tvb_get_guint8(tvb, offset);
+ proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len);
+ COUNT_BYTES_SUBR(1);
+
+ /* reserved byte */
+ CHECK_BYTE_COUNT_SUBR(1);
+ proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE);
+ COUNT_BYTES_SUBR(1);
+
+ /* short file name - it's not always in Unicode */
+ sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp);
+ CHECK_STRING_SUBR(sfn);
+ proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24,
+ sfn);
+ COUNT_BYTES_SUBR(24);
+
+ /* reserved bytes */
+ CHECK_BYTE_COUNT_SUBR(2);
+ proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE);
+ COUNT_BYTES_SUBR(2);
+
+ /* file id */
+ CHECK_BYTE_COUNT_SUBR(8);
+ proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE);
+ COUNT_BYTES_SUBR(8);
+
+ /* file name */
+ fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);
+ CHECK_STRING_SUBR(fn);
+ proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len,
+ fn);
+ COUNT_BYTES_SUBR(fn_len);
+
+ if (check_col(pinfo->cinfo, COL_INFO)) {
+ col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
+ format_text(fn, strlen(fn)));
+ }
+
+ /* skip to next structure */
+ if(neo){
+ padcnt = (old_offset + neo) - offset;
+ if (padcnt < 0) {
+ /*
+ * XXX - this is bogus; flag it?
+ */
+ padcnt = 0;
+ }
+ if (padcnt != 0) {
+ CHECK_BYTE_COUNT_SUBR(padcnt);
+ COUNT_BYTES_SUBR(padcnt);
+ }
+ }
+
+ proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn)));
+ proto_item_set_len(item, offset-old_offset);
+
+ *trunc = FALSE;
+ return offset;
+}
+
+static int
dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
int offset, guint16 *bcp, gboolean *trunc)
{
@@ -14129,6 +14392,14 @@ dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo,
offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp,
trunc);
break;
+ case 0x0105: /*Find File Full Directory Info*/
+ offset = dissect_4_3_4_6full(tvb, pinfo, tree, offset, bcp,
+ trunc);
+ break;
+ case 0x0106: /*Find File Id Both Directory Info*/
+ offset = dissect_4_3_4_6_id_both(tvb, pinfo, tree, offset, bcp,
+ trunc);
+ break;
case 0x0202: /*Find File UNIX*/
offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp,
trunc);
--
1.6.6.1

10
wireshark.spec
View File

@ -15,7 +15,7 @@ Version: 1.2.6
%if %{svn_version} %if %{svn_version}
Release: 0.%{svn_version}%{?dist} Release: 0.%{svn_version}%{?dist}
%else %else
Release: 1%{?dist} Release: 2%{?dist}
%endif %endif
License: GPL+ License: GPL+
Group: Applications/Internet Group: Applications/Internet
@ -36,6 +36,8 @@ Patch4: wireshark-1.1.2-nfs41-backchnl-decode.patch
Patch5: wireshark-1.2.4-filter_null.patch Patch5: wireshark-1.2.4-filter_null.patch
Patch6: wireshark-1.2.4-enable_lua.patch Patch6: wireshark-1.2.4-enable_lua.patch
Patch7: wireshark-1.2.4-disable_warning_dialog.patch Patch7: wireshark-1.2.4-disable_warning_dialog.patch
Patch8: wireshark-1.2.6-nfs40-backchnl-decode.patch
Patch9: wireshark-1.2.6-smb-find-full-dir-info.patch
Url: http://www.wireshark.org/ Url: http://www.wireshark.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -120,6 +122,8 @@ and plugins.
%endif %endif
%patch7 -p1 -b .dialog %patch7 -p1 -b .dialog
%patch8 -p1
%patch9 -p1
%build %build
%ifarch s390 s390x sparcv9 sparc64 %ifarch s390 s390x sparcv9 sparc64
@ -319,6 +323,10 @@ rm -rf $RPM_BUILD_ROOT
%{_sbindir}/idl2wrs %{_sbindir}/idl2wrs
%changelog %changelog
* Tue Mar 16 2010 Jeff Layton <jlayton@redhat.com> - 1.2.6-2
- add patch to allow decode of NFSv4.0 callback channel
- add patch to allow decode of more SMB FIND_FILE infolevels
* Fri Jan 29 2010 Radek Vokal <rvokal@redhat.com> - 1.2.6-1 * Fri Jan 29 2010 Radek Vokal <rvokal@redhat.com> - 1.2.6-1
- upgrade to 1.2.6 - upgrade to 1.2.6
- see http://www.wireshark.org/docs/relnotes/wireshark-1.2.6.html - see http://www.wireshark.org/docs/relnotes/wireshark-1.2.6.html