
📄 print-smb.c

📁 Windump3.6.2源代码
{SMBmove,"SMBmove",0,   {"TreeID2=[d]\nOFun=[w]\nFlags=[w]\n","Path=[S]\nNewPath=[S]\n",    "MoveCount=[d]\n","|ErrStr=[S]\n",NULL}},{SMBopenX,"SMBopenX",FLG_CHAIN,{"Com2=[w]\nOff2=[d]\nFlags=[w]\nMode=[w]\nSearchAttrib=[A]\nAttrib=[A]\nTime=[T2]OFun=[w]\nSize=[D]\nTimeOut=[D]\nRes=[W]\n","Path=[S]\n","Com2=[w]\nOff2=[d]\nHandle=[d]\nAttrib=[A]\nTime=[T2]Size=[D]\nAccess=[w]\nType=[w]\nState=[w]\nAction=[w]\nFileID=[W]\nRes=[w]\n",NULL,NULL}},{SMBreadX,"SMBreadX",FLG_CHAIN,{"Com2=[w]\nOff2=[d]\nHandle=[d]\nOffset=[D]\nMaxCount=[d]\nMinCount=[d]\nTimeOut=[D]\nCountLeft=[d]\n",NULL,"Com2=[w]\nOff2=[d]\nRemaining=[d]\nRes=[W]\nDataSize=[d]\nDataOff=[d]\nRes=([w,w,w,w])\n",NULL,NULL}},{SMBwriteX,"SMBwriteX",FLG_CHAIN,{"Com2=[w]\nOff2=[d]\nHandle=[d]\nOffset=[D]\nTimeOut=[D]\nWMode=[w]\nCountLeft=[d]\nRes=[w]\nDataSize=[d]\nDataOff=[d]\n",NULL,"Com2=[w]\nOff2=[d]\nCount=[d]\nRemaining=[d]\nRes=[W]\n",NULL,NULL}},{SMBlockingX,"SMBlockingX",FLG_CHAIN,{"Com2=[w]\nOff2=[d]\nHandle=[d]\nLockType=[w]\nTimeOut=[D]\nUnlockCount=[d]\nLockCount=[d]\n","*Process=[d]\nOffset=[D]\nLength=[D]\n","Com2=[w]\nOff2=[d]\n"}},{SMBffirst,"SMBffirst",0,{"Count=[d]\nAttrib=[A]\n","Path=[Z]\nBlkType=[B]\nBlkLen=[d]\n|Res1=[B]\nMask=[s11]\nSrv1=[B]\nDirIndex=[d]\nSrv2=[w]\n","Count=[d]\n","BlkType=[B]\nBlkLen=[d]\n*\nRes1=[B]\nMask=[s11]\nSrv1=[B]\nDirIndex=[d]\nSrv2=[w]\nRes2=[W]\nAttrib=[a]\nTime=[T1]Size=[D]\nName=[s13]\n",NULL}},{SMBfunique,"SMBfunique",0,{"Count=[d]\nAttrib=[A]\n","Path=[Z]\nBlkType=[B]\nBlkLen=[d]\n|Res1=[B]\nMask=[s11]\nSrv1=[B]\nDirIndex=[d]\nSrv2=[w]\n","Count=[d]\n","BlkType=[B]\nBlkLen=[d]\n*\nRes1=[B]\nMask=[s11]\nSrv1=[B]\nDirIndex=[d]\nSrv2=[w]\nRes2=[W]\nAttrib=[a]\nTime=[T1]Size=[D]\nName=[s13]\n",NULL}},{SMBfclose,"SMBfclose",0,{"Count=[d]\nAttrib=[A]\n","Path=[Z]\nBlkType=[B]\nBlkLen=[d]\n|Res1=[B]\nMask=[s11]\nSrv1=[B]\nDirIndex=[d]\nSrv2=[w]\n","Count=[d]\n","BlkType=[B]\nBlkLen=[d]\n*\nRes1=[B]\nMask=[s11]\nSrv1=[B]\nDirIndex=[d]\nSrv2=[w]\nRes2=[W]\nAttrib=
[a]\nTime=[T1]Size=[D]\nName=[s13]\n",NULL}},{SMBfindnclose, "SMBfindnclose", 0,   {"Handle=[d]\n",NULL,NULL,NULL,NULL}},{SMBfindclose, "SMBfindclose", 0,   {"Handle=[d]\n",NULL,NULL,NULL,NULL}},{SMBsends,"SMBsends",0,   {NULL,"Source=[Z]\nDest=[Z]\n",NULL,NULL,NULL}},{SMBsendstrt,"SMBsendstrt",0,   {NULL,"Source=[Z]\nDest=[Z]\n","GroupID=[d]\n",NULL,NULL}},   {SMBsendend,"SMBsendend",0,   {"GroupID=[d]\n",NULL,NULL,NULL,NULL}},{SMBsendtxt,"SMBsendtxt",0,   {"GroupID=[d]\n",NULL,NULL,NULL,NULL}},{SMBsendb,"SMBsendb",0,   {NULL,"Source=[Z]\nDest=[Z]\n",NULL,NULL,NULL}},{SMBfwdname,"SMBfwdname",0,DEFDESCRIPT},{SMBcancelf,"SMBcancelf",0,DEFDESCRIPT},{SMBgetmac,"SMBgetmac",0,DEFDESCRIPT},{SMBnegprot,"SMBnegprot",0,   {NULL,NULL,NULL,NULL,print_negprot}},{SMBsesssetupX,"SMBsesssetupX",FLG_CHAIN,   {NULL,NULL,NULL,NULL,print_sesssetup}},{SMBtconX,"SMBtconX",FLG_CHAIN,{"Com2=[w]\nOff2=[d]\nFlags=[w]\nPassLen=[d]\nPasswd&Path&Device=\n",NULL, "Com2=[w]\nOff2=[d]\n","ServiceType=[S]\n",NULL}},{SMBtrans2, "SMBtrans2",0,{NULL,NULL,NULL,NULL,print_trans2}},{SMBtranss2, "SMBtranss2", 0,DEFDESCRIPT},{SMBctemp,"SMBctemp",0,DEFDESCRIPT},{SMBreadBs,"SMBreadBs",0,DEFDESCRIPT},{SMBtrans,"SMBtrans",0,{NULL,NULL,NULL,NULL,print_trans}},{SMBnttrans,"SMBnttrans", 0, DEFDESCRIPT},{SMBnttranss,"SMBnttranss", 0, DEFDESCRIPT},{SMBntcreateX,"SMBntcreateX", FLG_CHAIN, {"Com2=[w]\nOff2=[d]\nRes=[b]\nNameLen=[d]\nFlags=[W]\nRootDirectoryFid=[D]\nAccessMask=[W]\nAllocationSize=[L]\nExtFileAttributes=[W]\nShareAccess=[W]\nCreateDisposition=[W]\nCreateOptions=[W]\nImpersonationLevel=[W]\nSecurityFlags=[b]\n","Path=[S]\n",	 "Com2=[w]\nOff2=[d]\nOplockLevel=[b]\nFid=[d]\nCreateAction=[W]\nCreateTime=[T3]LastAccessTime=[T3]LastWriteTime=[T3]ChangeTime=[T3]ExtFileAttributes=[W]\nAllocationSize=[L]\nEndOfFile=[L]\nFileType=[w]\nDeviceState=[w]\nDirectory=[b]\n", NULL}},{SMBntcancel,"SMBntcancel", 0, 
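DEFDESCRIPT},
/* Terminating entry of the command table: id -1 and a NULL name. */
{-1,NULL,0,DEFDESCRIPT}
};

/*
 * Every printer below dissects bytes taken from captured traffic, so all
 * offsets, counts and lengths inside the packet are untrusted.  Each read
 * is checked against maxbuf (one past the last captured byte) first; when
 * the bytes are not there the printer emits "[|SMB]" and stops instead of
 * reading past the capture buffer.
 */

/*******************************************************************
print a SMB message

buf points at the "\377SMB" signature and maxbuf one past the last
byte that may be read.  With vflag == 0 only the command name and
direction are printed.
********************************************************************/
static void print_smb(const uchar *buf, const uchar *maxbuf)
{
  int command;
  const uchar *words, *data;
  struct smbfns *fn;
  char *fmt_smbheader =
    "[P4]SMB Command   =  [B]\nError class   =  [BP1]\nError code    =  [d]\nFlags1        =  [B]\nFlags2        =  [B][P13]\nTree ID       =  [d]\nProc ID       =  [d]\nUID           =  [d]\nMID           =  [d]\nWord Count    =  [b]\n";

  /* The command byte (offset 4) and the flags byte (offset 9) are read
     unconditionally, so at least 10 bytes must have been captured. */
  if (maxbuf - buf < 10) {
    printf("[|SMB]\n");
    return;
  }

  request = (CVAL(buf,9)&0x80)?0:1;

  command = CVAL(buf,4);

  /* NOTE(review): smbfind() is defined outside this excerpt; this code
     relies on it always returning an entry with a printable name. */
  fn = smbfind(command,smb_fns);

  printf("\nSMB PACKET: %s (%s)\n",fn->name,request?"REQUEST":"REPLY");

  if (vflag == 0) return;

  /* The header dump below is bounded by buf+33, not by maxbuf, and the
     word count lives at offset 32: require those 33 bytes up front. */
  if (maxbuf - buf < 33) {
    printf("[|SMB]\n");
    return;
  }

  /* print out the header */
  fdata(buf,fmt_smbheader,buf+33);

  if (CVAL(buf,5)) {
    int class = CVAL(buf,5);
    int num = SVAL(buf,7);
    printf("SMBError = %s\n",smb_errstr(class,num));
  }

  words = buf+32;
  data = words + 1 + CVAL(words,0)*2;

  /* Invariant at the top of every iteration: words < maxbuf, so the word
     count byte itself is readable. */
  while (words && data)
    {
      char *f1,*f2;
      int wct = CVAL(words,0);
      /* captured bytes from the word count onwards */
      long avail = (long)(maxbuf - words);
      /* offset of the byte-count field relative to words */
      long data_off = 1 + 2L*wct;
      /* is the 2-byte byte count after the parameter words captured? */
      int have_bcc = (avail >= data_off + 2);

      if (request) {
	f1 = fn->descript.req_f1;
	f2 = fn->descript.req_f2;
      } else {
	f1 = fn->descript.rep_f1;
	f2 = fn->descript.rep_f2;
      }

      if (fn->descript.fn) {
	/* NOTE(review): the per-command printers are outside this excerpt;
	   they receive maxbuf and must bound their own reads (data may
	   point beyond it when the packet is cut short). */
	fn->descript.fn(words,data,buf,maxbuf);
      } else {
	if (f1) {
	  printf("smbvwv[]=\n");
	  /* stop at the end of the parameter words or of the capture,
	     whichever comes first */
	  fdata(words+1,f1,(avail >= data_off) ? words + data_off : maxbuf);
	} else if (wct) {
	  int i;
	  int v;
	  printf("smbvwv[]=\n");
	  for (i=0;i<wct;i++) {
	    /* word i occupies words[1+2i] and words[2+2i] */
	    if (avail < 3 + 2L*i) {
	      printf("[|SMB]\n");
	      break;
	    }
	    v = SVAL(words+1,2*i);
	    printf("smb_vwv[%d]=%d (0x%X)\n",i,v,v);
	  }
	}

	if (!have_bcc) {
	  /* the byte count itself was not captured */
	  printf("[|SMB]\n");
	} else if (f2) {
	  printf("smbbuf[]=\n");
	  fdata(data+2,f2,maxbuf);
	} else {
	  int bcc = SVAL(data,0);
	  printf("smb_bcc=%d\n",bcc);
	  if (bcc>0) {
	    printf("smb_buf[]=\n");
	    print_data(data + 2, MIN(bcc,PTR_DIFF(maxbuf,data+2)));
	  }
	}
      }

      /* Chained (AndX) command: the next command and its offset from buf
         are read from words[1..4], so five bytes must be present. */
      if ((fn->flags & FLG_CHAIN) && CVAL(words,0) && avail >= 5 &&
	  SVAL(words,1)!=0xFF) {
	long next_off;

	command = SVAL(words,1);
	next_off = SVAL(words,3);

	/* The offset comes from the packet.  It has to move forward,
	   otherwise a crafted chain loops forever, and it has to stay
	   inside the captured data. */
	if (next_off <= (long)(words - buf)) {
	  printf("Corrupt packet??\n");
	  break;
	}
	if (next_off >= (long)(maxbuf - buf)) {
	  printf("[|SMB]\n");
	  break;
	}

	words = buf + next_off;
	data = words + 1 + CVAL(words,0)*2;
	fn = smbfind(command,smb_fns);
	printf("\nSMB PACKET: %s (%s) (CHAINED)\n",fn->name,request?"REQUEST":"REPLY");
      } else {
	words = data = NULL;
      }
    }

  printf("\n");
}


/*
   print a NBT packet received across tcp on port 139

   data/length describe the captured bytes; the 4-byte session header
   (type, flags, 16-bit length) is only read once it is known to be there.
*/
void nbt_tcp_print(const uchar *data,int length)
{
  const uchar *maxbuf = data + length;
  int flags;
  int nbt_len;

  startbuf = data;
  if (maxbuf <= data) return;

  printf("\n>>> NBT Packet\n");

  if (length < 4) {
    printf("[|SMB]\n");
    goto out;
  }

  flags = CVAL(data,0);
  nbt_len = RSVAL(data,2);

  switch (flags) {
  case 1:
    printf("flags=0x%x\n", flags);
    /* fall through: type 1 is printed like a session packet
       (appears intentional in the original) */
  case 0:
    data = fdata(data,"NBT Session Packet\nFlags=[rw]\nLength=[rd]\n",data+4);
    if (data == NULL)
      break;
    /* compare the signature only when four bytes are really available */
    if (maxbuf - data >= 4 && memcmp(data,"\377SMB",4)==0) {
      long avail = (long)(maxbuf - data);

      if (nbt_len > avail)
	printf("WARNING: Short packet. Try increasing the snap length (%ld)\n",
	       avail);
      /* hand print_smb the smaller of the declared and captured length */
      print_smb(data,(nbt_len < avail) ? data + nbt_len : maxbuf);
    } else {
      printf("Session packet:(raw data?)\n");
    }
    break;

  case 0x81:
    data = fdata(data,"NBT Session Request\nFlags=[rW]\nDestination=[n1]\nSource=[n1]\n",maxbuf);
    break;

  case 0x82:
    data = fdata(data,"NBT Session Granted\nFlags=[rW]\n",maxbuf);
    break;

  case 0x83:
    {
      const uchar *reject = data;
      int ecode;

      data = fdata(data,"NBT SessionReject\nFlags=[rW]\nReason=[B]\n",maxbuf);
      /* the reason code is the fifth byte; skip the text when the
         capture ends before it */
      if (data == NULL || maxbuf - reject < 5)
	break;
      ecode = CVAL(reject,4);
      switch (ecode) {
      case 0x80:
	printf("Not listening on called name\n");
	break;
      case 0x81:
	printf("Not listening for calling name\n");
	break;
      case 0x82:
	printf("Called name not present\n");
	break;
      case 0x83:
	printf("Called name present, but insufficient resources\n");
	break;
      default:
	printf("Unspecified error 0x%X\n",ecode);
	break;
      }
    }
    break;

  case 0x85:
    data = fdata(data,"NBT Session Keepalive\nFlags=[rW]\n",maxbuf);
    break;

  default:
    printf("flags=0x%x\n", flags);
    data = fdata(data,"NBT - Unknown packet type\nType=[rW]\n",maxbuf);
  }

out:
  printf("\n");
  fflush(stdout);
}


/*
   print a NBT packet received across udp on port 137

   The 12-byte name service header is decoded first; the question and
   resource records that follow are only printed when vflag is set.
*/
void nbt_udp137_print(const uchar *data, int length)
{
  const uchar *maxbuf = data + length;
  int name_trn_id, response, opcode, nm_flags, rcode;
  int qdcount, ancount, nscount, arcount;
  char *opcodestr;
  const uchar *p;

  startbuf = data;

  if (maxbuf <= data) return;

  printf("\n>>> NBT UDP PACKET(137): ");

  /* every header field below lies in the first 12 bytes */
  if (length < 12)
    goto trunc;

  name_trn_id = RSVAL(data,0);
  response = (CVAL(data,2)>>7);
  opcode = (CVAL(data,2) >> 3) & 0xF;
  nm_flags = ((CVAL(data,2) & 0x7) << 4) + (CVAL(data,3)>>4);
  rcode = CVAL(data,3) & 0xF;
  qdcount = RSVAL(data,4);
  ancount = RSVAL(data,6);
  nscount = RSVAL(data,8);
  arcount = RSVAL(data,10);

  switch (opcode) {
  case 0: opcodestr = "QUERY"; break;
  case 5: opcodestr = "REGISTRATION"; break;
  case 6: opcodestr = "RELEASE"; break;
  case 7: opcodestr = "WACK"; break;
  case 8: opcodestr = "REFRESH(8)"; break;
  case 9: opcodestr = "REFRESH"; break;
  default: opcodestr = "OPUNKNOWN"; break;
  }
  printf("%s", opcodestr);
  if (response) {
    if (rcode)
      printf("; NEGATIVE");
    else
      printf("; POSITIVE");
  }

  if (response)
    printf("; RESPONSE");
  else
    printf("; REQUEST");

  if (nm_flags&1)
    printf("; BROADCAST");
  else
    printf("; UNICAST");

  if (vflag == 0) return;

  printf("\nTrnID=0x%X\nOpCode=%d\nNmFlags=0x%X\nRcode=%d\nQueryCount=%d\nAnswerCount=%d\nAuthorityCount=%d\nAddressRecCount=%d\n",
	 name_trn_id,opcode,nm_flags,rcode,qdcount,ancount,nscount,arcount);

  p = data + 12;

  {
    int total = ancount+nscount+arcount;
    int i;

    if (qdcount>100 || total>100) {
      printf("Corrupt packet??\n");
      return;
    }

    if (qdcount) {
      printf("QuestionRecords:\n");
      /* The NULL test belongs inside the loop: without braces it only ran
         after the last record, so a failed fdata() was fed back in. */
      for (i=0;i<qdcount;i++) {
	p = fdata(p,"|Name=[n1]\nQuestionType=[rw]\nQuestionClass=[rw]\n#",maxbuf);
	if (p == NULL)
	  goto out;
      }
    }

    if (total) {
      printf("\nResourceRecords:\n");
      for (i=0;i<total;i++) {
	int rdlen;
	int restype;

	p = fdata(p,"Name=[n1]\n#",maxbuf);
	if (p == NULL)
	  goto out;

	/* type, class and TTL take 8 bytes; the fdata() call below is
	   bounded by p+8 rather than maxbuf, so check here */
	if (maxbuf - p < 8)
	  goto trunc;
	restype = RSVAL(p,0);
	p = fdata(p,"ResType=[rw]\nResClass=[rw]\nTTL=[rD]\n",p+8);
	if (p == NULL)
	  goto out;

	if (maxbuf - p < 2)
	  goto trunc;
	rdlen = RSVAL(p,0);
	printf("ResourceLength=%d\nResourceData=\n",rdlen);
	p += 2;

	/* rdlen is taken from the packet: never trust it beyond the
	   bytes that were captured */
	if ((long)rdlen > (long)(maxbuf - p))
	  goto trunc;

	if (rdlen == 6) {
	  p = fdata(p,"AddrType=[rw]\nAddress=[b.b.b.b]\n",p+rdlen);
	  if (p == NULL)
	    goto out;
	} else {
	  if (restype == 0x21) {
	    int numnames;

	    if (maxbuf - p < 1)
	      goto trunc;
	    numnames = CVAL(p,0);
	    p = fdata(p,"NumNames=[B]\n",p+1);
	    if (p == NULL)
	      goto out;
	    while (numnames--) {
	      p = fdata(p,"Name=[n2]\t#",maxbuf);
	      /* fdata() can fail here as well, and the two flag bytes
	         after the name must be present before they are used */
	      if (p == NULL)
		goto out;
	      if (maxbuf - p < 2)
		goto trunc;
	      if (p[0] & 0x80) printf("<GROUP> ");
	      switch (p[0] & 0x60) {
	      case 0x00: printf("B "); break;
	      case 0x20: printf("P "); break;
	      case 0x40: printf("M "); break;
	      case 0x60: printf("_ "); break;
	      }
	      if (p[0] & 0x10) printf("<DEREGISTERING> ");
	      if (p[0] & 0x08) printf("<CONFLICT> ");
	      if (p[0] & 0x04) printf("<ACTIVE> ");
	      if (p[0] & 0x02) printf("<PERMANENT> ");
	      printf("\n");
	      p += 2;
	    }
	  } else {
	    print_data(p,rdlen);
	    p += rdlen;
	  }
	}
      }
    }
  }

  if (p < maxbuf) {
    fdata(p,"AdditionalData:\n",maxbuf);
  }

  goto out;

trunc:
  printf("[|SMB]");
out:
  printf("\n");
  fflush(stdout);
}



/*
   print a NBT packet received across udp on port 138

   The datagram header is printed by fdata(); whatever follows it is
   handed to print_smb() together with the end of the capture.
*/
void nbt_udp138_print(const uchar *data, int length)
{
  const uchar *maxbuf = data + length;

  startbuf = data;
  if (maxbuf <= data) return;

  data = fdata(data,"\n>>> NBT UDP PACKET(138) Res=[rw] ID=[rw] IP=[b.b.b.b] Port=[rd] Length=[rd] Res2=[rw]\nSourceName=[n1]\nDestName=[n1]\n#",maxbuf);

  if (data != NULL)
    print_smb(data,maxbuf);

  printf("\n");
  fflush(stdout);
}



/*
   print netbeui frames

   The first two bytes give the NetBEUI header length and byte 4 the
   command; an SMB message, if any, is looked for after that header.
*/
void netbeui_print(u_short control, const uchar *data, const uchar *maxbuf)
{
  int len;
  int command;
  const uchar *data2;
  int is_truncated = 0;

  startbuf = data;

  printf("\n>>> NetBeui Packet\nType=0x%X ", control);

  /* length (bytes 0-1) and command (byte 4) are read below */
  if (maxbuf - data < 5) {
    printf("[|SMB]");
    goto out;
  }

  len = SVAL(data,0);
  command = CVAL(data,4);

  /* len comes from the frame; compare it with the captured size instead
     of building a pointer that may lie outside the buffer */
  if ((long)len >= (long)(maxbuf - data)) {
    data2 = maxbuf;
    is_truncated = 1;
  } else {
    data2 = data + len;
  }

  data = fdata(data,"Length=[d] Signature=[w] Command=[B]\n#",maxbuf);
  if (data == NULL)
    goto out;

  switch (command) {
  case 0xA:
    data = fdata(data,"NameQuery:[P1]\nSessionNumber=[B]\nNameType=[B][P2]\nResponseCorrelator=[w]\nDestination=[n2]\nSource=[n2]\n",data2);
    break;

  case 0x8:
    data = fdata(data,"NetbiosDataGram:[P7]\nDestination=[n2]\nSource=[n2]\n",data2);
    break;

  case 0xE:
    data = fdata(data,"NameRecognise:\n[P1]\nData2=[w]\nTransmitCorrelator=[w]\nResponseCorelator=[w]\nDestination=[n2]\nSource=[n2]\n",data2);
    break;

  case 0x19:
    data = fdata(data,"SessionInitialise:\nData1=[B]\nData2=[w]\nTransmitCorrelator=[w]\nResponseCorelator=[w]\nRemoteSessionNumber=[B]\nLocalSessionNumber=[B]\n",data2);
    break;

  case 0x17:
    data = fdata(data,"SessionConfirm:\nData1=[B]\nData2=[w]\nTransmitCorrelator=[w]\nResponseCorelator=[w]\nRemoteSessionNumber=[B]\nLocalSessionNumber=[B]\n",data2);
    break;

  case 0x16:
    data = fdata(data,"NetbiosDataOnlyLast:\nFlags=[{|NO_ACK|PIGGYBACK_ACK_ALLOWED|PIGGYBACK_ACK_INCLUDED|}]\nResyncIndicator=[w][P2]\nResponseCorelator=[w]\nRemoteSessionNumber=[B]\nLocalSessionNumber=[B]\n",data2);
    break;

  case 0x14:
    data = fdata(data,"NetbiosDataAck:\n[P3]TransmitCorrelator=[w][P2]\nRemoteSessionNumber=[B]\nLocalSessionNumber=[B]\n",data2);
    break;

  case 0x18:
    data = fdata(data,"SessionEnd:\n[P1]Data2=[w][P4]\nRemoteSessionNumber=[B]\nLocalSessionNumber=[B]\n",data2);
    break;

  case 0x1f:
    data = fdata(data,"SessionAlive\n",data2);
    break;

  default:
    data = fdata(data,"Unknown Netbios Command ",data2);
    break;
  }
  if (data == NULL)
    goto out;

  if (is_truncated) {
    /* data2 was past the end of the buffer */
    goto out;
  }

  /* memcmp() reads four bytes, so each candidate position needs four
     captured bytes, not just one */
  if (maxbuf - data2 >= 4 && memcmp(data2,"\377SMB",4)==0) {
    print_smb(data2,maxbuf);
  } else {
    int i;
    for (i=0;i<128;i++) {
      if (maxbuf - &data2[i] < 4)
        break;
      if (memcmp(&data2[i],"\377SMB",4)==0) {
	printf("found SMB packet at %d\n", i);
	print_smb(&data2[i],maxbuf);
	break;
      }
    }
  }

out:
  printf("\n");
}


/*
   print IPX-Netbios frames

   Looks for the SMB signature in the first 128 bytes and prints from
   there; anything else is reported as unknown IPX.
*/
void ipx_netbios_print(const uchar *data, const uchar *maxbuf)
{
  /* this is a hack till I work out how to parse the rest of the IPX stuff */
  int i;
  int found = 0;

  startbuf = data;

  /* The scan is limited by maxbuf as well as by 128: the original compared
     four bytes at every offset without looking at the capture length. */
  for (i=0; i<128 && maxbuf - &data[i] >= 4; i++) {
    if (memcmp(&data[i],"\377SMB",4)==0) {
      fdata(data,"\n>>> IPX transport ",&data[i]);
      /* the original tested data != NULL here, which could never fail
         because data had already been dereferenced */
      print_smb(&data[i],maxbuf);
      printf("\n");
      fflush(stdout);
      found = 1;
      break;
    }
  }

  /* also reached when the capture ends before offset 128 */
  if (!found)
    fdata(data,"\n>>> Unknown IPX ",maxbuf);
}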
