print-smb.c

来自「TCPDUMP的C语言源代码,是在数据链路层的应用」· C语言 代码 · 共 1,511 行 · 第 1/3 页

		data + 4, 0);
	    if (data == NULL)
		break;
	    if (nbt_len >= 4 && caplen >= 4 && memcmp(data,"\377SMB",4) == 0) {
		if ((int)nbt_len > caplen) {
		    if ((int)nbt_len > length)
			printf("WARNING: Packet is continued in later TCP segments\n");
		    else
			printf("WARNING: Short packet. Try increasing the snap length by %d\n",
			    nbt_len - caplen);
		}
		print_smb(data, maxbuf > data + nbt_len ? data + nbt_len : maxbuf);
	    } else
		printf("Session packet:(raw data or continuation?)\n");
	    break;

	case 0x81:
	    data = smb_fdata(data,
		"[P1]NBT Session Request\nFlags=[B]\nLength=[rd]\nDestination=[n1]\nSource=[n1]\n",
		maxbuf, 0);
	    break;

	case 0x82:
	    data = smb_fdata(data, "[P1]NBT Session Granted\nFlags=[B]\nLength=[rd]\n", maxbuf, 0);
	    break;

	case 0x83:
	  {
	    const u_char *origdata;
	    int ecode;

	    origdata = data;
	    data = smb_fdata(data, "[P1]NBT SessionReject\nFlags=[B]\nLength=[rd]\nReason=[B]\n",
		maxbuf, 0);
	    if (data == NULL)
		break;
	    if (nbt_len >= 1 && caplen >= 1) {
		ecode = origdata[4];
		switch (ecode) {
		case 0x80:
		    printf("Not listening on called name\n");
		    break;
		case 0x81:
		    printf("Not listening for calling name\n");
		    break;
		case 0x82:
		    printf("Called name not present\n");
		    break;
		case 0x83:
		    printf("Called name present, but insufficient resources\n");
		    break;
		default:
		    printf("Unspecified error 0x%X\n", ecode);
		    break;
		}
	    }
	  }
	    break;

	case 0x85:
	    data = smb_fdata(data, "[P1]NBT Session Keepalive\nFlags=[B]\nLength=[rd]\n", maxbuf, 0);
	    break;

	default:
	    data = smb_fdata(data, "NBT - Unknown packet type\nType=[B]\n", maxbuf, 0);
	    break;
	}
	printf("\n");
	fflush(stdout);
    }
    return;
trunc:
    printf("[|SMB]");
    return;
}


/*
 * print a NBT packet received across udp on port 137
 */
void
nbt_udp137_print(const u_char *data, int length)
{
    const u_char *maxbuf = data + length;
    int name_trn_id, response, opcode, nm_flags, rcode;
    int qdcount, ancount, nscount, arcount;
    const char *opcodestr;
    const u_char *p;
    int total, i;

    TCHECK2(data[10], 2);
    name_trn_id = EXTRACT_16BITS(data);
    response = (data[2] >> 7);
    opcode = (data[2] >> 3) & 0xF;
    nm_flags = ((data[2] & 0x7) << 4) + (data[3] >> 4);
    rcode = data[3] & 0xF;
    qdcount = EXTRACT_16BITS(data + 4);
    ancount = EXTRACT_16BITS(data + 6);
    nscount = EXTRACT_16BITS(data + 8);
    arcount = EXTRACT_16BITS(data + 10);
    startbuf = data;

    if (maxbuf <= data)
	return;

    if (vflag > 1)
	printf("\n>>> ");

    printf("NBT UDP PACKET(137): ");

    switch (opcode) {
    case 0: opcodestr = "QUERY"; break;
    case 5: opcodestr = "REGISTRATION"; break;
    case 6: opcodestr = "RELEASE"; break;
    case 7: opcodestr = "WACK"; break;
    case 8: opcodestr = "REFRESH(8)"; break;
    case 9: opcodestr = "REFRESH"; break;
    case 15: opcodestr = "MULTIHOMED REGISTRATION"; break;
    default: opcodestr = "OPUNKNOWN"; break;
    }
    printf("%s", opcodestr);
    if (response) {
	if (rcode)
	    printf("; NEGATIVE");
	else
	    printf("; POSITIVE");
    }

    if (response)
	printf("; RESPONSE");
    else
	printf("; REQUEST");

    if (nm_flags & 1)
	printf("; BROADCAST");
    else
	printf("; UNICAST");

    if (vflag < 2)
	return;

    printf("\nTrnID=0x%X\nOpCode=%d\nNmFlags=0x%X\nRcode=%d\nQueryCount=%d\nAnswerCount=%d\nAuthorityCount=%d\nAddressRecCount=%d\n",
	name_trn_id, opcode, nm_flags, rcode, qdcount, ancount, nscount,
	arcount);

    p = data + 12;

    total = ancount + nscount + arcount;

    if (qdcount > 100 || total > 100) {
	printf("Corrupt packet??\n");
	return;
    }

    if (qdcount) {
	printf("QuestionRecords:\n");
	for (i = 0; i < qdcount; i++) {
	    p = smb_fdata(p,
		"|Name=[n1]\nQuestionType=[rw]\nQuestionClass=[rw]\n#",
		maxbuf, 0);
	    if (p == NULL)
		goto out;
	}
    }

    if (total) {
	printf("\nResourceRecords:\n");
	for (i = 0; i < total; i++) {
	    int rdlen;
	    int restype;

	    p = smb_fdata(p, "Name=[n1]\n#", maxbuf, 0);
	    if (p == NULL)
		goto out;
	    restype = EXTRACT_16BITS(p);
	    p = smb_fdata(p, "ResType=[rw]\nResClass=[rw]\nTTL=[rD]\n", p + 8, 0);
	    if (p == NULL)
		goto out;
	    rdlen = EXTRACT_16BITS(p);
	    printf("ResourceLength=%d\nResourceData=\n", rdlen);
	    p += 2;
	    if (rdlen == 6) {
		p = smb_fdata(p, "AddrType=[rw]\nAddress=[b.b.b.b]\n", p + rdlen, 0);
		if (p == NULL)
		    goto out;
	    } else {
		if (restype == 0x21) {
		    int numnames;

		    TCHECK(*p);
		    numnames = p[0];
		    p = smb_fdata(p, "NumNames=[B]\n", p + 1, 0);
		    if (p == NULL)
			goto out;
		    while (numnames--) {
			p = smb_fdata(p, "Name=[n2]\t#", maxbuf, 0);
			if (p == NULL)
			    goto out;
			TCHECK(*p);
			if (p[0] & 0x80)
			    printf("<GROUP> ");
			switch (p[0] & 0x60) {
			case 0x00: printf("B "); break;
			case 0x20: printf("P "); break;
			case 0x40: printf("M "); break;
			case 0x60: printf("_ "); break;
			}
			if (p[0] & 0x10)
			    printf("<DEREGISTERING> ");
			if (p[0] & 0x08)
			    printf("<CONFLICT> ");
			if (p[0] & 0x04)
			    printf("<ACTIVE> ");
			if (p[0] & 0x02)
			    printf("<PERMANENT> ");
			printf("\n");
			p += 2;
		    }
		} else {
		    print_data(p, min(rdlen, length - (p - data)));
		    p += rdlen;
		}
	    }
	}
    }

    if (p < maxbuf)
	smb_fdata(p, "AdditionalData:\n", maxbuf, 0);

out:
    printf("\n");
    fflush(stdout);
    return;
trunc:
    printf("[|SMB]");
    return;
}

/*
 * Print an SMB-over-TCP packet received across tcp on port 445
 */
void
smb_tcp_print (const u_char * data, int length)
{
    int caplen;
    u_int smb_len;
    const u_char *maxbuf;

    if (length < 4)
	goto trunc;
    if (snapend < data)
	goto trunc;
    caplen = snapend - data;
    if (caplen < 4)
	goto trunc;
    maxbuf = data + caplen;
    smb_len = EXTRACT_24BITS(data + 1);
    length -= 4;
    caplen -= 4;

    startbuf = data;
    data += 4;

    if (smb_len >= 4 && caplen >= 4 && memcmp(data,"\377SMB",4) == 0) {
	if ((int)smb_len > caplen) {
	    if ((int)smb_len > length)
		printf("WARNING: Packet is continued in later TCP segments\n");
	    else
		printf("WARNING: Short packet. Try increasing the snap length by %d\n",
		    smb_len - caplen);
	}
	print_smb(data, maxbuf > data + smb_len ? data + smb_len : maxbuf);
    } else
	printf("SMB-over-TCP packet:(raw data or continuation?)\n");
    return;
trunc:
    printf("[|SMB]");
    return;
}

/*
 * print a NBT packet received across udp on port 138
 */
void
nbt_udp138_print(const u_char *data, int length)
{
    const u_char *maxbuf = data + length;

    if (maxbuf > snapend)
	maxbuf = snapend;
    if (maxbuf <= data)
	return;
    startbuf = data;

    if (vflag < 2) {
	printf("NBT UDP PACKET(138)");
	return;
    }

    data = smb_fdata(data,
	"\n>>> NBT UDP PACKET(138) Res=[rw] ID=[rw] IP=[b.b.b.b] Port=[rd] Length=[rd] Res2=[rw]\nSourceName=[n1]\nDestName=[n1]\n#",
	maxbuf, 0);

    if (data != NULL) {
	/* If there isn't enough data for "\377SMB", don't check for it. */
	if (&data[3] >= maxbuf)
	    goto out;

	if (memcmp(data, "\377SMB",4) == 0)
	    print_smb(data, maxbuf);
    }
out:
    printf("\n");
    fflush(stdout);
}


/*
   print netbeui frames
*/
struct nbf_strings {
	const char	*name;
	const char	*nonverbose;
	const char	*verbose;
} nbf_strings[0x20] = {
	{ "Add Group Name Query", ", [P23]Name to add=[n2]#",
	  "[P5]ResponseCorrelator=[w]\n[P16]Name to add=[n2]\n" },
	{ "Add Name Query", ", [P23]Name to add=[n2]#",
	  "[P5]ResponseCorrelator=[w]\n[P16]Name to add=[n2]\n" },
	{ "Name In Conflict", NULL, NULL },
	{ "Status Query", NULL, NULL },
	{ NULL, NULL, NULL },	/* not used */
	{ NULL, NULL, NULL },	/* not used */
	{ NULL, NULL, NULL },	/* not used */
	{ "Terminate Trace", NULL, NULL },
	{ "Datagram", NULL,
	  "[P7]Destination=[n2]\nSource=[n2]\n" },
	{ "Broadcast Datagram", NULL,
	  "[P7]Destination=[n2]\nSource=[n2]\n" },
	{ "Name Query", ", [P7]Name=[n2]#",
	  "[P1]SessionNumber=[B]\nNameType=[B][P2]\nResponseCorrelator=[w]\nName=[n2]\nName of sender=[n2]\n" },
	{ NULL, NULL, NULL },	/* not used */
	{ NULL, NULL, NULL },	/* not used */
	{ "Add Name Response", ", [P1]GroupName=[w] [P4]Destination=[n2] Source=[n2]#",
	  "AddNameInProcess=[B]\nGroupName=[w]\nTransmitCorrelator=[w][P2]\nDestination=[n2]\nSource=[n2]\n" },
	{ "Name Recognized", NULL,
	  "[P1]Data2=[w]\nTransmitCorrelator=[w]\nResponseCorelator=[w]\nDestination=[n2]\nSource=[n2]\n" },
	{ "Status Response", NULL, NULL },
	{ NULL, NULL, NULL },	/* not used */
	{ NULL, NULL, NULL },	/* not used */
	{ NULL, NULL, NULL },	/* not used */
	{ "Terminate Trace", NULL, NULL },
	{ "Data Ack", NULL,
	  "[P3]TransmitCorrelator=[w][P2]\nRemoteSessionNumber=[B]\nLocalSessionNumber=[B]\n" },
	{ "Data First/Middle", NULL,
	  "Flags=[{RECEIVE_CONTINUE|NO_ACK||PIGGYBACK_ACK_INCLUDED|}]\nResyncIndicator=[w][P2]\nResponseCorelator=[w]\nRemoteSessionNumber=[B]\nLocalSessionNumber=[B]\n" },
	{ "Data Only/Last", NULL,
	  "Flags=[{|NO_ACK|PIGGYBACK_ACK_ALLOWED|PIGGYBACK_ACK_INCLUDED|}]\nResyncIndicator=[w][P2]\nResponseCorelator=[w]\nRemoteSessionNumber=[B]\nLocalSessionNumber=[B]\n" },
	{ "Session Confirm", NULL,
	  "Data1=[B]\nData2=[w]\nTransmitCorrelator=[w]\nResponseCorelator=[w]\nRemoteSessionNumber=[B]\nLocalSessionNumber=[B]\n" },
	{ "Session End", NULL,
	  "[P1]Data2=[w][P4]\nRemoteSessionNumber=[B]\nLocalSessionNumber=[B]\n" },
	{ "Session Initialize", NULL,
	  "Data1=[B]\nData2=[w]\nTransmitCorrelator=[w]\nResponseCorelator=[w]\nRemoteSessionNumber=[B]\nLocalSessionNumber=[B]\n" },
	{ "No Receive", NULL,
	  "Flags=[{|SEND_NO_ACK}]\nDataBytesAccepted=[b][P4]\nRemoteSessionNumber=[B]\nLocalSessionNumber=[B]\n" },
	{ "Receive Outstanding", NULL,
	  "[P1]DataBytesAccepted=[b][P4]\nRemoteSessionNumber=[B]\nLocalSessionNumber=[B]\n" },
	{ "Receive Continue", NULL,
	  "[P2]TransmitCorrelator=[w]\n[P2]RemoteSessionNumber=[B]\nLocalSessionNumber=[B]\n" },
	{ NULL, NULL, NULL },	/* not used */
	{ NULL, NULL, NULL },	/* not used */
	{ "Session Alive", NULL, NULL }
};

void
netbeui_print(u_short control, const u_char *data, int length)
{
    const u_char *maxbuf = data + length;
    int len;
    int command;
    const u_char *data2;
    int is_truncated = 0;

    if (maxbuf > snapend)
	maxbuf = snapend;
    TCHECK(data[4]);
    len = EXTRACT_LE_16BITS(data);
    command = data[4];
    data2 = data + len;
    if (data2 >= maxbuf) {
	data2 = maxbuf;
	is_truncated = 1;
    }

    startbuf = data;

    if (vflag < 2) {
	printf("NBF Packet: ");
	data = smb_fdata(data, "[P5]#", maxbuf, 0);
    } else {
	printf("\n>>> NBF Packet\nType=0x%X ", control);
	data = smb_fdata(data, "Length=[d] Signature=[w] Command=[B]\n#", maxbuf, 0);
    }
    if (data == NULL)
	goto out;

    if (command > 0x1f || nbf_strings[command].name == NULL) {
	if (vflag < 2)
	    data = smb_fdata(data, "Unknown NBF Command#", data2, 0);
	else
	    data = smb_fdata(data, "Unknown NBF Command\n", data2, 0);
    } else {
	if (vflag < 2) {
	    printf("%s", nbf_strings[command].name);
	    if (nbf_strings[command].nonverbose != NULL)
		data = smb_fdata(data, nbf_strings[command].nonverbose, data2, 0);
	} else {
	    printf("%s:\n", nbf_strings[command].name);
	    if (nbf_strings[command].verbose != NULL)
		data = smb_fdata(data, nbf_strings[command].verbose, data2, 0);
	    else
		printf("\n");
	}
    }

    if (vflag < 2)
	return;

    if (data == NULL)
	goto out;

    if (is_truncated) {
	/* data2 was past the end of the buffer */
	goto out;
    }

    /* If this isn't a command that would contain an SMB message, quit. */
    if (command != 0x08 && command != 0x09 && command != 0x15 &&
        command != 0x16)
	goto out;

    /* If there isn't enough data for "\377SMB", don't look for it. */
    if (&data2[3] >= maxbuf)
	goto out;

    if (memcmp(data2, "\377SMB",4) == 0)
	print_smb(data2, maxbuf);
    else {
	int i;
	for (i = 0; i < 128; i++) {
	    if (&data2[i + 3] >= maxbuf)
		break;
	    if (memcmp(&data2[i], "\377SMB", 4) == 0) {
		printf("found SMB packet at %d\n", i);
		print_smb(&data2[i], maxbuf);
		break;
	    }
	}
    }

out:
    printf("\n");
    return;
trunc:
    printf("[|SMB]");
    return;
}


/*
 * print IPX-Netbios frames
 */
void
ipx_netbios_print(const u_char *data, u_int length)
{
    /*
     * this is a hack till I work out how to parse the rest of the
     * NetBIOS-over-IPX stuff
     */
    int i;
    const u_char *maxbuf;

    maxbuf = data + length;
    /* Don't go past the end of the captured data in the packet. */
    if (maxbuf > snapend)
	maxbuf = snapend;
    startbuf = data;
    for (i = 0; i < 128; i++) {
	if (&data[i + 4] > maxbuf)
	    break;
	if (memcmp(&data[i], "\377SMB", 4) == 0) {
	    smb_fdata(data, "\n>>> IPX transport ", &data[i], 0);
	    print_smb(&data[i], maxbuf);
	    printf("\n");
	    fflush(stdout);
	    break;
	}
    }
    if (i == 128)
	smb_fdata(data, "\n>>> Unknown IPX ", maxbuf, 0);
}