[Tim Potter <tpot@xxxxxxxxx>]

On Fri, Jan 25, 2002 at 01:47:57PM +1100, Tim Potter wrote:

> Hi everyone.  Here is a small patch to do with NT SID dissection:

Doh - this time I will actually attach it.


Tim.

Index: packet-smb-common.h
===================================================================
RCS file: /cvsroot/ethereal/packet-smb-common.h,v
retrieving revision 1.5
diff -u -r1.5 packet-smb-common.h
--- packet-smb-common.h	2002/01/21 07:36:42	1.5
+++ packet-smb-common.h	2002/01/25 02:30:49
@@ -58,4 +58,6 @@
 
 int display_ms_string(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, int hf_index);
 
+int dissect_nt_sid(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, char *name);
+
 #endif
Index: packet-smb-logon.c
===================================================================
RCS file: /cvsroot/ethereal/packet-smb-logon.c,v
retrieving revision 1.21
diff -u -r1.21 packet-smb-logon.c
--- packet-smb-logon.c	2001/12/10 00:25:34	1.21
+++ packet-smb-logon.c	2002/01/25 02:30:50
@@ -534,23 +534,18 @@
 	offset += 4;
 
 	if (domain_sid_size != 0) {
+
+		/* Align to four byte boundary */
+
+		offset += 4 - (offset % 4);
+
 		/* Domain SID */
-		proto_tree_add_item(tree, hf_domain_sid, tvb, offset,
-		    domain_sid_size, TRUE);
-		offset += domain_sid_size;
 
-		/* XXX - at least one packet appears to put the NT version on
-		   a 4-byte boundary, with padding after the domain SID, at
-		   least according to Network Monitor.
+		offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Domain");
 
-		   However, another frame, with a zero-length domain SID,
-		   doesn't do any padding, and other packets don't appear
-		   to put the NT version of a 4-byte boundary, so maybe
-		   the padding comes *before* the domain SID, and NetMon
-		   is just confused?  (NetMon has been known to misdissect
-		   SMB packets, even though, err, umm, NetMon comes from
-		   the people who are adding all this stuff to SMB....) */
-		offset = ((offset + 3)/4)*4;
+//		proto_tree_add_item(tree, hf_domain_sid, tvb, offset,
+//		    domain_sid_size, TRUE);
+//		offset += domain_sid_size;
 	}
  	
 	/* NT version */
Index: packet-smb.c
===================================================================
RCS file: /cvsroot/ethereal/packet-smb.c,v
retrieving revision 1.197
diff -u -r1.197 packet-smb.c
--- packet-smb.c	2002/01/21 07:36:42	1.197
+++ packet-smb.c	2002/01/25 02:30:53
@@ -6318,7 +6318,7 @@
 	return offset;
 }
 
-static int
+int
 dissect_nt_sid(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, char *name)
 {
 	proto_item *item = NULL;
@@ -6351,26 +6351,33 @@
 	     a new FT_xxx thingie? SMB is quite common!*/
 	  /* identifier authorities */
 	  strp=str;
-	  *strp=0;
+	  strcpy(strp, "S-1-");
+
+	  proto_tree_add_text(tree, tvb, offset, 6, "Authorities");
+
 	  for(i=0;i<6;i++){
-	    sprintf(strp,"%s%d-",strp,tvb_get_guint8(tvb, offset));
-	    offset++;
+		  guint8 auth = tvb_get_guint8(tvb, offset);
+
+		  if (auth > 0)
+			  sprintf(strp,"%s%d-",strp, auth);
+		  offset++;
 	  }
+
+	  proto_tree_add_text(tree, tvb, offset, num_auth * 4, "Sub-authorities");
+
 	  /* sub authorities */
 	  for(i=0;i<num_auth;i++){
 	    /* XXX should not be letohl but native byteorder according to
 	       samba header files. considering that all non-x86 NT ports
 	       are dead we can (?) assume that non le byte encodings
 	       will be "uncommon"?*/
-	    sprintf(strp,"%s%d-",strp,tvb_get_letohl(tvb, offset));
-	    offset+=4;
+		  sprintf(strp,"%s%d-",strp, tvb_get_letohl(tvb, offset));
+		  offset+=4;
 	  }
 	  /* strip trailing '-'*/
 	  str[strlen(str)-1]=0;
 
-	  proto_tree_add_text(tree, tvb, offset-6-num_auth*4, 6+num_auth*4, "SID: %s", str);
-	  proto_item_append_text(item, ": %s", str);
-  
+	  proto_item_append_text(item, ": %s", str);  
 	}
 
 	proto_item_set_len(item, offset-old_offset);