Ethereal-dev: Re: [Ethereal-dev] A question in for NBSS dissector

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 15 Apr 2003 00:50:08 -0700
On Tue, Apr 15, 2003 at 12:12:08AM -0700, Huagang Xie wrote:
> in packet-nbns.c
> 
> 
>         if (pinfo->match_port == TCP_PORT_CIFS) {
>                 /*
>                  * Windows 2000 CIFS clients can dispense completely
>                  * with the NETBIOS encapsulation and directly use CIFS
>                  * over TCP. As would be expected, the framing is
>                  * identical, except that the length is 24 bits instead
>                  * of 17. The only message types used are
>                  * SESSION_MESSAGE and SESSION_KEEP_ALIVE.
>                  */
>                 is_cifs = TRUE;
>         } else {
>                 is_cifs = FALSE;
>         }
> 

> The TCP_PORT_CIFS here is 445, but even if on port 445, the SMB/CIFS
> is still over NETBIOS-SS.

That depends on whether port 445 is the client or server port.

If it's the server port, that's *NOT* NetBIOS Session Service, that's
CIFS running directly over TCP.  See Appendix B of the CIFS Technical
Reference:

	http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf

which says

	10. Appendix B -- TCP transport

	     When operating CIFS over TCP, connections are established
	     to TCP port 445, and each message is framed as follows:

	                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
	 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|      ZERO     |                    LENGTH                     |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                                                               |
	/               SMB (Packet Type Dependent)                     /
	|                                                               |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

	     Each CIFS request starts with a 4 byte field encoded as
	     above: a byte of zero, followed by three bytes of length;
	     after that follows the body of the request. 

> Since this affect the "netbios-length" checking later,

...which is exactly what it's supposed to do.

> 
>               /*
>                  * We have enough data for an NBSS header.
>                  * Get the flags and length of the message,
>                  * and see if they're sane.
>                  */
>                 if (is_cifs) {
>                         flags = 0;
>                         length = tvb_get_ntoh24(tvb, offset + 1);

That fetches the 24-bit length field from the header described above,
which is what's correct if the traffic is CIFS-over-TCP.

>                 } else {
>                         flags = tvb_get_guint8(tvb, offset + 1);
>                         length = tvb_get_ntohs(tvb, offset + 2);
>                         if (flags & NBSS_FLAGS_E)
>                                 length += 65536;

That fetches the flags and length fields from the header in RFC 1002:

   All session packets are of the following general structure:

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      TYPE     |     FLAGS     |            LENGTH             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   /               TRAILER (Packet Type Dependent)                 /
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

> I will suggest to remove this (is_cifs) checking,

Removing that checking would make Ethereal incorrectly dissect some
traffic.

There are some captures where SMB/CIFS is running atop the NetBIOS
Session Service, and there are other captures where SMB/CIFS is running
atop TCP with the Appendix B encapsulation.  Therefore, Ethereal needs
code to support both of them, so there needs to be an "is_cifs" Boolean
that's checked.

The only problem is if you have the client using port 139 or 445 when
the server is using the opposite port number; in that case, as 139 <
445, the TCP dissector will first try to match 139 and then, if that
doesn't match anything, it'll match 445.  139 will match NetBIOS Session
Service, so if you have a client using port 139 to talk to a
CIFS-over-TCP server on port 445, the traffic will be dissected as
NetBIOS-over-TCP, not CIFS-over-TCP.

Attachment: pgpz9SzPgseC2.pgp
Description: PGP signature