Ethereal-dev: Re: [Ethereal-dev] A question in for NBSS dissector
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 15 Apr 2003 00:50:08 -0700
On Tue, Apr 15, 2003 at 12:12:08AM -0700, Huagang Xie wrote:
> in packet-nbns.c
>
>
>         if (pinfo->match_port == TCP_PORT_CIFS) {
>                 /*
>                  * Windows 2000 CIFS clients can dispense completely
>                  * with the NETBIOS encapsulation and directly use CIFS
>                  * over TCP. As would be expected, the framing is
>                  * identical, except that the length is 24 bits instead
>                  * of 17. The only message types used are
>                  * SESSION_MESSAGE and SESSION_KEEP_ALIVE.
>                  */
>                 is_cifs = TRUE;
>         } else {
>                 is_cifs = FALSE;
>         }
>
> The TCP_PORT_CIFS here is 445, but even if on port 445, the SMB/CIFS
> is still over NETBIOS-SS.

That depends on whether port 445 is the client or server port. If it's
the server port, that's *NOT* NetBIOS Session Service, that's CIFS
running directly over TCP. See Appendix B of the CIFS Technical
Reference:

   http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf

which says

   10. Appendix B -- TCP transport

   When operating CIFS over TCP, connections are established to TCP
   port 445, and each message is framed as follows:

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      ZERO     |                    LENGTH                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   /               SMB (Packet Type Dependent)                     /
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Each CIFS request starts with a 4 byte field encoded as above: a
   byte of zero, followed by three bytes of length; after that follows
   the body of the request.

> Since this affects the "netbios-length" checking later,

...which is exactly what it's supposed to do.

>
>         /*
>          * We have enough data for an NBSS header.
>          * Get the flags and length of the message,
>          * and see if they're sane.
>          */
>         if (is_cifs) {
>                 flags = 0;
>                 length = tvb_get_ntoh24(tvb, offset + 1);

That fetches the 24-bit length field from the header described above,
which is what's correct if the traffic is CIFS-over-TCP.

>         } else {
>                 flags = tvb_get_guint8(tvb, offset + 1);
>                 length = tvb_get_ntohs(tvb, offset + 2);
>                 if (flags & NBSS_FLAGS_E)
>                         length += 65536;

That fetches the flags and length fields from the header in RFC 1002:

   All session packets are of the following general structure:

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      TYPE     |     FLAGS     |            LENGTH             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   /               TRAILER (Packet Type Dependent)                 /
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

> I will suggest to remove this (is_cifs) checking,

Removing that checking would make Ethereal incorrectly dissect some
traffic.

There are some captures where SMB/CIFS is running atop the NetBIOS
Session Service, and there are other captures where SMB/CIFS is running
atop TCP with the Appendix B encapsulation.

Therefore, Ethereal needs code to support both of them, so there needs
to be an "is_cifs" Boolean that's checked.

The only problem is if you have the client using port 139 or 445 when
the server is using the opposite port number; in that case, as 139 <
445, the TCP dissector will first try to match 139 and then, if that
doesn't match anything, it'll match 445. 139 will match NetBIOS Session
Service, so if you have a client using port 139 to talk to a
CIFS-over-TCP server on port 445, the traffic will be dissected as
NetBIOS-over-TCP, not CIFS-over-TCP.
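An added example, not code from Ethereal or from either poster: a minimal parser for the two 4-byte headers quoted in the message above, showing that a lower-port-first lookup picks NBSS framing for a 139-to-445 connection and then rejects a header that is valid CIFS-over-TCP. The helper names, the reserved-bits sanity rule and the sample bytes are assumptions of this example; passing the server port to framing_by_port assumes the caller knows which endpoint is the server.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCP_PORT_NBSS 139
#define TCP_PORT_CIFS 445
#define NBSS_FLAGS_E  0x01  /* RFC 1002 length-extension bit */

enum framing { FRAMING_UNKNOWN, FRAMING_NBSS, FRAMING_CIFS_TCP };
struct session_hdr { uint8_t type, flags; uint32_t length; };

/* Framing implied by a single port number (hypothetical helper). */
enum framing framing_by_port(uint16_t port) {
    if (port == TCP_PORT_NBSS) return FRAMING_NBSS;
    if (port == TCP_PORT_CIFS) return FRAMING_CIFS_TCP;
    return FRAMING_UNKNOWN;
}

/* Lookup order described in the mail: lower port first, then the higher one. */
enum framing framing_by_lowest_port(uint16_t a, uint16_t b) {
    enum framing f = framing_by_port(a < b ? a : b);
    return f != FRAMING_UNKNOWN ? f : framing_by_port(a < b ? b : a);
}

/* Parse the 4-byte header. Returns 0, or -1 if truncated or not sane. */
int parse_session_hdr(const uint8_t *buf, size_t len, enum framing f,
                      struct session_hdr *out) {
    if (!buf || !out || len < 4 || f == FRAMING_UNKNOWN) return -1;
    out->type = buf[0];
    if (f == FRAMING_CIFS_TCP) {          /* Appendix B: 24-bit length */
        out->flags = 0;
        out->length = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    } else {                              /* RFC 1002: flags + 16-bit length */
        out->flags = buf[1];
        if (out->flags & ~NBSS_FLAGS_E) return -1;  /* assumed rule: reserved bits are 0 */
        out->length = ((uint32_t)buf[2] << 8) | buf[3];
        if (out->flags & NBSS_FLAGS_E) out->length += 65536;
    }
    return 0;
}

/* Constructed sample: header of a 131088-byte CIFS-over-TCP message. */
static const uint8_t sample_hdr[4] = { 0x00, 0x02, 0x00, 0x10 };

int main(void) {
    struct session_hdr h;
    int by_low = parse_session_hdr(sample_hdr, 4, framing_by_lowest_port(139, 445), &h);
    int by_srv = parse_session_hdr(sample_hdr, 4, framing_by_port(445), &h);
    printf("lowest-port: %d, server-port: %d (length %u)\n", by_low, by_srv, (unsigned)h.length);
    return 0;
}
```

Headers whose length is below 131072 parse to the same value under both framings, so a wrong framing choice only shows up on larger messages.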