Ethereal-dev: [Ethereal-dev] Incorrect parsing of: SMB -> Trans2 -> Query File Information (Qu

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Dave Aitel <dave@xxxxxxxxxxxxxxx>
Date: Wed, 27 Oct 2004 08:26:40 -0400
Quck note, latest stable Ethereal does not properly dissect SMB -> Trans2 -> Query File Information (Query All Information) requests. You can generate these requests with Samba by simply downloading a file. In particular, once it reaches the Allocation Size it appears to have the wrong values from then onwards. I can provide a capture file. 

Test platforms:
ethereal-0.10.7
FC2 default samba client
Windows 2000 target (connect to C$ and get a file)
I'm not completely sure of the solution, but following is a guess/kludge of the proper dissection (from CANVAS) 

def parse_qfi(data):
   ret={}
   ret["EA Error Offset"]=istr2halfword(data[:2])
   #padding eats 2 bytes
   ret["Created"]=data[4:12]
   ret["Last Access"]=data[12:20]
   ret["Last Write"]=data[20:28]
   ret["Change"]=data[28:36]
   ret["File Attributes"]=istr2int(data[36:42])
for a in attributes_dict.keys(): 
       if a & ret["File Attributes"]:
           ret["Attributes"]+=attributes_dict[a]
   #4 bytes of 0's (not understood)
   ret["Allocation Size"]=istr2int(data[46:50]) #not correct in ethereal...
   #4 bytes of 0's (not understood)
   ret["End of File"]=istr2int(data[58:62])

If this is already known, my apologies for the spam.

Thanks,
Dave Aitel
Immunity, Inc.