From 95569ce784a1f025ddb542b9be8c3a8f1a79894b Mon Sep 17 00:00:00 2001
From: Jeff Layton
Date: Mar 16 2010 14:50:34 +0000
Subject: Add patches for NFSv4.0 callback channel decode and decoders for more SMB FIND_FILE infolevels
---
diff --git a/wireshark-1.2.6-nfs40-backchnl-decode.patch b/wireshark-1.2.6-nfs40-backchnl-decode.patch
new file mode 100644
index 0000000..ceaab38
--- /dev/null
+++ b/wireshark-1.2.6-nfs40-backchnl-decode.patch
@@ -0,0 +1,155 @@ +From 531ee0b54e7406992f9eefc60fbbbd4534116f99 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Tue, 9 Mar 2010 12:25:50 -0500 +Subject: [PATCH] Dynamically register callback dissector based on the NFSv4.0 SETCLIENTID + args (the equivalent of what had already been done for NFSv4.1 + CREATE_SESSION). + +Fix CB_LAYOUTRECALL dissecting: the recall type wasn't getting parsed, +so some of the layout recall info wasn't being displayed. + +Parse CB_SEQUENCE's referring call lists. +--- + epan/dissectors/packet-nfs.c | 68 +++++++++++++++++++++++++++++++++++------ + 1 files changed, 58 insertions(+), 10 deletions(-) + +diff --git a/epan/dissectors/packet-nfs.c b/epan/dissectors/packet-nfs.c +index 82ebfe4..fa475b7 100644 +--- a/epan/dissectors/packet-nfs.c ++++ b/epan/dissectors/packet-nfs.c +@@ -7723,7 +7723,10 @@ dissect_nfs_cb_client4(tvbuff_t *tvb, int offset, proto_tree *tree) + { + proto_tree *cb_location = NULL; + proto_item *fitem = NULL; ++ int cbprog; + ++ cbprog = tvb_get_ntohl(tvb, offset); ++ reg_callback(cbprog); + offset = dissect_rpc_uint32(tvb, tree, hf_nfs_cb_program, offset); + fitem = proto_tree_add_text(tree, tvb, offset, 0, "cb_location"); + +@@ -9646,6 +9649,8 @@ static gint ett_nfs_cb_wantscancelled = -1; + static gint ett_nfs_cb_notifylock = -1; + static gint ett_nfs_cb_notifydeviceid = -1; + static gint ett_nfs_cb_notify = -1; ++static gint ett_nfs_cb_reflists = -1; ++static gint ett_nfs_cb_refcalls = -1; + static gint ett_nfs_cb_illegal = -1; + + static const value_string names_nfs_cb_operation[] = { +@@ -9683,16 +9688,56 @@ gint *nfs_cb_operation_ett[] = + }; + + static int ++dissect_nfs_cb_referring_calls(tvbuff_t *tvb, int offset, proto_tree *tree) ++{ ++ guint num_reflists, num_refcalls, i, j; ++ proto_item *rl_item, *rc_item; ++ proto_tree *rl_tree = NULL, *rc_tree = NULL; ++ ++ num_reflists = tvb_get_ntohl(tvb, offset); ++ rl_item = proto_tree_add_text(tree, tvb, offset, 4, ++ "referring call lists (count: %u)", 
num_reflists); ++ offset += 4; ++ if (num_reflists == 0) ++ return offset; ++ ++ rl_tree = proto_item_add_subtree(rl_item, ett_nfs_cb_reflists); ++ ++ for (i = 0; i < num_reflists; i++) { ++ offset = dissect_rpc_opaque_data(tvb, offset, rl_tree, NULL, ++ hf_nfs_sessionid4, TRUE, 16, FALSE, NULL, NULL); ++ num_refcalls = tvb_get_ntohl(tvb, offset); ++ rc_item = proto_tree_add_text(rl_tree, tvb, offset, 4, ++ "referring calls (count: %u)", num_refcalls); ++ offset += 4; ++ for (j = 0; j < num_refcalls; j++) { ++ rc_tree = proto_item_add_subtree(rc_item, ett_nfs_cb_refcalls); ++ offset = dissect_rpc_uint32(tvb, rc_tree, hf_nfs_seqid4, offset); ++ offset = dissect_rpc_uint32(tvb, rc_tree, hf_nfs_slotid4, offset); ++ } ++ } ++ ++ return offset; ++} ++ ++static int + dissect_nfs_cb_layoutrecall(tvbuff_t *tvb, int offset, proto_tree *tree, packet_info *pinfo) + { +- guint recalltype = hf_nfs_layouttype4; ++ guint recall_type; + +- if (recalltype == 1) { /* RETURN_FILE */ ++ offset = dissect_rpc_uint32(tvb, tree, hf_nfs_layouttype4, offset); ++ offset = dissect_rpc_uint32(tvb, tree, hf_nfs_iomode4, offset); ++ offset = dissect_rpc_bool(tvb, tree, hf_nfs_cb_clorachanged, offset); ++ ++ recall_type = tvb_get_ntohl(tvb, offset); ++ offset = dissect_rpc_uint32(tvb, tree, hf_nfs_cb_layoutrecall_type, offset); ++ ++ if (recall_type == 1) { /* RECALL_FILE */ + offset = dissect_nfs_fh4(tvb, offset, pinfo, tree, "filehandle"); + offset = dissect_rpc_uint64(tvb, tree, hf_nfs_offset4, offset); + offset = dissect_rpc_uint64(tvb, tree, hf_nfs_length4, offset); + offset = dissect_nfs_stateid4(tvb, offset, tree); +- } else if (recalltype == 2) { /* RETURN_FSID */ ++ } else if (recall_type == 2) { /* RECALL_FSID */ + offset = dissect_nfs_fsid4(tvb, offset, tree, "fsid"); + } + +@@ -9748,9 +9793,6 @@ dissect_nfs_cb_argop(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree * + break; + case NFS4_OP_CB_GETATTR: + case NFS4_OP_CB_LAYOUTRECALL: +- offset = dissect_rpc_uint32(tvb, 
newftree, hf_nfs_layouttype4, offset); +- offset = dissect_rpc_uint32(tvb, newftree, hf_nfs_iomode4, offset); +- offset = dissect_rpc_bool(tvb, newftree, hf_nfs_cb_clorachanged, offset); + offset = dissect_nfs_cb_layoutrecall(tvb, offset, newftree, pinfo); + break; + case NFS4_OP_CB_NOTIFY: +@@ -9766,8 +9808,7 @@ dissect_nfs_cb_argop(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree * + offset = dissect_rpc_uint32(tvb, newftree, hf_nfs_slotid4, offset); + offset = dissect_rpc_uint32(tvb, newftree, hf_nfs_slotid4, offset); + offset = dissect_rpc_bool(tvb, newftree, hf_nfs_cachethis4, offset); +- /* skip refs -- assume 0 */ +- offset = offset + 4; ++ offset = dissect_nfs_cb_referring_calls(tvb, offset, newftree); + break; + case NFS4_OP_CB_WANTS_CANCELLED: + case NFS4_OP_CB_NOTIFY_LOCK: +@@ -9920,8 +9961,13 @@ void reg_callback(int cbprog) + /* Register the protocol as RPC */ + rpc_init_prog(proto_nfs, cbprog, ett_nfs); + +- /* Register the procedure tables */ ++ /* ++ * Register the procedure tables. The version should be 4, ++ * but some Linux kernels set this field to 1. "Temporarily", ++ * accomodate these servers. ++ */ + rpc_init_proc_table(cbprog, 1, nfs_cb_proc, hf_nfs_cb_procedure); ++ rpc_init_proc_table(cbprog, 4, nfs_cb_proc, hf_nfs_cb_procedure); + } + + void +@@ -11274,7 +11320,7 @@ proto_register_nfs(void) + "CREATE_SESSION flags", "nfs.create_session_flags", FT_UINT32, BASE_HEX, + NULL, 0, NULL, HFILL }}, + { &hf_nfs_cachethis4, { +- "Cache this?", "nfs.cachethis4", FT_BOOLEAN, BASE_NONE, ++ "cache this?", "nfs.cachethis4", FT_BOOLEAN, BASE_NONE, + TFS(&tfs_yes_no), 0, NULL, HFILL }}, + + { &hf_nfs_cb_procedure, { +@@ -11479,6 +11525,8 @@ proto_register_nfs(void) + &ett_nfs_cb_notifylock, + &ett_nfs_cb_notifydeviceid, + &ett_nfs_cb_notify, ++ &ett_nfs_cb_reflists, ++ &ett_nfs_cb_refcalls, + &ett_nfs_cb_illegal, + }; + module_t *nfs_module; +-- +1.6.6.1 + 
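Review bot: In the added `dissect_nfs_cb_referring_calls`, `num_reflists` and `num_refcalls` are 32-bit counts read from the packet and used directly as loop bounds, and the inner loop advances `offset` by 8 per pass through `dissect_rpc_uint32` alone. If that helper does not touch the buffer when the tree is NULL (worth confirming for this Wireshark version), a malformed CB_SEQUENCE can keep the dissector looping far past the end of the data; adding `tvb_ensure_bytes_exist(tvb, offset, 8);` as the first statement of the inner loop body bounds every pass regardless of the tree. `rc_tree = proto_item_add_subtree(rc_item, ett_nfs_cb_refcalls);` can also move above the inner `for`, since it does not depend on `j`. Separately, `dissect_nfs_cb_client4` now calls `reg_callback(cbprog)` with a program number taken straight from SETCLIENTID on every dissection pass, so capture contents decide which RPC program numbers get (re)registered; consider skipping the call once the program is known and refusing numbers that already belong to another dissector.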
diff --git a/wireshark-1.2.6-smb-find-full-dir-info.patch b/wireshark-1.2.6-smb-find-full-dir-info.patch
new file mode 100644
index 0000000..4099179
--- /dev/null
+++ b/wireshark-1.2.6-smb-find-full-dir-info.patch
@@ -0,0 +1,308 @@ +From 2856caa1cf3307208864af4c59da8ecb07bc3153 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Mon, 8 Mar 2010 19:43:07 -0500 +Subject: [PATCH] packet-smb: add more FIND_FILE dissectors + +--- + epan/dissectors/packet-smb.c | 271 ++++++++++++++++++++++++++++++++++++++++++ + 1 files changed, 271 insertions(+), 0 deletions(-) + +diff --git a/epan/dissectors/packet-smb.c b/epan/dissectors/packet-smb.c +index 727b290..c9a90b9 100644 +--- a/epan/dissectors/packet-smb.c ++++ b/epan/dissectors/packet-smb.c +@@ -10051,6 +10051,8 @@ static const value_string ff2_il_vals[] = { + { 0x0102, "Find File Full Directory Info"}, + { 0x0103, "Find File Names Info"}, + { 0x0104, "Find File Both Directory Info"}, ++ { 0x0105, "Find File Full Directory Info"}, ++ { 0x0106, "Find File Id Both Directory Info"}, + { 0x0202, "Find File UNIX"}, + {0, NULL} + }; +@@ -13900,6 +13902,267 @@ dissect_4_3_4_6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, + } + + static int ++dissect_4_3_4_6full(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, ++ int offset, guint16 *bcp, gboolean *trunc) ++{ ++ int fn_len; ++ const char *fn; ++ int old_offset = offset; ++ proto_item *item = NULL; ++ proto_tree *tree = NULL; ++ smb_info_t *si; ++ guint32 neo; ++ int padcnt; ++ ++ si = (smb_info_t *)pinfo->private_data; ++ DISSECTOR_ASSERT(si); ++ ++ if(parent_tree){ ++ tvb_ensure_bytes_exist(tvb, offset, *bcp); ++ item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s", ++ val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)")); ++ tree = proto_item_add_subtree(item, ett_smb_ff2_data); ++ } ++ ++ /* ++ * XXX - I have not seen any of these that contain a resume ++ * key, even though some of the requests had the "return resume ++ * key" flag set. 
++ */ ++ ++ /* next entry offset */ ++ CHECK_BYTE_COUNT_SUBR(4); ++ neo = tvb_get_letohl(tvb, offset); ++ proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo); ++ COUNT_BYTES_SUBR(4); ++ ++ /* file index */ ++ CHECK_BYTE_COUNT_SUBR(4); ++ proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE); ++ COUNT_BYTES_SUBR(4); ++ ++ /* dissect standard 8-byte timestamps */ ++ offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc); ++ if (*trunc) { ++ return offset; ++ } ++ ++ /* end of file */ ++ CHECK_BYTE_COUNT_SUBR(8); ++ proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE); ++ COUNT_BYTES_SUBR(8); ++ ++ /* allocation size */ ++ CHECK_BYTE_COUNT_SUBR(8); ++ proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE); ++ COUNT_BYTES_SUBR(8); ++ ++ /* Extended File Attributes */ ++ CHECK_BYTE_COUNT_SUBR(4); ++ offset = dissect_file_ext_attr(tvb, tree, offset); ++ *bcp -= 4; ++ ++ /* file name len */ ++ CHECK_BYTE_COUNT_SUBR(4); ++ fn_len = tvb_get_letohl(tvb, offset); ++ proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len); ++ COUNT_BYTES_SUBR(4); ++ ++ /* ++ * EA length. ++ * ++ * XXX - in one captures, this has the topmost bit set, and the ++ * rest of the bits have the value 7. Is the topmost bit being ++ * set some indication that the value *isn't* the length of ++ * the EAs? 
++ */ ++ CHECK_BYTE_COUNT_SUBR(4); ++ proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE); ++ COUNT_BYTES_SUBR(4); ++ ++ /* skip 4 bytes */ ++ COUNT_BYTES_SUBR(4); ++ ++ CHECK_BYTE_COUNT_SUBR(8); ++ proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE); ++ COUNT_BYTES_SUBR(8); ++ ++ /* file name */ ++ fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp); ++ CHECK_STRING_SUBR(fn); ++ proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len, ++ fn); ++ COUNT_BYTES_SUBR(fn_len); ++ ++ if (check_col(pinfo->cinfo, COL_INFO)) { ++ col_append_fstr(pinfo->cinfo, COL_INFO, " %s", ++ format_text(fn, strlen(fn))); ++ } ++ ++ /* skip to next structure */ ++ if(neo){ ++ padcnt = (old_offset + neo) - offset; ++ if (padcnt < 0) { ++ /* ++ * XXX - this is bogus; flag it? ++ */ ++ padcnt = 0; ++ } ++ if (padcnt != 0) { ++ CHECK_BYTE_COUNT_SUBR(padcnt); ++ COUNT_BYTES_SUBR(padcnt); ++ } ++ } ++ ++ proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn))); ++ proto_item_set_len(item, offset-old_offset); ++ ++ *trunc = FALSE; ++ return offset; ++} ++ ++static int ++dissect_4_3_4_6_id_both(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, ++ int offset, guint16 *bcp, gboolean *trunc) ++{ ++ int fn_len, sfn_len; ++ const char *fn, *sfn; ++ int old_offset = offset; ++ proto_item *item = NULL; ++ proto_tree *tree = NULL; ++ smb_info_t *si; ++ guint32 neo; ++ int padcnt; ++ ++ si = (smb_info_t *)pinfo->private_data; ++ DISSECTOR_ASSERT(si); ++ ++ if(parent_tree){ ++ tvb_ensure_bytes_exist(tvb, offset, *bcp); ++ item = proto_tree_add_text(parent_tree, tvb, offset, *bcp, "%s", ++ val_to_str(si->info_level, ff2_il_vals, "Unknown (0x%02x)")); ++ tree = proto_item_add_subtree(item, ett_smb_ff2_data); ++ } ++ ++ /* ++ * XXX - I have not seen any of these that contain a resume ++ * key, even though some of the requests had the "return resume ++ * key" flag set. 
++ */ ++ ++ /* next entry offset */ ++ CHECK_BYTE_COUNT_SUBR(4); ++ neo = tvb_get_letohl(tvb, offset); ++ proto_tree_add_uint(tree, hf_smb_next_entry_offset, tvb, offset, 4, neo); ++ COUNT_BYTES_SUBR(4); ++ ++ /* file index */ ++ CHECK_BYTE_COUNT_SUBR(4); ++ proto_tree_add_item(tree, hf_smb_file_index, tvb, offset, 4, TRUE); ++ COUNT_BYTES_SUBR(4); ++ ++ /* dissect standard 8-byte timestamps */ ++ offset = dissect_smb_standard_8byte_timestamps(tvb, pinfo, tree, offset, bcp, trunc); ++ if (*trunc) { ++ return offset; ++ } ++ ++ /* end of file */ ++ CHECK_BYTE_COUNT_SUBR(8); ++ proto_tree_add_item(tree, hf_smb_end_of_file, tvb, offset, 8, TRUE); ++ COUNT_BYTES_SUBR(8); ++ ++ /* allocation size */ ++ CHECK_BYTE_COUNT_SUBR(8); ++ proto_tree_add_item(tree, hf_smb_alloc_size64, tvb, offset, 8, TRUE); ++ COUNT_BYTES_SUBR(8); ++ ++ /* Extended File Attributes */ ++ CHECK_BYTE_COUNT_SUBR(4); ++ offset = dissect_file_ext_attr(tvb, tree, offset); ++ *bcp -= 4; ++ ++ /* file name len */ ++ CHECK_BYTE_COUNT_SUBR(4); ++ fn_len = tvb_get_letohl(tvb, offset); ++ proto_tree_add_uint(tree, hf_smb_file_name_len, tvb, offset, 4, fn_len); ++ COUNT_BYTES_SUBR(4); ++ ++ /* ++ * EA length. ++ * ++ * XXX - in one captures, this has the topmost bit set, and the ++ * rest of the bits have the value 7. Is the topmost bit being ++ * set some indication that the value *isn't* the length of ++ * the EAs? 
++ */ ++ CHECK_BYTE_COUNT_SUBR(4); ++ proto_tree_add_item(tree, hf_smb_ea_list_length, tvb, offset, 4, TRUE); ++ COUNT_BYTES_SUBR(4); ++ ++ /* short file name len */ ++ CHECK_BYTE_COUNT_SUBR(1); ++ sfn_len = tvb_get_guint8(tvb, offset); ++ proto_tree_add_uint(tree, hf_smb_short_file_name_len, tvb, offset, 1, sfn_len); ++ COUNT_BYTES_SUBR(1); ++ ++ /* reserved byte */ ++ CHECK_BYTE_COUNT_SUBR(1); ++ proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, TRUE); ++ COUNT_BYTES_SUBR(1); ++ ++ /* short file name - it's not always in Unicode */ ++ sfn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &sfn_len, FALSE, TRUE, bcp); ++ CHECK_STRING_SUBR(sfn); ++ proto_tree_add_string(tree, hf_smb_short_file_name, tvb, offset, 24, ++ sfn); ++ COUNT_BYTES_SUBR(24); ++ ++ /* reserved bytes */ ++ CHECK_BYTE_COUNT_SUBR(2); ++ proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 2, TRUE); ++ COUNT_BYTES_SUBR(2); ++ ++ /* file id */ ++ CHECK_BYTE_COUNT_SUBR(8); ++ proto_tree_add_item(tree, hf_smb_index_number, tvb, offset, 8, TRUE); ++ COUNT_BYTES_SUBR(8); ++ ++ /* file name */ ++ fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp); ++ CHECK_STRING_SUBR(fn); ++ proto_tree_add_string(tree, hf_smb_file_name, tvb, offset, fn_len, ++ fn); ++ COUNT_BYTES_SUBR(fn_len); ++ ++ if (check_col(pinfo->cinfo, COL_INFO)) { ++ col_append_fstr(pinfo->cinfo, COL_INFO, " %s", ++ format_text(fn, strlen(fn))); ++ } ++ ++ /* skip to next structure */ ++ if(neo){ ++ padcnt = (old_offset + neo) - offset; ++ if (padcnt < 0) { ++ /* ++ * XXX - this is bogus; flag it? 
++ */ ++ padcnt = 0; ++ } ++ if (padcnt != 0) { ++ CHECK_BYTE_COUNT_SUBR(padcnt); ++ COUNT_BYTES_SUBR(padcnt); ++ } ++ } ++ ++ proto_item_append_text(item, " File: %s", format_text(fn, strlen(fn))); ++ proto_item_set_len(item, offset-old_offset); ++ ++ *trunc = FALSE; ++ return offset; ++} ++ ++static int + dissect_4_3_4_7(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, + int offset, guint16 *bcp, gboolean *trunc) + { +@@ -14129,6 +14392,14 @@ dissect_ff2_response_data(tvbuff_t * tvb, packet_info * pinfo, + offset = dissect_4_3_4_6(tvb, pinfo, tree, offset, bcp, + trunc); + break; ++ case 0x0105: /*Find File Full Directory Info*/ ++ offset = dissect_4_3_4_6full(tvb, pinfo, tree, offset, bcp, ++ trunc); ++ break; ++ case 0x0106: /*Find File Id Both Directory Info*/ ++ offset = dissect_4_3_4_6_id_both(tvb, pinfo, tree, offset, bcp, ++ trunc); ++ break; + case 0x0202: /*Find File UNIX*/ + offset = dissect_4_3_4_8(tvb, pinfo, tree, offset, bcp, + trunc); +-- +1.6.6.1 + diff --git a/wireshark.spec b/wireshark.spec index bbc186b..c68763b 100644 --- a/wireshark.spec +++ b/wireshark.spec @@ -15,7 +15,7 @@ Version: 1.2.6 %if %{svn_version} Release: 0.%{svn_version}%{?dist} %else -Release: 1%{?dist} +Release: 2%{?dist} %endif License: GPL+ Group: Applications/Internet @@ -36,6 +36,8 @@ Patch4: wireshark-1.1.2-nfs41-backchnl-decode.patch Patch5: wireshark-1.2.4-filter_null.patch Patch6: wireshark-1.2.4-enable_lua.patch Patch7: wireshark-1.2.4-disable_warning_dialog.patch +Patch8: wireshark-1.2.6-nfs40-backchnl-decode.patch +Patch9: wireshark-1.2.6-smb-find-full-dir-info.patch Url: http://www.wireshark.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -120,6 +122,8 @@ and plugins. %endif %patch7 -p1 -b .dialog +%patch8 -p1 +%patch9 -p1 %build %ifarch s390 s390x sparcv9 sparc64 
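Review bot: Two `COUNT_BYTES_SUBR` calls in the new dissectors are not preceded by the `CHECK_BYTE_COUNT_SUBR` that guards every other field: the `/* skip 4 bytes */` step in `dissect_4_3_4_6full` and the 24-byte short file name in `dissect_4_3_4_6_id_both`. `*bcp` is a `guint16`, so on a truncated or malformed response the subtraction presumably wraps (the macro bodies are outside this patch) and the later byte-count checks stop being meaningful; add `CHECK_BYTE_COUNT_SUBR(4);` and `CHECK_BYTE_COUNT_SUBR(24);` before them. In both functions `fn_len` is an `int` filled from `tvb_get_letohl`, so a length with the top bit set turns negative before it reaches `get_unicode_or_ascii_string`; a range check against `*bcp` right after the read would make the handling explicit. The new `ff2_il_vals` entry for 0x0105 repeats the 0x0102 label; this level is the Id Full Directory Info variant, so `"Find File Id Full Directory Info"` would keep the two distinguishable in the tree.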
@@ -319,6 +323,10 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/idl2wrs %changelog +* Tue Mar 16 2010 Jeff Layton - 1.2.6-2 +- add patch to allow decode of NFSv4.0 callback channel +- add patch to allow decode of more SMB FIND_FILE infolevels + * Fri Jan 29 2010 Radek Vokal - 1.2.6-1 - upgrade to 1.2.6 - see http://www.wireshark.org/docs/relnotes/wireshark-1.2.6.html