10Sstevel@tonic-gate /*
20Sstevel@tonic-gate * CDDL HEADER START
30Sstevel@tonic-gate *
40Sstevel@tonic-gate * The contents of this file are subject to the terms of the
5*7280Sblu * Common Development and Distribution License (the "License").
6*7280Sblu * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate *
80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate * See the License for the specific language governing permissions
110Sstevel@tonic-gate * and limitations under the License.
120Sstevel@tonic-gate *
130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate *
190Sstevel@tonic-gate * CDDL HEADER END
200Sstevel@tonic-gate */
210Sstevel@tonic-gate /*
22*7280Sblu * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23*7280Sblu * Use is subject to license terms.
240Sstevel@tonic-gate */
250Sstevel@tonic-gate
260Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI"
270Sstevel@tonic-gate
/*
 * References used throughout this code:
 *
 * [RFC1001] :	PROTOCOL STANDARD FOR A NetBIOS SERVICE
 *			ON A TCP/UDP TRANSPORT:
 *			CONCEPTS AND METHODS
 *		NetBIOS Working Group, March 1987
 *
 * [RFC1002] :	PROTOCOL STANDARD FOR A NetBIOS SERVICE
 *			ON A TCP/UDP TRANSPORT:
 *			DETAILED SPECIFICATIONS
 *		NetBIOS Working Group, March 1987
 */
410Sstevel@tonic-gate
420Sstevel@tonic-gate #include <fcntl.h>
430Sstevel@tonic-gate #include "snoop.h"
440Sstevel@tonic-gate #include <stdio.h>
450Sstevel@tonic-gate #include <ctype.h>
460Sstevel@tonic-gate #include "snoop.h"
470Sstevel@tonic-gate
480Sstevel@tonic-gate extern char *dlc_header;
490Sstevel@tonic-gate char *show_type();
500Sstevel@tonic-gate
510Sstevel@tonic-gate /* See snoop_smb.c */
520Sstevel@tonic-gate extern void interpret_smb(int flags, uchar_t *data, int len);
530Sstevel@tonic-gate
/*
 * NBT Session Packet Header
 * [RFC 1002, Sec. 4.3.1]
 */
struct nbt_ss {
	uchar_t		type;	/* packet type; 0x00 and 0x81-0x85 are named */
	uchar_t		flags;	/* not read by the code in this file */
	/*
	 * Not read by the code in this file: interpret_netbios_ses()
	 * reports the captured length minus the header instead.
	 */
	ushort_t	length;
};
630Sstevel@tonic-gate
/*
 * NBT Session Request Packet trailer
 * [RFC 1002, Sec. 4.3.2]
 */
/*
 * Every member is a uchar_t, so the structure can be overlaid on packet
 * bytes at any alignment. sizeof (struct callnames) is the minimum
 * trailer length that interpret_netbios_names() accepts.
 */
struct callnames {
	uchar_t		space;			/* padding */
	uchar_t		calledname[32];		/* first-level encoded name */
	uchar_t		nullchar;		/* padding */
	uchar_t		space2;			/* padding */
	uchar_t		callingname[32];	/* first-level encoded name */
	uchar_t		nullchar2;		/* padding */
};
760Sstevel@tonic-gate
770Sstevel@tonic-gate
780Sstevel@tonic-gate static void interpret_netbios_names(int flags, uchar_t *data, int len,
790Sstevel@tonic-gate char *xtra);
800Sstevel@tonic-gate static void netbiosname2ascii(char *asciiname, uchar_t *netbiosname);
810Sstevel@tonic-gate
/*
 * Helpers to read network-order values,
 * with NO alignment assumed.
 */
/*
 * Read a 16-bit network-order (big-endian) value one byte at a time.
 * The caller must guarantee that p[0] and p[1] are readable; no length
 * is available here to check against.
 */
static ushort_t
getshort(uchar_t *p)
{
	int high = p[0] << 8;	/* first byte on the wire is most significant */
	int low = p[1];

	return (low + high);
}
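/*
 * Read a 32-bit network-order (big-endian) value one byte at a time.
 * The caller must guarantee that p[0]..p[3] are readable; no length is
 * available here to check against.
 *
 * Each byte is widened to uint_t before shifting. Without the cast the
 * byte is promoted to a signed int, and shifting a value of 0x80 or
 * more left by 24 moves a one into the sign bit, which is undefined
 * behaviour in C.
 */
static uint_t
getlong(uchar_t *p)
{
	return (((uint_t)p[0] << 24) | ((uint_t)p[1] << 16) |
	    ((uint_t)p[2] << 8) | (uint_t)p[3]);
}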
950Sstevel@tonic-gate
/*
 * NM_FLAGS fields in the NetBIOS Name Service Packet header.
 * [RFC 1002, Sec. 4.2.1.1]
 */
/*
 * Emit one detail line for each NM_FLAGS bit that is set in the 16-bit
 * header flags word. Bits are reported in ascending order (4, 7, 8, 9,
 * 10); bits not listed in the table are ignored.
 */
static void
print_flag_details(int headerflags)
{
	static const struct {
		int		mask;
		const char	*label;
	} nm_flags[] = {
		{ 1 << 4,	" - Broadcast" },
		{ 1 << 7,	" - Recursion Available" },
		{ 1 << 8,	" - Recursion Desired" },
		{ 1 << 9,	" - Truncation Flag" },
		{ 1 << 10,	" - Authoritative Answer" }
	};
	int k;

	for (k = 0; k < (int)(sizeof (nm_flags) / sizeof (nm_flags[0])); k++) {
		if (headerflags & nm_flags[k].mask)
			sprintf(get_line(0, 0), "%s", nm_flags[k].label);
	}
}
1140Sstevel@tonic-gate
/*
 * Possible errors in NetBIOS name service packets.
 * [RFC 1002, Sec. 4.2.6, 4.2.11, 4.2.14]
 */
/*
 * Translate the RCODE (low four bits of the header flags word) into a
 * text label written to errortype. The longest label is 25 characters,
 * so errortype must provide room for at least 26 bytes; codes 8-15 all
 * map to "Unknown Error".
 */
static void
getrcodeerr(int headerflags, char *errortype)
{
	static const char *const rcode_text[] = {
		"Success",
		"Format Error",
		"Server Failure",
		"Name Error",
		"Unsupported Request Error",
		"Refused Error",
		"Active Error",
		"Name in Conflict Error"
	};
	int rcode = headerflags & 0xf;

	if (rcode < (int)(sizeof (rcode_text) / sizeof (rcode_text[0])))
		sprintf(errortype, "%s", rcode_text[rcode]);
	else
		sprintf(errortype, "Unknown Error");
}
1540Sstevel@tonic-gate
/*
 * OPCODE fields in the NetBIOS Name Service Packet header.
 * [RFC 1002, Sec. 4.2.1.1]
 */
/*
 * Describe a name service packet as "<operation> <Request|Response>".
 *
 * The operation comes from the 4-bit OPCODE field (bits 11-14 of the
 * header flags word) and the direction from bit 15. With F_DTAIL set
 * the text goes to a new detail line and xtra is not touched; otherwise
 * it is written to xtra, which must then be a writable buffer (the
 * longest result is "Registration Response", 21 characters plus NUL).
 */
static void
print_ns_type(int flags, int headerflags, char *xtra)
{
	int opcode = (headerflags & 0x7800) >> 11;
	const char *direction;
	const char *opname;

	if (headerflags & (1 << 15))
		direction = "Response";
	else
		direction = "Request";

	if (opcode == 0)
		opname = "Query";
	else if (opcode == 5)
		opname = "Registration";
	else if (opcode == 6)
		opname = "Release";
	else if (opcode == 7)
		opname = "WACK";
	else if (opcode == 8)
		opname = "Refresh";
	else
		opname = "Unknown";

	if (flags & F_DTAIL) {
		sprintf(get_line(0, 0), "Type = %s %s", opname, direction);
		return;
	}
	sprintf(xtra, "%s %s", opname, direction);
}
1930Sstevel@tonic-gate
1940Sstevel@tonic-gate
/*
 * Interpret Datagram Packets
 * [RFC 1002, Sec. 4.4]
 */
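/*
 * Decode an NBT datagram service packet. Only message types 0x10 and
 * 0x11 are decoded; every other type is ignored.
 *
 * flags selects summary (F_SUM) and/or detail (F_DTAIL) output, data
 * points at the first byte of the NBT datagram and len is the number
 * of bytes available there.
 *
 * The packet contents are untrusted capture data, so every read is
 * checked against len first. The fixed header is 14 bytes, the encoded
 * source name occupies bytes 15-46 and the encoded destination name
 * bytes 49-80. A packet too short for the fields being printed is
 * reported as truncated instead of being read past its end.
 */
void
interpret_netbios_datagram(int flags, uchar_t *data, int len)
{
	enum {
		DG_SRCNAME_OFF = 15,	/* type + 13 header bytes + length byte */
		DG_DSTNAME_OFF = 49,	/* source name offset + 34 */
		NB_ENCNAME_LEN = 32	/* bytes netbiosname2ascii() reads */
	};
	char name[24];
	int packettype;
	int packetlen;

	if (len < 1)
		return;

	packettype = data[0];
	if (packettype < 0x10 || packettype > 0x11)
		return;

	if (flags & F_SUM) {
		/*
		 * Index from the packet start rather than advancing data,
		 * so the detail decode below always starts at the header.
		 */
		if (len >= DG_SRCNAME_OFF + NB_ENCNAME_LEN) {
			netbiosname2ascii(name, data + DG_SRCNAME_OFF);
			sprintf(get_sum_line(),
			    "NBT Datagram Service Type=%d Source=%s",
			    packettype, name);
		} else {
			sprintf(get_sum_line(),
			    "NBT Datagram Service Type=%d (truncated)",
			    packettype);
		}
	}

	if (flags & F_DTAIL) {
		show_header("NBT:  ", "Netbios Datagram Service Header", len);
		show_space();
		sprintf(get_line(0, 0), "Datagram Packet Type = 0x%.2x",
		    packettype);

		if (len < DG_DSTNAME_OFF + NB_ENCNAME_LEN) {
			sprintf(get_line(0, 0),
			    "(packet truncated: %d bytes captured)", len);
			show_trailer();
			return;
		}

		data++;			/* step over the type byte */
		sprintf(get_line(0, 0), "Datagram Flags = 0x%.2x",
		    data[0]);
		data++;
		sprintf(get_line(0, 0), "Datagram ID = 0x%.4x",
		    getshort(data));
		data += 2;
		sprintf(get_line(0, 0), "Source IP = %d.%d.%d.%d",
		    data[0], data[1], data[2], data[3]);
		data += 4;
		sprintf(get_line(0, 0), "Source Port = %d",
		    getshort(data));
		data += 2;
		packetlen = getshort(data);
		sprintf(get_line(0, 0), "Datagram Length = 0x%.4x",
		    packetlen);
		data += 2;
		sprintf(get_line(0, 0), "Packet Offset = 0x%.4x",
		    getshort(data));
		data += 3;		/* offset field plus name length byte */
		netbiosname2ascii(name, data);
		sprintf(get_line(0, 0), "Source Name = %s", name);
		data += 34;
		netbiosname2ascii(name, data);
		sprintf(get_line(0, 0), "Destination Name = %s", name);
		/*
		 * packetlen is taken from the packet and is not validated,
		 * so this figure can be negative for a malformed datagram.
		 */
		sprintf(get_line(0, 0), "Number of data bytes remaining = %d",
		    packetlen - 68);
		show_trailer();
	}
}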
2520Sstevel@tonic-gate
/*
 * Interpret NetBIOS Name Service packets.
 * [RFC 1002, Sec. 4.2]
 */
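/*
 * Decode a NetBIOS name service packet.
 *
 * flags selects summary (F_SUM) and/or detail (F_DTAIL) output, data
 * points at the 12-byte name service header and len is the number of
 * bytes available there.
 *
 * The packet is untrusted capture data. Every field is checked against
 * len before it is read, including the target of a compressed-name
 * pointer, which the packet can set to any offset up to 0x3fff. When a
 * field does not fit, decoding stops and the detail output says the
 * packet was truncated. A packet shorter than the header is ignored.
 */
void
interpret_netbios_ns(int flags, uchar_t *data, int len)
{
	enum {
		NS_HDR_LEN = 12,	/* six 16-bit header fields */
		NB_ENCNAME_LEN = 32	/* bytes netbiosname2ascii() reads */
	};
	int headerflags, qcount, acount, nscount, arcount;
	int transid;
	char name[24];
	char extra[256];
	char errortype[50];
	int rdatalen;
	int rrflags;
	int nameptr;
	int nodecode;
	char *nodetype;
	uchar_t *data0 = data;
	uchar_t *end;

	if (len < NS_HDR_LEN)
		return;
	end = data0 + len;

	transid = getshort(data); data += 2;
	headerflags = getshort(data); data += 2;
	qcount = getshort(data); data += 2;
	acount = getshort(data); data += 2;
	nscount = getshort(data); data += 2;
	arcount = getshort(data); data += 2;
	getrcodeerr(headerflags, errortype);

	if (flags & F_SUM) {
		/*
		 * print_ns_type() leaves extra untouched when F_DTAIL is
		 * also set, so start from an empty string.
		 */
		extra[0] = '\0';
		print_ns_type(flags, headerflags, extra);
		/*
		 * Read the name through an offset instead of advancing
		 * data, so the detail decode below starts right after the
		 * header.
		 */
		if (end - data >= 1 + NB_ENCNAME_LEN)
			netbiosname2ascii(name, data + 1);
		else
			sprintf(name, "(truncated)");
		sprintf(get_sum_line(), "NBT NS %s for %s, %s",
		    extra, name, errortype);
	}

	if (flags & F_DTAIL) {
		show_header("NBT:  ", "Netbios Name Service Header", len);
		show_space();
		print_ns_type(flags, headerflags, 0);
		sprintf(get_line(0, 0), "Status = %s", errortype);
		sprintf(get_line(0, 0), "Transaction ID = 0x%.4x", transid);
		sprintf(get_line(0, 0), "Flags Summary = 0x%.4x",
		    headerflags);
		print_flag_details(headerflags);
		sprintf(get_line(0, 0), "Question count = %d", qcount);
		sprintf(get_line(0, 0), "Answer Count = %d", acount);
		sprintf(get_line(0, 0), "Name Service Count = %d", nscount);
		sprintf(get_line(0, 0),
		    "Additional Record Count = %d", arcount);

		/*
		 * Question Section Packet Description from
		 * [RFC 1002, Sec. 4.2.1.2]
		 */

		if (qcount) {
			/* length byte, 32-byte name, NUL, type, class */
			if (end - data < 1 + NB_ENCNAME_LEN + 1 + 2 + 2)
				goto truncated;
			data++;
			netbiosname2ascii(name, data);
			sprintf(get_line(0, 0), "Question Name = %s", name);
			data += 33;
			sprintf(get_line(0, 0), "Question Type = 0x%.4x",
			    getshort(data));
			data += 2;
			sprintf(get_line(0, 0), "Question Class = 0x%.4x",
			    getshort(data));
			data += 2;
		}

		/*
		 * Resource Record Packet Description from
		 * [RFC 1002, Sec. 4.2.1.3]
		 */

		if ((acount || nscount || arcount) ||
		    (qcount+acount+nscount+arcount == 0)) {
			if (end - data < 1)
				goto truncated;
			/* Second level encoding from RFC883 (p.31, 32) */
			if (data[0] & 0xc0) {
				if (end - data < 2)
					goto truncated;
				nameptr = getshort(data)&0x3fff;
				/*
				 * The pointer is packet-controlled: the name
				 * it refers to must lie inside the capture.
				 */
				if (nameptr + 1 + NB_ENCNAME_LEN > len)
					goto truncated;
				netbiosname2ascii(name, (data0+nameptr+1));
				sprintf(get_line(0, 0),
				    "Resource Record Name = %s", name);
				data += 2;
			} else {
				if (end - data < 1 + NB_ENCNAME_LEN + 1)
					goto truncated;
				data++;
				netbiosname2ascii(name, data);
				sprintf(get_line(0, 0),
				    "Resource Record Name = %s", name);
				data += 33;
			}
			/* type, class, TTL and RDATA length */
			if (end - data < 2 + 2 + 4 + 2)
				goto truncated;
			sprintf(get_line(0, 0),
			    "Resource Record Type = 0x%.4x",
			    getshort(data));
			data += 2;
			sprintf(get_line(0, 0),
			    "Resource Record Class = 0x%.4x",
			    getshort(data));
			data += 2;
			/*
			 * NOTE(review): the label says milliseconds; confirm
			 * the TTL unit against RFC 1002 before relying on it.
			 */
			sprintf(get_line(0, 0),
			    "Time to Live (Milliseconds) = %d",
			    getlong(data));
			data += 4;
			rdatalen = getshort(data);
			sprintf(get_line(0, 0), "RDATA Length = 0x%.4x",
			    rdatalen);
			data += 2;
			/* 15.4.2.1.3 */
			if (rdatalen == 6) {
				if (end - data < 6)
					goto truncated;
				rrflags = getshort(data);
				data += 2;
				sprintf(get_line(0, 0),
				    "Resource Record Flags = 0x%.4x",
				    rrflags);
				/*
				 * The node type is the two bits below the
				 * group bit. The previous mask of 0x11 only
				 * kept bit 13, so an M node was never
				 * reported.
				 */
				nodecode = (rrflags>>13) & 0x3;
				switch (nodecode) {
				case 0:
					nodetype = "B";
					break;
				case 1:
					nodetype = "P";
					break;
				case 2:
					nodetype = "M";
					break;
				default:
					/* 11 is reserved in RFC 1002 */
					nodetype = "Reserved";
					break;
				}
				sprintf(get_line(0, 0), " - %s, %s node",
				    (rrflags & 1<<15) ?
				    "Group NetBIOS Name":
				    "Unique NetBIOS Name", nodetype);
				sprintf(get_line(0, 0),
				    "Owner IP Address = %d.%d.%d.%d",
				    data[0], data[1], data[2], data[3]);
			}
		}
		show_trailer();
		return;

truncated:
		sprintf(get_line(0, 0), "(packet truncated)");
		show_trailer();
	}
}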
3840Sstevel@tonic-gate
/*
 * Interpret NetBIOS session packets.
 * [RFC 1002, Sec. 4.3]
 */
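/*
 * Decode an NBT session service packet and hand any SMB payload to
 * interpret_smb().
 *
 * flags selects summary (F_SUM) and/or detail (F_DTAIL) output, data
 * points at the start of the TCP payload and len is the number of bytes
 * available there. The Length that is printed is len minus the 4-byte
 * header, not the length field carried in the packet.
 *
 * The payload is untrusted capture data. Two checks differ from the
 * previous version: the minimum-length test is done in signed
 * arithmetic, so a negative len is rejected rather than converted to a
 * large unsigned value, and the SMB signature is only examined when all
 * four signature bytes are present after the header.
 */
void
interpret_netbios_ses(int flags, uchar_t *data, int len)
{
	struct nbt_ss *ss;
	uchar_t *trailer;
	int length;
	char *type;
	char extrainfo[300];

	if (len < (int)sizeof (struct nbt_ss))
		return;
	length = len - 4;	/* NBT packet length without header */

	/*
	 * Packets that are fragments of a large NetBIOS session
	 * message will have no NetBIOS header.  (Only the first
	 * TCP segment will have a NetBIOS header.)  It turns out
	 * that very often, such fragments start with SMB data, so
	 * we should try to recognize and decode them.
	 */
	if (data[0] == 0xff &&
	    data[1] == 'S' &&
	    data[2] == 'M' &&
	    data[3] == 'B') {
		interpret_smb(flags, data, len);
		return;
	}

	/* LINTED PTRALIGN */
	ss = (struct nbt_ss *)data;
	trailer = data + sizeof (*ss);
	extrainfo[0] = '\0';

	/* The same type names are used by the summary and detail output. */
	switch (ss->type) {
	case 0x00:
		type = "SESSION MESSAGE";
		break;
	case 0x81:
		type = "SESSION REQUEST";
		break;
	case 0x82:
		type = "POSITIVE SESSION RESPONSE";
		break;
	case 0x83:
		type = "NEGATIVE SESSION RESPONSE";
		break;
	case 0x84:
		type = "RETARGET SESSION RESPONSE";
		break;
	case 0x85:
		type = "SESSION KEEP ALIVE";
		break;
	default:
		type = "Unknown";
		break;
	}

	if (flags & F_SUM) {
		/* A session request carries the called and calling names. */
		if (ss->type == 0x81)
			interpret_netbios_names(flags, trailer,
			    length, extrainfo);
		(void) sprintf(get_sum_line(),
		    "NBT Type=%s %sLength=%d", type, extrainfo, length);
	}

	if (flags & F_DTAIL) {
		show_header("NBT:  ", "NBT Header", len);
		show_space();

		(void) sprintf(get_line(0, 0), "Type = %s", type);
		if (ss->type == 0x81)
			interpret_netbios_names(flags, trailer, length, 0);

		(void) sprintf(get_line(0, 0), "Length = %d bytes", length);
		show_trailer();
	}

	/*
	 * SMB packets have { 0xff, 'S', 'M', 'B' }
	 * in the first four bytes.  If we find that,
	 * let snoop_smb.c have a look at it.
	 * All four bytes must be inside the capture before
	 * they are compared.
	 */
	if (ss->type == 0x00 &&
	    length >= 4 &&
	    trailer[0] == 0xff &&
	    trailer[1] == 'S' &&
	    trailer[2] == 'M' &&
	    trailer[3] == 'B')
		interpret_smb(flags, trailer, length);
}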
5040Sstevel@tonic-gate
/*
 * NetBIOS name encoding (First Level Encoding)
 * [RFC 1001, Sec. 4.1]
 */
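/*
 * Decode a 32-byte first-level encoded NetBIOS name into printable
 * text: up to 15 name characters (blanks dropped, control characters
 * shown as '.') followed by the 16th "type" byte as "[hex]".
 *
 * nbname must point at 32 readable bytes; this function has no length
 * to check, so callers validate the packet first. aname must provide
 * room for at least 20 bytes (15 characters, "[xx]" and the NUL).
 *
 * Each encoded byte contributes one nibble, and only the low four bits
 * of (byte - 'A') are kept. For well-formed names ('A'..'P') this is
 * what the encoding specifies. For malformed input it keeps the decoded
 * value within 0..255, which bounds the "[%x]" suffix to two digits (a
 * negative value used to print as eight digits and overrun the callers'
 * 24-byte buffers) and keeps the iscntrl() argument in its valid range.
 */
static void
netbiosname2ascii(char *aname, uchar_t *nbname)
{
	int c, i, j;

	i = j = 0;
	for (;;) {
		c = (int)(((unsigned int)(nbname[i++] - 'A') & 0x0fU) << 4);
		c |= (int)((unsigned int)(nbname[i++] - 'A') & 0x0fU);
		/* 16th char is the "type" */
		if (i >= 32)
			break;
		if (iscntrl(c))
			c = '.';
		if (c != ' ')
			aname[j++] = c;
	}
	sprintf(&aname[j], "[%x]", c);
}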
5290Sstevel@tonic-gate
/*
 * Interpret the names in a Session Request packet.
 * [RFC 1002, Sec. 4.3.2]
 */
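/*
 * Decode the called and calling names of a session request.
 *
 * data points at the session request trailer and len is the number of
 * bytes available there; nothing is printed when len is smaller than
 * struct callnames. With F_SUM the text "Dest=... Source=... " is
 * written to xtra (at most 54 bytes including the NUL); with F_DTAIL
 * two detail lines are emitted.
 *
 * The length test is done on a non-negative value so that a negative
 * len cannot pass as a large unsigned number. xtra is only written
 * when it is non-NULL: the detail-mode caller passes 0, which would
 * otherwise be dereferenced if F_SUM were set in the same call.
 */
static void
interpret_netbios_names(int flags, uchar_t *data, int len, char *xtra)
{
	char calledname[24];
	char callingname[24];
	struct callnames *names = (struct callnames *)data;

	if (len < 0 || (size_t)len < sizeof (*names))
		return;

	netbiosname2ascii(calledname, names->calledname);
	netbiosname2ascii(callingname, names->callingname);

	if ((flags & F_SUM) && xtra != NULL) {
		sprintf(xtra, "Dest=%s Source=%s ", calledname, callingname);
	}

	if (flags & F_DTAIL) {
		sprintf(get_line(0, 0), "Destination = %s", calledname);
		sprintf(get_line(0, 0), "Source = %s", callingname);
	}
}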
556