diff options
| author | Peter Wu <peter@lekensteyn.nl> | 2016-12-22 00:13:21 +0100 |
|---|---|---|
| committer | Peter Wu <peter@lekensteyn.nl> | 2016-12-22 00:13:21 +0100 |
| commit | 8d3900ef5f476b0a56590bb9e8ef37bf79fdff82 (patch) | |
| tree | db5000604aa9f2699752feb3da5bb4faa36f1cdc | |
| parent | 6ac75424e414ad5426b50a84e2ffa49124e149aa (diff) | |
| download | wireshark-notes-8d3900ef5f476b0a56590bb9e8ef37bf79fdff82.tar.gz | |
file-zip: decode External File Attributes
Found also hints via http://unix.stackexchange.com/q/14705/8250
Anslysis of unix/unix.c was done on Info-ZIP 6.0.
| -rw-r--r-- | lua/file-zip.lua | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/lua/file-zip.lua b/lua/file-zip.lua index 629904c..e4842d0 100644 --- a/lua/file-zip.lua +++ b/lua/file-zip.lua @@ -93,6 +93,10 @@ local version_req_def = { system = version_made_def.system, spec = {ProtoField.uint8, "Required ZIP specification version"} } +local attr_extern_def = { + _ = {ProtoField.uint32, "External file attributes", base.HEX}, + file_mode = {ProtoField.uint16, "File mode", base.OCT}, +} local extra_def = { _ = {ProtoField.none, "Extensible data fields"}, header_id = {ProtoField.uint16, base.HEX, { @@ -144,7 +148,7 @@ make_fields("zip_archive", { comment_len = {ProtoField.uint16, base.DEC}, disk_number = {ProtoField.uint16, base.DEC}, attr_intern = {ProtoField.uint16, base.HEX}, - attr_extern = {ProtoField.uint32, base.HEX}, + attr_extern = attr_extern_def, relative_offset = {ProtoField.uint32, base.HEX_DEC}, filename = {ProtoField.string}, extra = extra_def, @@ -234,6 +238,14 @@ local function dissect_flags(hfs, tvb, tree) flgtree:add_le(hfs.reserved, tvb) end +local function dissect_extern_attr(hfs, tvb, tree, os_version) + local ti = tree:add_le(hfs._, tvb) + if os_version == 3 then -- Unix + -- Info-ZIP stores file mode in higher bits (see unix/unix.c) + ti:add_le(hfs.file_mode, tvb(2, 2)) + end +end + local function dissect_extra(hfs, tvb, tree) local etree = tree:add(hfs._, tvb) local offset, length = 0, tvb:len() @@ -331,7 +343,7 @@ local function dissect_one(tvb, offset, pinfo, tree) subtree:add_le(hf.cd.comment_len, tvb(offset + 32, 2)) subtree:add_le(hf.cd.disk_number, tvb(offset + 34, 2)) subtree:add_le(hf.cd.attr_intern, tvb(offset + 36, 2)) - subtree:add_le(hf.cd.attr_extern, tvb(offset + 38, 4)) + dissect_extern_attr(hf.cd.attr_extern, tvb(offset + 38, 4), subtree, tvb(offset + 5, 1):le_uint()) subtree:add_le(hf.cd.relative_offset, tvb(offset + 42, 4)) local filename_len = tvb(offset + 28, 2):le_uint() |