From 416bd9a108cef32c870d1731efb82cfffa0760b8 Mon Sep 17 00:00:00 2001 From: Uri Simchoni Date: Thu, 1 Sep 2016 23:52:33 +0300 Subject: smb: parse user quota change time In SMB user quota records, parse unknown 8-byte field as quota record's last change time (source - [MS-FSCC] 2.4.33) Change-Id: I1f2839934fc0ab8e3d38105e02ef91a547256a70 Signed-off-by: Uri Simchoni Reviewed-on: https://code.wireshark.org/review/17440 Petri-Dish: Anders Broman Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman --- epan/dissectors/packet-smb.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/epan/dissectors/packet-smb.c b/epan/dissectors/packet-smb.c index e64fec5ee9..561df79dd7 100644 --- a/epan/dissectors/packet-smb.c +++ b/epan/dissectors/packet-smb.c @@ -684,6 +684,7 @@ static int hf_smb_quota_flags_log_warning = -1; static int hf_smb_soft_quota_limit = -1; static int hf_smb_hard_quota_limit = -1; static int hf_smb_user_quota_used = -1; +static int hf_smb_user_quota_change_time = -1; static int hf_smb_length_of_sid = -1; static int hf_smb_user_quota_offset = -1; static int hf_smb_nt_rename_level = -1; @@ -8276,11 +8277,10 @@ dissect_nt_user_quota(tvbuff_t *tvb, proto_tree *tree, int offset, guint16 *bcp) proto_tree_add_item(tree, hf_smb_length_of_sid, tvb, offset, 4, ENC_LITTLE_ENDIAN); COUNT_BYTES_TRANS_SUBR(4); - /* 16 unknown bytes */ + /* change time */ CHECK_BYTE_COUNT_TRANS_SUBR(8); - proto_tree_add_item(tree, hf_smb_unknown, tvb, - offset, 8, ENC_NA); - COUNT_BYTES_TRANS_SUBR(8); + offset = dissect_nt_64bit_time(tvb, tree, offset, + hf_smb_user_quota_change_time); /* number of bytes for used quota */ CHECK_BYTE_COUNT_TRANS_SUBR(8); 
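Review bot: In the `dissect_nt_user_quota` hunk the new change-time field is consumed without reducing the remaining byte count. The removed `COUNT_BYTES_TRANS_SUBR(8);` is replaced by `offset = dissect_nt_64bit_time(tvb, tree, offset, hf_smb_user_quota_change_time);`, which only moves `offset`, and the next visible statement is already the `CHECK_BYTE_COUNT_TRANS_SUBR(8);` for the used-quota field. Assuming the COUNT macro also decrements `*bcp` (its definition is outside the hunk), `*bcp` now stays 8 too high for the rest of the record. Later length checks would then pass on a truncated or malformed quota record that is up to 8 bytes short, and the caller gets back a stale count. Adding `*bcp -= 8;` directly after the call would keep the bounds bookkeeping in step with the other fields; the function body starts and ends outside the hunk.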
@@ -19959,6 +19959,10 @@ proto_register_smb(void) { "Read Only Volume", "smb.fs_attr.rov", FT_BOOLEAN, 32, TFS(&tfs_fs_attr_rov), 0x00080000, "Is this FS on a read only volume?", HFILL }}, + { &hf_smb_user_quota_change_time, + { "Change Time", "smb.quota.user.change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, + NULL, 0x0, "The last time the quota was changed", HFILL }}, + { &hf_smb_length_of_sid, { "Length of SID", "smb.length_of_sid", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }}, -- cgit v1.2.1