author | Ulf Lamping <ulf.lamping@web.de> | 2004-12-19 16:13:05 +0000 |
---|---|---|
committer | Ulf Lamping <ulf.lamping@web.de> | 2004-12-19 16:13:05 +0000 |
commit | e3f96e79e7aadb5c0c1b2e9c7b09dfb8070675b0 (patch) | |
tree | ca1cb50806c6561cf604326753d684ea5b36524b /epan/dissectors/packet-dcom-oxid.c | |
parent | ae802a6a02d4c638d2e9f3b4641470cc47559925 (diff) |
add a lot of dissect stuff to the OXID resolver, moved some details of the DUALSTRINGARRAY to packet-dcom.c
svn path=/trunk/; revision=12779
Diffstat (limited to 'epan/dissectors/packet-dcom-oxid.c')
-rw-r--r-- | epan/dissectors/packet-dcom-oxid.c | 426 |
1 files changed, 238 insertions, 188 deletions
diff --git a/epan/dissectors/packet-dcom-oxid.c b/epan/dissectors/packet-dcom-oxid.c
index c5d8694438..cc5906accc 100644
--- a/epan/dissectors/packet-dcom-oxid.c
+++ b/epan/dissectors/packet-dcom-oxid.c
@@ -32,241 +32,291 @@ #include <glib.h> #include <epan/packet.h> #include "packet-dcerpc.h" -#include "packet-dcerpc-dcom.h" -#include "packet-smb-common.h" +#include "packet-dcom.h" static int proto_oxid = -1; -static int hf_opnum = -1; -static int hf_COMVERSION_MjrVer = -1; -static int hf_COMVERSION_MnrVer = -1; -static int hf_wNumEntries = -1; -static int hf_wSecurityOffset = -1; -static int hf_wTowerId = -1; -static int hf_aNetworkAddr = -1; -static int hf_wAuthnSvc = -1; -static int hf_wAuthzSvc = -1; -static int hf_aPrinceName = -1; -static int hf_Unknown1 = -1; -static int hf_Unknown2 = -1; +static int hf_oxid_opnum = -1; +static int hf_oxid_setid = -1; +static int hf_oxid_seqnum = -1; +static int hf_oxid_addtoset = -1; +static int hf_oxid_delfromset = -1; +static int hf_oxid_oid = -1; +static int hf_oxid_ping_backoff_factor = -1; +static int hf_oxid_oxid = -1; +static int hf_oxid_requested_protseqs = -1; +static int hf_oxid_protseqs = -1; +static int hf_oxid_bindings = -1; +static int hf_oxid_ipid = -1; +static int hf_oxid_authn_hint = -1; + +static int hf_oxid_Unknown1 = -1; +static int hf_oxid_Unknown2 = -1; +static int hf_oxid_ds_array = -1; + static gint ett_oxid = -1; static e_uuid_t uuid_oxid = { 0x99fcfec4, 0x5260, 0x101b, { 0xbb, 0xcb, 0x00, 0xaa, 0x00, 0x21, 0x34, 0x7a } }; static guint16 ver_oxid = 0; -static const char * -authz_val2str(unsigned short authz) { - switch (authz) { - case 0: - return "RPC_C_AUTHZ_NONE"; - break; - case 1: - return "RPC_C_AUTHZ_NAME"; - break; - case 2: - return "RPC_C_AUTHZ_DCE"; - break; - case 0xffff: - return "Default"; - break; - default: - return "Unknown"; - break; + +static int +dissect_oxid_simple_ping_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + unsigned char pu64SetId[8]; + + + offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep, + hf_oxid_setid, pu64SetId); + + return offset; +} + + +static int +dissect_oxid_simple_ping_resp(tvbuff_t *tvb, int offset, + 
packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 u32HResult; + + + offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep, + &u32HResult); + + if (check_col(pinfo->cinfo, COL_INFO)) { + col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s", + val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)") ); } + + return offset; } -static const char * -authn_val2str(unsigned short authn) { - switch (authn) { - case 0: - return "RPC_C_AUTHN_NONE"; - break; - case 1: - return "RPC_C_AUTHN_DCE_PRIVATE"; - break; - case 2: - return "RPC_C_AUTHN_DCE_PUBLIC"; - break; - case 4: - return "RPC_C_AUTHN_DEC_PUBLIC"; - break; - case 9: - return "RPC_C_AUTHN_GSS_NEGOTIATE"; - break; - case 10: - return "RPC_C_AUTH_WINNT"; - break; - case 14: - return "RPC_C_AUTHN_GSS_SCHANNEL"; - break; - case 16: - return "RPC_C_AUTHN_GSS_KERBEROS"; - break; - case 17: - return "RPC_C_AUTHN_MSN"; - break; - case 18: - return "RPC_C_AUTHN_DPA"; - break; - case 100: - return "RPC_C_AUTHN_MQ"; - break; - case 0xffff: - return "RPC_C_AUTHN_DEFAULT"; - break; - default: - return "Unknown"; - break; + + +static int +dissect_oxid_complex_ping_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + unsigned char pu64SetId[8]; + guint16 u16SeqNum; + guint16 u16AddToSet; + guint16 u16DelFromSet; + guint32 u32Pointer; + guint32 u32ArraySize; + unsigned char pu64OId[8]; + + + offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep, + hf_oxid_setid, pu64SetId); + + offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep, + hf_oxid_seqnum, &u16SeqNum); + offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep, + hf_oxid_addtoset, &u16AddToSet); + offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep, + hf_oxid_delfromset, &u16DelFromSet); + + if (check_col(pinfo->cinfo, COL_INFO)) { + col_append_fstr(pinfo->cinfo, COL_INFO, " AddToSet=%u DelFromSet=%u", + u16AddToSet, u16DelFromSet); + } + + offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, 
tree, drep, + &u32Pointer); + if (u32Pointer) { + offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep, + &u32ArraySize); + + while (u16AddToSet--) { + offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep, + hf_oxid_oid, pu64OId); + } } + + offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep, &u32Pointer); + + return offset; } -static const char * -towerid_val2str(unsigned short tower) { - switch (tower) { - case 0x4: - return "NCACN_DNET_NSP"; - break; - case 0x7: - return "NCACN_IP_TCP"; - break; - case 0x8: - return "NCADG_IP_UDP"; - break; - case 0x9: - return "NCACN_IP"; - case 0xC: - return "NCACN_SPX"; - break; - - case 0xD: - return "NCACN_NB_IPX"; - break; - case 0xE: - return "NCADG_IPX"; - break; - case 0x12: - return "NCACN_NB_NB"; - break; - case 0x1F: - return "NCACN_HTTP"; - break; - default: - return "Unknown"; - break; + +static int +dissect_oxid_complex_ping_resp(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + unsigned char pu64SetId[8]; + guint16 u16PingBackoffFactor; + guint32 u32HResult; + + + offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep, + hf_oxid_setid, pu64SetId); + offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep, + hf_oxid_ping_backoff_factor, &u16PingBackoffFactor); + + offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep, + &u32HResult); + + if (check_col(pinfo->cinfo, COL_INFO)) { + col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s", + val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)") ); } + + return offset; } + static int -oxid_server_alive2_dissect_rply(tvbuff_t *tvb, int offset, packet_info *pinfo, - proto_tree *tree, guint8 *drep) { - COMVERSION comver; - DUALSTRINGARRAY stringarray; - STRINGBINDING stringbind; - SECURITYBINDING securitybind; - proto_item *bind_hdr, *entries_hdr, *sec_hdr; - proto_tree *bind_tree, *entries_tree, *sec_tree; - char *aNetworkAddr = NULL; - char *aPrinceName = NULL; - unsigned short 
string_len = 0; - unsigned short security_len = 0; - unsigned char unknown1[8]; - unsigned char unknown2[8]; +dissect_oxid_resolve_oxid2_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + unsigned char pu64OxId[8]; + guint16 u16ProtSeqs; + guint32 u32ArraySize; + guint32 u32ItemIdx; + + + offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep, + hf_oxid_oxid, pu64OxId); - dissect_dcerpc_uint16(tvb, offset, pinfo, tree, drep, hf_COMVERSION_MjrVer, &comver.MajorVersion); - offset += sizeof(comver.MajorVersion); + offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep, + hf_oxid_requested_protseqs, &u16ProtSeqs); - dissect_dcerpc_uint16(tvb, offset, pinfo, tree, drep, hf_COMVERSION_MnrVer, &comver.MinorVersion); - offset += sizeof(comver.MinorVersion); + offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep, + &u32ArraySize); - dissect_dcerpc_uint64(tvb , offset, pinfo, tree, drep, hf_Unknown1, unknown1); + u32ItemIdx = 1; + while (u32ArraySize--) { + offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep, + hf_oxid_protseqs, &u16ProtSeqs); + u32ItemIdx++; + } - offset += sizeof(unknown1); /*FIXME - understand what those 8 bytes mean! 
don't skip'em!*/ - string_len = dcerpc_tvb_get_ntohs(tvb, offset, drep) * 2; - bind_hdr = proto_tree_add_text(tree, tvb, offset, (int)string_len, "DUALSTRINGARRAY structure"); - bind_tree = proto_item_add_subtree(bind_hdr, 0); + return offset; +} - dissect_dcerpc_uint16(tvb, offset, pinfo, bind_tree, drep, hf_wNumEntries, &stringarray.wNumEntries); - offset += sizeof(stringarray.wNumEntries); - security_len = dcerpc_tvb_get_ntohs(tvb, offset, drep) * 2; - dissect_dcerpc_uint16(tvb, offset, pinfo, bind_tree, drep, hf_wSecurityOffset, &stringarray.wSecurityOffset); - offset += sizeof(stringarray.wSecurityOffset); +static int +dissect_oxid_resolve_oxid2_resp(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, guint8 *drep) +{ + guint32 u32Pointer; + guint32 u32ArraySize; + e_uuid_t ipid; + guint32 u32AuthnHint; + guint16 u16VersionMajor; + guint16 u16VersionMinor; + guint32 u32HResult; - entries_hdr = proto_tree_add_text(bind_tree, tvb, offset, (int)security_len, "STRING BINDING"); - entries_tree = proto_item_add_subtree(entries_hdr, 0); - while(tvb_get_ntohs(tvb, offset) != 0) { /* check that this is not terminating zero */ - - stringbind.wTowerId = dcerpc_tvb_get_ntohs(tvb, offset, drep); - proto_tree_add_text(entries_tree, tvb, offset, sizeof(stringbind.wTowerId), "Network Protocol ('TowerID'): %s (0x%x)",towerid_val2str(stringbind.wTowerId), stringbind.wTowerId); + offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep, + &u32Pointer); + if (u32Pointer) { + offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep, + &u32ArraySize); - offset += sizeof(stringbind.wTowerId); + offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, tree, drep, + hf_oxid_bindings); + + offset = dissect_dcom_UUID(tvb, offset, pinfo, tree, drep, + hf_oxid_ipid, &ipid); - offset = display_unicode_string(tvb, entries_tree, offset, hf_aNetworkAddr, &aNetworkAddr); - } - offset += 2; /* hop over the extra terminating zero */ - - sec_hdr = 
proto_tree_add_text(bind_tree, tvb, offset, 0, "SECURITY BINDING"); - sec_tree = proto_item_add_subtree(sec_hdr, 0); + offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, drep, + hf_oxid_authn_hint, &u32AuthnHint); - while(tvb_get_ntohs(tvb, offset) != 0) { - securitybind.wAuthnSvc = dcerpc_tvb_get_ntohs(tvb, offset, drep); - proto_tree_add_text(sec_tree, tvb, offset, sizeof(securitybind.wAuthnSvc), "Authentication Service: %s (0x%x)",authn_val2str(securitybind.wAuthnSvc),securitybind.wAuthnSvc); - offset += sizeof(securitybind.wAuthnSvc); + offset = dissect_dcom_COMVERSION(tvb, offset, pinfo, tree, drep, + &u16VersionMajor, &u16VersionMinor); + } - securitybind.wAuthzSvc = dcerpc_tvb_get_ntohs(tvb, offset, drep); - proto_tree_add_text(sec_tree, tvb, offset, sizeof(securitybind.wAuthzSvc), "Authorization Service: %s (0x%x)",authz_val2str(securitybind.wAuthzSvc),securitybind.wAuthzSvc); - offset += sizeof(securitybind.wAuthzSvc); + offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep, + &u32HResult); - offset = display_unicode_string(tvb, sec_tree, offset, hf_aPrinceName, &aPrinceName); + if (check_col(pinfo->cinfo, COL_INFO)) { + col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s", + val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)") ); } - offset += 2; /* hop over the extra terminating zero */ - - dissect_dcerpc_uint64(tvb, offset, pinfo, tree, drep, hf_Unknown2, unknown2); + + return offset; +} + + +static int +dissect_oxid_server_alive2_resp(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, guint8 *drep) { + guint16 u16VersionMajor; + guint16 u16VersionMinor; + unsigned char unknown1[8]; + unsigned char unknown2[8]; + + + offset = dissect_dcom_COMVERSION(tvb, offset, pinfo, tree, drep, &u16VersionMajor, &u16VersionMinor); + + /* XXX - understand what those 8 bytes mean! 
don't skip'em!*/ + dissect_dcerpc_uint64(tvb , offset, pinfo, tree, drep, hf_oxid_Unknown1, unknown1); + offset += sizeof(unknown1); + + offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, tree, drep, hf_oxid_ds_array); + + /* unknown field 2 */ + dissect_dcerpc_uint64(tvb, offset, pinfo, tree, drep, hf_oxid_Unknown2, unknown2); offset += sizeof(unknown2); return offset; } + +/* XXX - some dissectors still need to be done */ static dcerpc_sub_dissector oxid_dissectors[] = { { 0, "ResolveOxid", NULL, NULL }, - { 1, "SimplePing", NULL, NULL }, - { 2, "ComplexPing", NULL, NULL }, + { 1, "SimplePing", dissect_oxid_simple_ping_rqst, dissect_oxid_simple_ping_resp }, + { 2, "ComplexPing", dissect_oxid_complex_ping_rqst, dissect_oxid_complex_ping_resp }, { 3, "ServerAlive", NULL, NULL }, - { 4, "ResolveOxid2", NULL, NULL }, - { 5, "ServerAlive2", NULL, oxid_server_alive2_dissect_rply }, + { 4, "ResolveOxid2", dissect_oxid_resolve_oxid2_rqst, dissect_oxid_resolve_oxid2_resp }, + { 5, "ServerAlive2", NULL, dissect_oxid_server_alive2_resp }, { 0, NULL, NULL, NULL }, }; + void proto_register_oxid (void) { static hf_register_info hf[] = { - { &hf_opnum, - { "Operation", "oxid.opnum", FT_UINT16, BASE_DEC, - NULL, 0x0, "", HFILL }}, - { &hf_COMVERSION_MjrVer, - { "COM Major Version", "oxid5.com_mjr_ver", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, - { &hf_COMVERSION_MnrVer, - { "COM Minor Version", "oxid5.com_mnr_ver", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, - { &hf_wNumEntries, - { "Total Entries length (in 16 bytes blocks)", "oxid5.NumEntries", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, - { &hf_wSecurityOffset, - { "Offset of Security Binding (in 16 bytes blocks)", "oxid5.SecurityOffset", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, - { &hf_wTowerId, - { "Network Protocol ('TowerID')", "oxid5.wTowerId", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, - { &hf_aNetworkAddr, - { "Network Address ('aNetworkAddr')", "oxid5.aNetworkAddr", FT_STRING, BASE_NONE, NULL, 
0x0, "", HFILL }}, - { &hf_wAuthnSvc, - { "Authentication Service", "oxid5.AuthnSvc", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, - { &hf_wAuthzSvc, - { "Autherization Service", "oxid5.AuthzSvc", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }}, - { &hf_aPrinceName, - { "aPrinceName", "oxid5.aPrinceName", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, - { &hf_Unknown1, + { &hf_oxid_opnum, + { "Operation", "oxid.opnum", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + + { &hf_oxid_setid, + { "SetId", "oxid_setid", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_oxid_seqnum, + { "SeqNum", "oxid_seqnum", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_oxid_addtoset, + { "AddToSet", "oxid_addtoset", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_oxid_delfromset, + { "DelFromSet", "oxid_delfromset", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_oxid_oid, + { "OID", "oxid_oid", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_oxid_ping_backoff_factor, + { "PingBackoffFactor", "oxid_ping_backoff_factor", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_oxid_oxid, + { "OXID", "oxid_oxid", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }}, + + { &hf_oxid_requested_protseqs, + { "RequestedProtSeq", "oxid_requested_protseqs", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_oxid_protseqs, + { "ProtSeq", "oxid_protseqs", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + + { &hf_oxid_bindings, + { "OxidBindings", "oxid_bindings", FT_NONE, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_oxid_ipid, + { "IPID", "oxid_ipid", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, + { &hf_oxid_authn_hint, + { "AuthnHint", "oxid_authn_hint", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, + + { &hf_oxid_ds_array, + { "Address", "dcom.oxid.address", FT_NONE, BASE_NONE, NULL, 0x0, "", HFILL }}, + { &hf_oxid_Unknown1, { "unknown 8 bytes 1", "oxid5.unknown1", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }}, - { &hf_Unknown2, - { "unknown 8 bytes 2", "oxid5.unknown2", 
FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_oxid_Unknown2, + { "unknown 8 bytes 2", "oxid5.unknown2", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }} }; static gint *ett[] = { &ett_oxid @@ -280,5 +330,5 @@ void proto_reg_handoff_oxid (void) { /* Register the protocol as dcerpc */ - dcerpc_init_uuid (proto_oxid, ett_oxid, &uuid_oxid, ver_oxid, oxid_dissectors, hf_opnum); + dcerpc_init_uuid (proto_oxid, ett_oxid, &uuid_oxid, ver_oxid, oxid_dissectors, hf_oxid_opnum); } |
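Review bot: In `dissect_oxid_complex_ping_rqst` the second `dissect_dcom_dcerpc_pointer` result is read and then dropped, so a non-null DelFromSet array is never dissected; the OIDs a client removes from its ping set stay out of the tree and out of reach of display filters, even though `DelFromSet=%u` is printed in the Info column. The fence below adds the missing branch, mirroring the AddToSet one and reusing `hf_oxid_oid` (assuming both arrays carry OIDs, as the AddToSet handling suggests). Separately, `u32ArraySize` is read in that function and never compared with `u16AddToSet`, and both that loop and `while (u32ArraySize--)` in `dissect_oxid_resolve_oxid2_rqst` run on counts taken straight from the packet. They stop on a short or forged PDU only if the helpers in packet-dcom.c raise the tvb bounds exception, which this hunk does not show and is worth confirming. A disagreement between the marshalled array size and the count field would be better flagged in the tree than ignored.

```c
/* … unchanged: SetId, SeqNum, AddToSet/DelFromSet counters and the AddToSet array … */

    offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep, &u32Pointer);
    /* DelFromSet array: same pointer / array-size / element layout as AddToSet */
    if (u32Pointer) {
        offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep,
                            &u32ArraySize);

        while (u16DelFromSet--) {
            offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep,
                            hf_oxid_oid, pu64OId);
        }
    }

    return offset;
```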