author | Michael Mann <mmann78@netscape.net> | 2017-06-04 18:43:01 -0400 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2017-06-05 02:50:10 +0000 |
commit | aabb8fd5946110767479e2863ffe4fc40d63ac53 (patch) | |
tree | 5762e988188724cb42f13b67cd4caed064f98046 /epan/dissectors/packet-dcerpc.c | |
parent | b58e23846e4f21318efebca138f9aa3b0e26792d (diff) |
Add DCE/RPC over TCP dissector to "force" DCE/RPC when heuristics fail
Add a simple dissection function for DCE/RPC that just calls tcp_dissect_pdus
and doesn't do any heuristics checks. This can be used to handle cases
where TCP PDU is too small for DCE/RPC heuristics checks and user
knows the data is DCE/RPC and can set it through Decode As.
Bug: 6392
Change-Id: I9e4960282ea64d20499f7d5a330f48f30a092b30
Reviewed-on: https://code.wireshark.org/review/21951
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/dissectors/packet-dcerpc.c')
-rw-r--r-- | epan/dissectors/packet-dcerpc.c | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/epan/dissectors/packet-dcerpc.c b/epan/dissectors/packet-dcerpc.c
index cd6060d82c..0840c8a169 100644
--- a/epan/dissectors/packet-dcerpc.c
+++ b/epan/dissectors/packet-dcerpc.c
@@ -5657,7 +5657,7 @@ dissect_dcerpc_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* da
 }
 
 static gboolean
-dissect_dcerpc_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
+dissect_dcerpc_tcp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
 {
 dcerpc_decode_as_data* decode_data;
 
@@ -5671,6 +5671,18 @@ dissect_dcerpc_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *da
 return TRUE;
 }
 
+static int
+dissect_dcerpc_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
+{
+ dcerpc_decode_as_data* decode_data;
+
+ decode_data = dcerpc_get_decode_data(pinfo);
+ decode_data->dcetransporttype = DCE_TRANSPORT_UNKNOWN;
+
+ tcp_dissect_pdus(tvb, pinfo, tree, dcerpc_cn_desegment, 10, get_dcerpc_pdu_len, dissect_dcerpc_pdu, data);
+ return tvb_captured_length(tvb);
+}
+
 static gboolean
 dissect_dcerpc_cn_smbpipe(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
 {
@@ -6968,7 +6980,9 @@ proto_register_dcerpc(void)
 void
 proto_reg_handoff_dcerpc(void)
 {
- heur_dissector_add("tcp", dissect_dcerpc_tcp, "DCE/RPC over TCP", "dcerpc_tcp", proto_dcerpc, HEURISTIC_ENABLE);
+ dissector_handle_t dcerpc_tcp_handle;
+
+ heur_dissector_add("tcp", dissect_dcerpc_tcp_heur, "DCE/RPC over TCP", "dcerpc_tcp", proto_dcerpc, HEURISTIC_ENABLE);
 heur_dissector_add("netbios", dissect_dcerpc_cn_pk, "DCE/RPC over NetBios", "dcerpc_netbios", proto_dcerpc, HEURISTIC_ENABLE);
 heur_dissector_add("udp", dissect_dcerpc_dg, "DCE/RPC over UDP", "dcerpc_udp", proto_dcerpc, HEURISTIC_ENABLE);
 heur_dissector_add("smb_transact", dissect_dcerpc_cn_smbpipe, "DCE/RPC over SMB", "dcerpc_smb_transact", proto_dcerpc, HEURISTIC_ENABLE);
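Review bot: In the new `dissect_dcerpc_tcp` (second hunk), the `10` passed to `tcp_dissect_pdus` is an unexplained magic number; it is presumably the count of header bytes `get_dcerpc_pdu_len` needs before it can read the fragment length, and a comment such as `/* bytes of the common header needed to read the fragment length */` or a named constant would make that checkable. Because this entry point is reached through Decode As without the checks the heuristic variant performs, `get_dcerpc_pdu_len` and `dissect_dcerpc_pdu` now receive bytes that were never validated as DCE/RPC. Neither function is visible in this hunk, so it is worth confirming that both handle a nonsensical length or version field without asserting or reading past the buffer. A short function comment stating that validation is deliberately skipped here would also help the next reader.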
@@ -6976,6 +6990,9 @@ proto_reg_handoff_dcerpc(void)
 heur_dissector_add("http", dissect_dcerpc_cn_bs, "DCE/RPC over HTTP", "dcerpc_http", proto_dcerpc, HEURISTIC_ENABLE);
 dcerpc_smb_init(proto_dcerpc);
 
+ dcerpc_tcp_handle = create_dissector_handle(dissect_dcerpc_tcp, proto_dcerpc);
+ dissector_add_for_decode_as("tcp.port", dcerpc_tcp_handle);
+
 guids_add_uuid(&uuid_data_repr_proto, "32bit NDR");
 guids_add_uuid(&uuid_ndr64, "64bit NDR");
 guids_add_uuid(&uuid_asyncemsmdb, "async MAPI"); |
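Review bot: The new `dissector_add_for_decode_as("tcp.port", dcerpc_tcp_handle)` registration has no comment saying why a second, non-heuristic TCP entry point exists alongside the heuristic one registered earlier in this function. A one-line comment above it, for example `/* Decode As only: forces DCE/RPC on a TCP port when the heuristic rejects the stream */`, would record that this path is opt-in and skips the heuristic checks. The body of proto_reg_handoff_dcerpc starts before and continues past this hunk.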