Age | Commit message (Collapse) | Author | Files | Lines |
|
I have a little additional patch, that makes it easier to see what which bytes
are not caught by the sub_dissector.
And it makes it easy to select and export the full payload to a file.
svn path=/trunk/; revision=19987
|
|
This patch fixes some problems with encrypted DCERPC traffic
svn path=/trunk/; revision=19971
|
|
reported by Benjamin Meyer
WireShark marks DCE RPC FACKs as "malformed" if they do not have a body.
According to DCE RPC Spec. 1.1 FACKs "may contain" a body PTU.
I am unable to build WireShark (lack of time to install all neccessary stuff)
but I looked at the SourceCode. I think, at least this has to be fixed:
file: epan/dissectors/packet-dcerpc.c
function: static gboolean dissect_dcerpc_dg (tvbuff_t *tvb, packet_info *pinfo,
proto_tree *tree)
*snip*
case PDU_FACK
dissect_dcerpc_dg_fack (tvb, offset, pinfo, dcerpc_tree, &hdr);
break;
*snap*
I guess, it should look like "case PDU_NOCALL:" directly above.
svn path=/trunk/; revision=19952
|
|
svn path=/trunk/; revision=19640
|
|
I have figured out one of the fields in the MAPI
EcRRegisterPushNotification packet. The field is a UDP port number that
the client wants the Exchange server to send new mail notifications on.
These notifications are on a port > 1023 and are always 8 bytes long.
It looks like I would add the function name to the
dcerpc_mapi_dissectors[] for the register push notification. What would
my new function need to do besides display the field?
Thanks,
Steve
Here is a patch to add this functionality. It displays the notification
port and the notification payload (not sure what the payload itself
means yet). It also dynamically registers each notification port found
with a new dissector (that I called newmail for lack of a better name -
I'm open to suggestions) that displays the notification payload. This
is all undocumented by Microsoft in their usual fashion.
I also changed the code to always display the mapi.opnum field;
currently, the mapi.opnum is only displayed when the
dcerpc_mapi_dissector is null.
Steve
svn path=/trunk/; revision=19350
|
|
svn path=/trunk/; revision=19309
|
|
dont try dcerpc reassembly of fragments if we dont have the entire pdu
only call the heuristical dissectors once from smb/pipe as per guy(?)s comments about idempotence.
when doing reassembly, the dcerpc dissector is indeed not idempotent any more.
svn path=/trunk/; revision=19304
|
|
dissector functions (dcv->private_data) for things such as strings and sids is a mess and very difficult to handle without a lot of memory leakage.
the biggest problem in changing this is the dcv->private_data usage.
add a dcv->se_data which can keep data around from a request to a response and use this to change the LSA/OpenPolicy2 servername passing from request to response as a test pattern of moving all users of dcv->private data over to use dcv->se_data.
once all users are migrated over we can then change the dcv->private data pointer to be of ep scope and thus not need an explicit free (which is quite difficult and it is quite difficult in the old semantics to know WHEN we need to free this pointer)
this will eventually make the usage more clean and at the same time close down quite a few memory leaks.
eventually this will make dissect_ndr_nt_SID return a pointer to ep allocated memory that need not be explicitely freed.
svn path=/trunk/; revision=19226
|
|
remove some minor details)
svn path=/trunk/; revision=19176
|
|
Fix indentation.
svn path=/trunk/; revision=19114
|
|
svn path=/trunk/; revision=19065
|
|
other protocols such as ldap and smb/smb2
move the initialization of the guid mapping table from the dcerpc dissector to a more neutral place
svn path=/trunk/; revision=18947
|
|
most of the relevant code moved to guid_utils
lot of corresponding code cleanup in packet-dcerpc.c
still using GHashTable
still not using a manuf like file
svn path=/trunk/; revision=18939
|
|
non-win32 works
svn path=/trunk/; revision=18936
|
|
I think I've changed all corresponding appearances from FT_STRING to FT_GUID, so assert the FT_ type as it should only be a FT_GUID now.
Add a generic implementation in guid_utils.h to have a way to store data about GUID to name resolving (something like value_string for e.g. int). It might be better to have a single registry for all GUID's of all dissectors and implement the GUID name resolving into the proto_tree_add... functions.
svn path=/trunk/; revision=18935
|
|
these fields can help with the everyday work of the DCE/RPC (and upper) protocol dissections
svn path=/trunk/; revision=18784
|
|
variable names
svn path=/trunk/; revision=18688
|
|
bind information,
add a generated field telling the user and add an expert info entry
This often happens when the capture misses the binding procedure at the beginning of a conversation "capture start too late".
svn path=/trunk/; revision=18687
|
|
svn path=/trunk/; revision=18675
|
|
as this is a common behaviour
svn path=/trunk/; revision=18634
|
|
svn path=/trunk/; revision=18613
|
|
char * (just like all the other dissect_dcerpc_...() functions).
This should fix some "differ in signedness" warnings (and maybe will raise new ones, which should be fixed at the calling places then)
svn path=/trunk/; revision=18605
|
|
svn path=/trunk/; revision=18578
|
|
switched to UNICODE compilation
I thought there was a bugzilla entry about this, but couldn't find it
svn path=/trunk/; revision=18561
|
|
svn path=/trunk/; revision=18470
|
|
svn path=/trunk/; revision=18437
|
|
svn path=/trunk/; revision=18196
|
|
svn path=/trunk/; revision=18097
|
|
if decryption failed there was a possibility to dereference a null pointer
svn path=/trunk/; revision=17657
|
|
svn path=/trunk/; revision=17551
|
|
svn path=/trunk/; revision=17538
|
|
use UTF-16 internally and GTK+ 2.x uses UTF-8, which means we have to
do a lots of conversions.
Add utf_8to16() and utf_16to8 convenience functions to strutil.c.
svn path=/trunk/; revision=17534
|
|
svn path=/trunk/; revision=17316
|
|
svn path=/trunk/; revision=17053
|
|
it does not yet multiplex between different files but it is better than nothing
svn path=/trunk/; revision=16484
|
|
a capture file. This should fix bug #536.
Make sure we initialize our hash tables in packet-dcerpc-nt.c and several
other files. Fix up whitespace while we're at it.
svn path=/trunk/; revision=16255
|
|
I've changed all settings I could find to TRUE. It might be reasonable to change some protocol settings back to FALSE, if reassembling fails very often.
svn path=/trunk/; revision=16048
|
|
"dissect_dcerpc_cn_bs_body()", it's because it recognized the packet as
a DCE RPC packet, but it ran out of data dissecting it as such;
increment the count of DCE RPC PDUs, so "dissect_dcerpc_cn_bs_body()"
returns TRUE, and its caller doesn't think nothing was dissected.
Fuzzed with some DCE RPC captures.
svn path=/trunk/; revision=16000
|
|
svn path=/trunk/; revision=15974
|
|
svn path=/trunk/; revision=15962
|
|
svn path=/trunk/; revision=15892
|
|
svn path=/trunk/; revision=15841
|
|
svn path=/trunk/; revision=15803
|
|
it is detected the pdu is "short"
svn path=/trunk/; revision=15796
|
|
svn path=/trunk/; revision=15771
|
|
Unfortunately, I don't have a capture file to test this...
svn path=/trunk/; revision=15763
|
|
fragment_add_seq_next() function instead of fragment_add()
in addition, I had to implement fragment_get_reassembled() in addition to fragment_get(), which works with reassembled_table
svn path=/trunk/; revision=15762
|
|
as connection oriented (cn) and connectionless (dg) DCE/RPC uses different ways to handle defragmentation and this function is only used for dg
svn path=/trunk/; revision=15757
|
|
dependencies)
svn path=/trunk/; revision=15755
|
|
where others might have a look and probably already find it useful :-). Anyway, we can easily disable it at one or two places in the code if it get's in our way of a new release.
Please see: http://wiki.ethereal.com/Development/ExpertInfo for a complete overview of the intended feature and it's current state of implementation.
While I'm working on this, I've also added some more status result codes to the DCE/RPC and DCOM dissectors.
svn path=/trunk/; revision=15754
|