/* packet-dcerpc.h * Copyright 2001, Todd Sabin * Copyright 2003, Tim Potter * * $Id: packet-dcerpc.h,v 1.35 2003/09/26 06:30:13 tpot Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs * Copyright 1998 Gerald Combs * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifndef __PACKET_DCERPC_H__ #define __PACKET_DCERPC_H__ #include typedef struct _e_uuid_t { guint32 Data1; guint16 Data2; guint16 Data3; guint8 Data4[8]; } e_uuid_t; /* %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x */ #define DCERPC_UUID_STR_LEN 36+1 typedef struct _e_ctx_hnd { guint32 Data1; e_uuid_t uuid; } e_ctx_hnd; typedef struct _e_dce_cn_common_hdr_t { guint8 rpc_ver; guint8 rpc_ver_minor; guint8 ptype; guint8 flags; guint8 drep[4]; guint16 frag_len; guint16 auth_len; guint32 call_id; } e_dce_cn_common_hdr_t; typedef struct _e_dce_dg_common_hdr_t { guint8 rpc_ver; guint8 ptype; guint8 flags1; guint8 flags2; guint8 drep[3]; guint8 serial_hi; e_uuid_t obj_id; e_uuid_t if_id; e_uuid_t act_id; guint32 server_boot; guint32 if_ver; guint32 seqnum; guint16 opnum; guint16 ihint; guint16 ahint; guint16 frag_len; guint16 frag_num; guint8 auth_proto; guint8 serial_lo; } e_dce_dg_common_hdr_t; typedef struct _dcerpc_auth_info { guint8 auth_pad_len; guint8 auth_level; guint8 auth_type; guint32 auth_size; tvbuff_t *auth_data; } dcerpc_auth_info; #define PDU_REQ 0 #define PDU_PING 1 #define PDU_RESP 2 #define PDU_FAULT 3 #define PDU_WORKING 4 #define PDU_NOCALL 5 #define PDU_REJECT 6 #define PDU_ACK 7 #define PDU_CL_CANCEL 8 #define PDU_FACK 9 #define PDU_CANCEL_ACK 10 #define PDU_BIND 11 #define PDU_BIND_ACK 12 #define PDU_BIND_NAK 13 #define PDU_ALTER 14 #define PDU_ALTER_ACK 15 #define PDU_AUTH3 16 #define PDU_SHUTDOWN 17 #define PDU_CO_CANCEL 18 #define PDU_ORPHANED 19 /* * helpers for packet-dcerpc.c and packet-dcerpc-ndr.c * If you're writing a subdissector, you almost certainly want the * NDR functions below. */ guint16 dcerpc_tvb_get_ntohs (tvbuff_t *tvb, gint offset, char *drep); guint32 dcerpc_tvb_get_ntohl (tvbuff_t *tvb, gint offset, char *drep); void dcerpc_tvb_get_uuid (tvbuff_t *tvb, gint offset, char *drep, e_uuid_t *uuid); int dissect_dcerpc_uint8 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, guint8 *pdata); int dissect_dcerpc_uint16 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, guint16 *pdata); int dissect_dcerpc_uint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, guint32 *pdata); int dissect_dcerpc_uint64 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, unsigned char *pdata); int dissect_dcerpc_float (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, gfloat *pdata); int dissect_dcerpc_double (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, gdouble *pdata); int dissect_dcerpc_time_t (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, guint32 *pdata); /* * NDR routines for subdissectors. */ int dissect_ndr_uint8 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, guint8 *pdata); int dissect_ndr_uint16 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, guint16 *pdata); int dissect_ndr_uint32 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, guint32 *pdata); int dissect_ndr_uint64 (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, unsigned char *pdata); int dissect_ndr_float (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, gfloat *pdata); int dissect_ndr_double (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, gdouble *pdata); int dissect_ndr_time_t (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, guint32 *pdata); int dissect_ndr_uuid_t (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, e_uuid_t *pdata); int dissect_ndr_ctx_hnd (tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, int hfindex, e_ctx_hnd *pdata); typedef int (dcerpc_dissect_fnct_t)(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, char *drep); typedef void (dcerpc_callback_fnct_t)(packet_info *pinfo, proto_tree *tree, proto_item *item, tvbuff_t *tvb, int start_offset, int end_offset, void *callback_args); #define NDR_POINTER_REF 1 #define NDR_POINTER_UNIQUE 2 #define NDR_POINTER_PTR 3 int dissect_ndr_pointer_cb(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, dcerpc_dissect_fnct_t *fnct, int type, char *text, int hf_index, dcerpc_callback_fnct_t *callback, void *callback_args); int dissect_ndr_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, dcerpc_dissect_fnct_t *fnct, int type, char *text, int hf_index); /* dissect a NDR unidimensional conformant array */ int dissect_ndr_ucarray(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, dcerpc_dissect_fnct_t *fnct); /* dissect a NDR unidimensional conformant and varying array */ int dissect_ndr_ucvarray(tvbuff_t *tvb, gint offset, packet_info *pinfo, proto_tree *tree, char *drep, dcerpc_dissect_fnct_t *fnct); int dissect_ndr_byte_array(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, char *drep); int dissect_ndr_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, char *drep, int size_is, int hfinfo, gboolean add_subtree, char **data); int dissect_ndr_char_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, char *drep); int dissect_ndr_wchar_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, char *drep); typedef struct _dcerpc_sub_dissector { guint16 num; gchar *name; dcerpc_dissect_fnct_t *dissect_rqst; dcerpc_dissect_fnct_t *dissect_resp; } dcerpc_sub_dissector; /* registration function for subdissectors */ void dcerpc_init_uuid (int proto, int ett, e_uuid_t *uuid, guint16 ver, dcerpc_sub_dissector *procs, int opnum_hf); char *dcerpc_get_proto_name(e_uuid_t *uuid, guint16 ver); dcerpc_sub_dissector *dcerpc_get_proto_sub_dissector(e_uuid_t *uuid, guint16 ver); /* Create a opnum, name value_string from a subdissector list */ value_string *value_string_from_subdissectors(dcerpc_sub_dissector *sd); /* Private data structure to pass to DCERPC dissector. This is used to pass transport specific information down to the dissector from the dissector that parsed this encapsulated calls. */ #define DCERPC_TRANSPORT_SMB 1 typedef struct _dcerpc_private_info { int transport_type; /* Tag */ union { struct { /* DCERPC_TRANSPORT_SMB */ guint16 fid; } smb; } data; } dcerpc_private_info; /* Private data passed to subdissectors from the main DCERPC dissector. */ typedef struct _dcerpc_call_value { e_uuid_t uuid; guint16 ver; guint16 opnum; guint32 req_frame; nstime_t req_time; guint32 rep_frame; guint32 max_ptr; void *private_data; } dcerpc_call_value; typedef struct _dcerpc_info { conversation_t *conv; /* Which TCP stream we are in */ guint32 call_id; /* Context id for this call */ guint16 smb_fid; /* FID for DCERPC over SMB */ gboolean request; gboolean conformant_run; gint32 conformant_eaten; /* how many bytes did the conformant run eat?*/ guint32 array_max_count; /* max_count for conformant arrays */ guint32 array_max_count_offset; guint32 array_offset; guint32 array_offset_offset; guint32 array_actual_count; guint32 array_actual_count_offset; int hf_index; dcerpc_call_value *call_data; void *private_data; } dcerpc_info; /* the registered subdissectors */ extern GHashTable *dcerpc_uuids; typedef struct _dcerpc_uuid_key { e_uuid_t uuid; guint16 ver; } dcerpc_uuid_key; typedef struct _dcerpc_uuid_value { int proto; int ett; gchar *name; dcerpc_sub_dissector *procs; int opnum_hf; } dcerpc_uuid_value; /* Authenticated pipe registration functions and miscellanea */ typedef tvbuff_t *(dcerpc_decode_data_fnct_t)(tvbuff_t *tvb, int offset, packet_info *pinfo, dcerpc_auth_info *auth_info); typedef struct _dcerpc_auth_subdissector_fns { /* Dissect credentials and verifiers */ dcerpc_dissect_fnct_t *bind_fn; dcerpc_dissect_fnct_t *bind_ack_fn; dcerpc_dissect_fnct_t *auth3_fn; dcerpc_dissect_fnct_t *req_verf_fn; dcerpc_dissect_fnct_t *resp_verf_fn; /* Decrypt encrypted requests/response PDUs */ dcerpc_decode_data_fnct_t *req_data_fn; dcerpc_decode_data_fnct_t *resp_data_fn; } dcerpc_auth_subdissector_fns; void register_dcerpc_auth_subdissector(guint8 auth_level, guint8 auth_type, dcerpc_auth_subdissector_fns *fns); /* Authentication services */ #define DCE_C_RPC_AUTHN_PROTOCOL_NONE 0 #define DCE_C_RPC_AUTHN_PROTOCOL_KRB5 1 #define DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO 9 #define DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP 10 #define DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN 68 /* Protection levels */ #define DCE_C_AUTHN_LEVEL_NONE 1 #define DCE_C_AUTHN_LEVEL_CONNECT 2 #define DCE_C_AUTHN_LEVEL_CALL 3 #define DCE_C_AUTHN_LEVEL_PKT 4 #define DCE_C_AUTHN_LEVEL_PKT_INTEGRITY 5 #define DCE_C_AUTHN_LEVEL_PKT_PRIVACY 6 #endif /* packet-dcerpc.h */