2004-07-10 07:16:55 +00:00
|
|
|
/* packet-dcerpc-frsrpc.c
|
|
|
|
* Routines for the frs (File Replication Service) MSRPC interface
|
|
|
|
* Copyright 2004 Jean-Baptiste Marchand <jbm@hsc.fr>
|
|
|
|
*
|
2004-07-18 00:24:25 +00:00
|
|
|
* $Id$
|
2004-07-10 07:16:55 +00:00
|
|
|
*
|
2006-05-21 04:49:01 +00:00
|
|
|
* Wireshark - Network traffic analyzer
|
|
|
|
* By Gerald Combs <gerald@wireshark.org>
|
2004-07-10 07:16:55 +00:00
|
|
|
* Copyright 1998 Gerald Combs
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
* of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
#include "config.h"
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <glib.h>
|
|
|
|
#include <epan/packet.h>
|
|
|
|
#include "packet-dcerpc.h"
|
|
|
|
#include "packet-dcerpc-frsrpc.h"
|
2007-11-01 20:33:35 +00:00
|
|
|
#include "packet-smb-common.h"
|
|
|
|
#include "packet-windows-common.h"
|
2004-07-10 07:16:55 +00:00
|
|
|
|
2007-11-01 20:33:35 +00:00
|
|
|
static int proto_dcerpc_frsrpc = -1;
|
2004-07-10 07:16:55 +00:00
|
|
|
|
2007-11-01 20:33:35 +00:00
|
|
|
static int hf_frsrpc_opnum = -1;
|
|
|
|
static int hf_frsrpc_tlvsize = -1;
|
|
|
|
static int hf_frsrpc_tlv = -1;
|
|
|
|
static int hf_frsrpc_tlv_item = -1;
|
|
|
|
static int hf_frsrpc_tlv_tag = -1;
|
|
|
|
static int hf_frsrpc_tlv_size = -1;
|
|
|
|
static int hf_frsrpc_tlv_data = -1;
|
|
|
|
static int hf_frsrpc_unknown32 = -1;
|
|
|
|
static int hf_frsrpc_unknownbytes = -1;
|
|
|
|
static int hf_frsrpc_guid_size = -1;
|
|
|
|
static int hf_frsrpc_ssrv_guid = -1;
|
|
|
|
static int hf_frsrpc_dsrv_guid = -1;
|
|
|
|
static int hf_frsrpc_str_size = -1;
|
|
|
|
static int hf_frsrpc_ssrv = -1;
|
|
|
|
static int hf_frsrpc_dsrv = -1;
|
|
|
|
static int hf_frsrpc_timestamp = -1;
|
2004-07-10 07:16:55 +00:00
|
|
|
|
2007-11-01 20:33:35 +00:00
|
|
|
|
|
|
|
static gint ett_dcerpc_frsrpc = -1;
|
|
|
|
static gint ett_frsrpc_tlv = -1;
|
|
|
|
static gint ett_frsrpc_tlv_item = -1;
|
2004-07-10 07:16:55 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
IDL [ uuid(f5cc59b4-4264-101a-8c59-08002b2f8426),
|
|
|
|
IDL version(1.1),
|
|
|
|
IDL implicit_handle(handle_t rpc_binding)
|
|
|
|
IDL ] interface frsrpc
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
static e_uuid_t uuid_dcerpc_frsrpc = {
|
|
|
|
0xf5cc59b4, 0x4264, 0x101a,
|
|
|
|
{ 0x8c, 0x59, 0x08, 0x00, 0x2b, 0x2f, 0x84, 0x26 }
|
|
|
|
};
|
|
|
|
|
|
|
|
static guint16 ver_dcerpc_frsrpc = 1;
|
|
|
|
|
2007-11-01 20:33:35 +00:00
|
|
|
#define TLV_SSRV 3
|
|
|
|
#define TLV_DSRV 4
|
|
|
|
#define TLV_TS 18
|
|
|
|
static const value_string tag_vals[] = {
|
|
|
|
{TLV_SSRV, "SOURCE SERVER"},
|
|
|
|
{TLV_DSRV, "DESTINATION SERVER"},
|
|
|
|
{TLV_TS, "TIMESTAMP"},
|
|
|
|
{0,NULL}
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
dissect_tlv_ssrv(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, guint8 *drep)
|
|
|
|
{
|
|
|
|
int offset = 0;
|
|
|
|
const char *dn;
|
|
|
|
int dn_len;
|
|
|
|
guint16 bc;
|
|
|
|
|
|
|
|
/* a GUID */
|
|
|
|
proto_tree_add_item(tree, hf_frsrpc_guid_size, tvb, offset, 4, TRUE);
|
|
|
|
offset+=4;
|
|
|
|
|
|
|
|
offset=dissect_ndr_uuid_t(tvb, offset, pinfo, tree, drep, hf_frsrpc_ssrv_guid, NULL);
|
|
|
|
|
|
|
|
|
|
|
|
/* the name of the source server sending this */
|
|
|
|
proto_tree_add_item(tree, hf_frsrpc_str_size, tvb, offset, 4, TRUE);
|
|
|
|
dn_len = tvb_get_ntohl(tvb, offset);
|
|
|
|
offset+=4;
|
|
|
|
|
|
|
|
bc = tvb_length_remaining(tvb, offset);
|
|
|
|
dn = get_unicode_or_ascii_string(tvb, &offset, TRUE, &dn_len, TRUE, TRUE, &bc);
|
|
|
|
proto_tree_add_string(tree, hf_frsrpc_ssrv, tvb, offset, dn_len, dn);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
dissect_tlv_dsrv(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, guint8 *drep)
|
|
|
|
{
|
|
|
|
int offset = 0;
|
|
|
|
const char *dn;
|
|
|
|
int dn_len;
|
|
|
|
guint16 bc;
|
|
|
|
|
|
|
|
/* a GUID */
|
|
|
|
proto_tree_add_item(tree, hf_frsrpc_guid_size, tvb, offset, 4, TRUE);
|
|
|
|
offset+=4;
|
|
|
|
|
|
|
|
offset=dissect_ndr_uuid_t(tvb, offset, pinfo, tree, drep, hf_frsrpc_dsrv_guid, NULL);
|
|
|
|
|
|
|
|
|
|
|
|
/* the name of the source server sending this */
|
|
|
|
proto_tree_add_item(tree, hf_frsrpc_str_size, tvb, offset, 4, TRUE);
|
|
|
|
dn_len = tvb_get_ntohl(tvb, offset);
|
|
|
|
offset+=4;
|
|
|
|
|
|
|
|
bc = tvb_length_remaining(tvb, offset);
|
|
|
|
dn = get_unicode_or_ascii_string(tvb, &offset, TRUE, &dn_len, TRUE, TRUE, &bc);
|
|
|
|
proto_tree_add_string(tree, hf_frsrpc_dsrv, tvb, offset, dn_len, dn);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
dissect_tlv_ts(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb, guint8 *drep _U_)
|
|
|
|
{
|
|
|
|
dissect_nt_64bit_time(tvb, tree, 0, hf_frsrpc_timestamp);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
dissect_TLV_blob(packet_info *pinfo, proto_tree *parent_tree, tvbuff_t *tvb, guint8 *drep)
|
|
|
|
{
|
|
|
|
proto_item *item = NULL;
|
|
|
|
proto_tree *tree = NULL;
|
|
|
|
proto_item *tlv_item = NULL;
|
|
|
|
proto_tree *tlv_tree = NULL;
|
|
|
|
unsigned int offset = 0;
|
|
|
|
guint16 tag;
|
|
|
|
guint32 size;
|
|
|
|
|
|
|
|
item = proto_tree_add_item(parent_tree, hf_frsrpc_tlv, tvb, offset, -1, TRUE);
|
|
|
|
tree = proto_item_add_subtree(item, ett_frsrpc_tlv);
|
|
|
|
|
|
|
|
while (offset < tvb_length(tvb)) {
|
|
|
|
unsigned int old_offset = offset;
|
|
|
|
tvbuff_t *next_tvb;
|
|
|
|
|
|
|
|
tlv_item = proto_tree_add_item(tree, hf_frsrpc_tlv_item, tvb, offset, -1, TRUE);
|
|
|
|
tlv_tree = proto_item_add_subtree(tlv_item, ett_frsrpc_tlv_item);
|
|
|
|
|
|
|
|
tag = tvb_get_letohs(tvb, offset);
|
|
|
|
proto_tree_add_item(tlv_tree, hf_frsrpc_tlv_tag, tvb, offset, 2, TRUE);
|
|
|
|
offset+=2;
|
|
|
|
proto_item_append_text(tlv_item, " %s", val_to_str(tag, tag_vals, "UNKNOWN TAG:0x%x"));
|
|
|
|
|
|
|
|
|
|
|
|
size = tvb_get_letohl(tvb, offset);
|
|
|
|
proto_tree_add_item(tlv_tree, hf_frsrpc_tlv_size, tvb, offset, 2, TRUE);
|
|
|
|
offset+=4;
|
|
|
|
|
|
|
|
next_tvb = tvb_new_subset(tvb, offset, size, size);
|
|
|
|
switch (tag) {
|
|
|
|
case TLV_SSRV:
|
|
|
|
dissect_tlv_ssrv(pinfo, tlv_tree, next_tvb, drep);
|
|
|
|
break;
|
|
|
|
case TLV_DSRV:
|
|
|
|
dissect_tlv_dsrv(pinfo, tlv_tree, next_tvb, drep);
|
|
|
|
break;
|
|
|
|
case TLV_TS:
|
|
|
|
dissect_tlv_ts(pinfo, tlv_tree, next_tvb, drep);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
proto_tree_add_item(tlv_tree, hf_frsrpc_tlv_data, next_tvb, 0, size, TRUE);
|
|
|
|
}
|
|
|
|
offset+=size;
|
|
|
|
|
|
|
|
proto_item_set_len(tlv_item, offset-old_offset);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
frsrpc_dissect_SendCommPkt_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
|
|
{
|
|
|
|
tvbuff_t *next_tvb;
|
|
|
|
guint32 tlvsize;
|
|
|
|
dcerpc_info *di;
|
|
|
|
|
|
|
|
di=pinfo->private_data;
|
|
|
|
pinfo->dcerpc_procedure_name="SendCommPkt";
|
|
|
|
|
|
|
|
if(di->conformant_run){
|
|
|
|
/* just a run to handle conformant arrays, no scalars to dissect */
|
|
|
|
return offset;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* 16 unknown bytes */
|
|
|
|
proto_tree_add_item(tree, hf_frsrpc_unknownbytes, tvb, offset, 16, TRUE);
|
|
|
|
offset+=16;
|
|
|
|
|
|
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_frsrpc_tlvsize, 0);
|
|
|
|
|
|
|
|
/* 16 unknown bytes */
|
|
|
|
proto_tree_add_item(tree, hf_frsrpc_unknownbytes, tvb, offset, 16, TRUE);
|
|
|
|
offset+=16;
|
|
|
|
|
|
|
|
/* this is a subcontext that starts with the length of the data in bytes
|
|
|
|
followed by concatenated TLV values.
|
|
|
|
this is NOT ndr encoded
|
|
|
|
*/
|
|
|
|
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, tree, drep, hf_frsrpc_tlvsize, &tlvsize);
|
|
|
|
next_tvb = tvb_new_subset(tvb, offset, tlvsize, tlvsize);
|
|
|
|
dissect_TLV_blob(pinfo, tree, next_tvb, drep);
|
|
|
|
offset+=tlvsize;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
proto_tree_add_item(tree, hf_frsrpc_unknownbytes, tvb, offset, -1, TRUE);
|
|
|
|
offset += tvb_length_remaining(tvb, offset);
|
|
|
|
|
|
|
|
return offset;
|
|
|
|
}
|
2004-07-10 07:16:55 +00:00
|
|
|
|
|
|
|
static dcerpc_sub_dissector dcerpc_frsrpc_dissectors[] = {
|
|
|
|
{ FRSRPC_SEND_COMM_PKT, "FrsRpcSendCommPkt",
|
2007-11-01 20:33:35 +00:00
|
|
|
frsrpc_dissect_SendCommPkt_request, NULL },
|
2004-07-10 07:16:55 +00:00
|
|
|
{ FRSRPC_VERIFY_PROMOTION_PARENT, "FrsRpcVerifyPromotionParent",
|
|
|
|
NULL, NULL },
|
|
|
|
{ FRSRPC_START_PROMOTION_PARENT, "FrsRpcStartPromotionParent",
|
|
|
|
NULL, NULL },
|
|
|
|
{ FRSRPC_NOP, "FrsRpcNop", NULL, NULL },
|
|
|
|
/* operations 4 to 9 are apparently identical */
|
|
|
|
{ FRSRPC_BACKUP_COMPLETE, "FrsRpcBackupComplete", NULL, NULL },
|
|
|
|
{ FRSRPC_BACKUP_COMPLETE_5, "FrsRpcBackupComplete", NULL, NULL },
|
|
|
|
{ FRSRPC_BACKUP_COMPLETE_6, "FrsRpcBackupComplete", NULL, NULL },
|
|
|
|
{ FRSRPC_BACKUP_COMPLETE_7, "FrsRpcBackupComplete", NULL, NULL },
|
|
|
|
{ FRSRPC_BACKUP_COMPLETE_8, "FrsRpcBackupComplete", NULL, NULL },
|
|
|
|
{ FRSRPC_BACKUP_COMPLETE_9, "FrsRpcBackupComplete", NULL, NULL },
|
|
|
|
{ FRSRPC_VERIFY_PROMOTION_PARENT_EX, "FrsRpcVerifyPromotionParentEx",
|
|
|
|
NULL, NULL },
|
|
|
|
{ 0, NULL, NULL, NULL }
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
proto_register_dcerpc_frsrpc(void)
|
|
|
|
{
|
|
|
|
|
|
|
|
static hf_register_info hf[] = {
|
|
|
|
|
|
|
|
{ &hf_frsrpc_opnum,
|
|
|
|
{ "Operation", "frsrpc.opnum", FT_UINT16, BASE_DEC,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, 0x0, NULL, HFILL }},
|
2007-11-01 20:33:35 +00:00
|
|
|
|
|
|
|
{ &hf_frsrpc_unknown32,
|
|
|
|
{ "unknown32", "frsrpc.unknown32", FT_UINT32, BASE_HEX,
|
|
|
|
NULL, 0x0, "unknown int32", HFILL }},
|
|
|
|
|
|
|
|
{ &hf_frsrpc_tlvsize,
|
|
|
|
{ "TLV Size", "frsrpc.tlv_size", FT_UINT32, BASE_DEC,
|
|
|
|
NULL, 0x0, "Size of tlv blob in bytes", HFILL }},
|
|
|
|
|
|
|
|
{ &hf_frsrpc_tlv,
|
|
|
|
{ "TLV", "frsrpc.tlv", FT_NONE, BASE_NONE,
|
|
|
|
NULL, 0x0, "A tlv blob", HFILL }},
|
|
|
|
|
|
|
|
{ &hf_frsrpc_tlv_item,
|
|
|
|
{ "TLV", "frsrpc.tlv_item", FT_NONE, BASE_NONE,
|
|
|
|
NULL, 0x0, "A tlv item", HFILL }},
|
|
|
|
|
|
|
|
{ &hf_frsrpc_tlv_tag,
|
|
|
|
{ "TLV Tag", "frsrpc.tlv.tag", FT_UINT16, BASE_DEC,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, 0x0, NULL, HFILL }},
|
2007-11-01 20:33:35 +00:00
|
|
|
|
|
|
|
{ &hf_frsrpc_tlv_size,
|
|
|
|
{ "TLV Size", "frsrpc.tlv.size", FT_UINT32, BASE_DEC,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, 0x0, NULL, HFILL }},
|
2007-11-01 20:33:35 +00:00
|
|
|
|
|
|
|
{ &hf_frsrpc_tlv_data,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
{ "TLV Data", "frsrpc.tlv.data", FT_BYTES, BASE_NONE,
|
|
|
|
NULL, 0x0, NULL, HFILL }},
|
2007-11-01 20:33:35 +00:00
|
|
|
|
|
|
|
{ &hf_frsrpc_unknownbytes,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
{ "unknown", "frsrpc.unknownbytes", FT_BYTES, BASE_NONE,
|
2007-11-01 20:33:35 +00:00
|
|
|
NULL, 0x0, "unknown bytes", HFILL }},
|
|
|
|
|
|
|
|
{ &hf_frsrpc_guid_size,
|
|
|
|
{ "Guid Size", "frsrpc.guid.size", FT_UINT32, BASE_DEC,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, 0x0, NULL, HFILL }},
|
2007-11-01 20:33:35 +00:00
|
|
|
|
|
|
|
{ &hf_frsrpc_ssrv_guid,
|
|
|
|
{ "SSRV GUID", "frsrpc.ssrv.guid", FT_GUID, BASE_NONE,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, 0x0, NULL, HFILL }},
|
2007-11-01 20:33:35 +00:00
|
|
|
|
|
|
|
{ &hf_frsrpc_dsrv_guid,
|
|
|
|
{ "DSRV GUID", "frsrpc.dsrv.guid", FT_GUID, BASE_NONE,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, 0x0, NULL, HFILL }},
|
2007-11-01 20:33:35 +00:00
|
|
|
|
|
|
|
{ &hf_frsrpc_str_size,
|
|
|
|
{ "String Size", "frsrpc.str.size", FT_UINT32, BASE_DEC,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, 0x0, NULL, HFILL }},
|
2007-11-01 20:33:35 +00:00
|
|
|
|
|
|
|
{ &hf_frsrpc_ssrv,
|
|
|
|
{ "SSRV", "frsrpc.ssrv", FT_STRING, BASE_NONE,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, 0x0, NULL, HFILL }},
|
2007-11-01 20:33:35 +00:00
|
|
|
|
|
|
|
{ &hf_frsrpc_dsrv,
|
|
|
|
{ "DSRV", "frsrpc.dsrv", FT_STRING, BASE_NONE,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, 0x0, NULL, HFILL }},
|
2007-11-01 20:33:35 +00:00
|
|
|
|
|
|
|
{ &hf_frsrpc_timestamp,
|
2009-12-19 03:17:44 +00:00
|
|
|
{ "Timestamp", "frsrpc.timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
|
From Kovarththanan Rajaratnam via bug 3548:
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
2009-06-18 21:30:42 +00:00
|
|
|
NULL, 0x0, NULL, HFILL }},
|
2004-07-10 07:16:55 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
static gint *ett[] = {
|
|
|
|
&ett_dcerpc_frsrpc,
|
2007-11-01 20:33:35 +00:00
|
|
|
&ett_frsrpc_tlv,
|
|
|
|
&ett_frsrpc_tlv_item,
|
2004-07-10 07:16:55 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
proto_dcerpc_frsrpc = proto_register_protocol(
|
|
|
|
"Microsoft File Replication Service", "FRSRPC", "frsrpc");
|
|
|
|
|
|
|
|
proto_register_field_array(proto_dcerpc_frsrpc, hf, array_length(hf));
|
|
|
|
|
|
|
|
proto_register_subtree_array(ett, array_length(ett));
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
proto_reg_handoff_dcerpc_frsrpc(void)
|
|
|
|
{
|
|
|
|
/* register protocol as dcerpc */
|
|
|
|
|
|
|
|
dcerpc_init_uuid(
|
|
|
|
proto_dcerpc_frsrpc, ett_dcerpc_frsrpc, &uuid_dcerpc_frsrpc,
|
|
|
|
ver_dcerpc_frsrpc, dcerpc_frsrpc_dissectors, hf_frsrpc_opnum);
|
|
|
|
}
|