https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4422
From me: Fix a number of instances where the function prototype or
the function definition wasn't changed so there was a mismatch
thus causing Windows (but not gcc) compilation errors.
svn path=/trunk/; revision=32365
unaligned unmarshalling of dissectors generated by PIDL.
This will allow us to use PIDL and additional IDLs from the samba
project since they use "noalign" for certain protocols.
This may also allow us to use PIDL to describe, and machinegenerate
dissectors for normal, non-DCERPC, protocols.
This patch for PIDL is still under review, but the PIDL patch is l;ikely
to be committed soonish.
svn path=/trunk/; revision=31583
ABSOLUTE_TIME_LOCAL or ABSOLUTE_TIME_UTC, indicating whether to display
the date/time in local time or UTC. (int)ABSOLUTE_TIME_LOCAL ==
(int)BASE_NONE, so there's no source or binary compatiblity issue,
although we might want to eliminate BASE_NONE at some point and have the
BASE_ values used with integral types start at 0, so that you can't
specify BASE_NONE for an integral field.
svn path=/trunk/; revision=31319
is ndr64 or not, from the bind information to the data we store for each
individual pdu, since the trnasport syntax may change dynamically back
and forth between "normal" and "ndr64" on the same conversation.
svn path=/trunk/; revision=30226
standard ndr transfer syntax from the epm dissector to packet-dcerpc.c
Add a new transfer syntax : ndr64. This is a new syntax with different
scalar sizes and different alignment rules compared to normal ndr.
It is negotiated and used between w2k8 and samba4 boxens and one may
assume, future versions of windows as well.
We need to associate the transfer syntax with the bind information since
the transfer syntax will change the packet encoding rules for the
protocol.
For example, SAMR, as well as all other interfaces support both syntaxes
and are thus encoded differently, wiht different alignments depending on
which transfer was negotioated during the bind.
This will require additional changes to the dcerpc helpers and also to
pidl.
svn path=/trunk/; revision=30209
(1) Trailing/leading spaces are removed from 'name's/'blurb's
(2) Duplicate 'blurb's are replaced with NULL
(3) Empty ("") 'blurb's are replaced with NULL
(4) BASE_NONE, NULL, 0x0 are used for 'display', 'strings' and 'bitmask' fields
for FT_NONE, FT_BYTES, FT_IPv4, FT_IPv6, FT_ABSOLUTE_TIME, FT_RELATIVE_TIME,
FT_PROTOCOL, FT_STRING and FT_STRINGZ field types
(5) Only allow non-zero value for 'display' if 'bitmask' is non-zero
svn path=/trunk/; revision=28770
add dissection of the 16 byte header prior to the NDR data when NDR is
transported as a blob ontop of !dcerpc
like the LOGON_INFO in the PAC in kerberos
svn path=/trunk/; revision=24289
When offset parameter is 0 replace tvb_bytes_exist() with the faster tvb_length().
On the other hand
if (tvb_bytes_exist(tvb, 0, 20)
is more readable than
if (tvb_length(tvb) >= 20
so only do it in heuristic function
svn path=/trunk/; revision=23412
- if offset is 0, tvb_length is the same as tvb_length_remaining, just faster.
Replace
- col_append_fstr() with faster col_append_str()
- col_add_str() with col_set_str()
when it's safe
svn path=/trunk/; revision=23252
rename dcerpc_smb_fetch_pol to dcerpc_fetch_polhnd_data and also make
it take an additional parameter to return the "type" of the policy
handle, if such a type was stored.
extend the pol_value structure used to track policy handles to also
store a type to represent what created the policy handle
types could be USER/ALIAS/CONNECT/... etc handles returned from the
SAMR interface
add a new helper function dcerpc_store_polhnd_type()
track policy handles between request/responses for dcerpc
update the samr.cnf file to make the samr dissectors for
SetSecurity/QuerySecurity dissect the specific bits for the security
descriptor correctly based on whether the policy handle refers to a
CONNECT/DOMAIN/USER/ALIAS or GROUP
svn path=/trunk/; revision=22703
- s/ntohl/g_ntohl
- s/free/g_free
- Change some tvb_get_string()+g_free()'s into tvb_get_ephemeral_string()
- Change some tvb_fake_unicode()+g_free()'s into tvb_get_ephemeral_faked_unicode()
- Change some tvb_get_string() calls that were clearly memory leaks (like
atoi(tvb_get_string(...))) into tvb_get_ephemeral_string()
svn path=/trunk/; revision=22515
I have a little additional patch, that makes it easier to see what which bytes
are not caught by the sub_dissector.
And it makes it easy to select and export the full payload to a file.
svn path=/trunk/; revision=19987
reported by Benjamin Meyer
WireShark marks DCE RPC FACKs as "malformed" if they do not have a body.
According to DCE RPC Spec. 1.1 FACKs "may contain" a body PTU.
I am unable to build WireShark (lack of time to install all neccessary stuff)
but I looked at the SourceCode. I think, at least this has to be fixed:
file: epan/dissectors/packet-dcerpc.c
function: static gboolean dissect_dcerpc_dg (tvbuff_t *tvb, packet_info *pinfo,
proto_tree *tree)
*snip*
case PDU_FACK
dissect_dcerpc_dg_fack (tvb, offset, pinfo, dcerpc_tree, &hdr);
break;
*snap*
I guess, it should look like "case PDU_NOCALL:" directly above.
svn path=/trunk/; revision=19952
I have figured out one of the fields in the MAPI
EcRRegisterPushNotification packet. The field is a UDP port number that
the client wants the Exchange server to send new mail notifications on.
These notifications are on a port > 1023 and are always 8 bytes long.
It looks like I would add the function name to the
dcerpc_mapi_dissectors[] for the register push notification. What would
my new function need to do besides display the field?
Thanks,
Steve
Here is a patch to add this functionality. It displays the notification
port and the notification payload (not sure what the payload itself
means yet). It also dynamically registers each notification port found
with a new dissector (that I called newmail for lack of a better name -
I'm open to suggestions) that displays the notification payload. This
is all undocumented by Microsoft in their usual fashion.
I also changed the code to always display the mapi.opnum field;
currently, the mapi.opnum is only displayed when the
dcerpc_mapi_dissector is null.
Steve
svn path=/trunk/; revision=19350
dont try dcerpc reassembly of fragments if we dont have the entire pdu
only call the heuristical dissectors once from smb/pipe as per guy(?)s comments about idempotence.
when doing reassembly, the dcerpc dissector is indeed not idempotent any more.
svn path=/trunk/; revision=19304
the biggest problem in changing this is the dcv->private_data usage.
add a dcv->se_data which can keep data around from a request to a response and use this to change the LSA/OpenPolicy2 servername passing from request to response as a test pattern of moving all users of dcv->private data over to use dcv->se_data.
once all users are migrated over we can then change the dcv->private data pointer to be of ep scope and thus not need an explicit free (which is quite difficult and it is quite difficult in the old semantics to know WHEN we need to free this pointer)
this will eventually make the usage more clean and at the same time close down quite a few memory leaks.
eventually this will make dissect_ndr_nt_SID return a pointer to ep allocated memory that need not be explicitely freed.
svn path=/trunk/; revision=19226