Don't use a global variable named "gmtime" - some versions of
NetBSD define it in <time.h> - use "_gmtime" instead, so we can
build on those NetBSD systems.
svn path=/trunk/; revision=1375
responses and adds some more stuff.
I will have to decode NTcreateAndX requests and responses soon as well
as the MSRPC stuff ...
svn path=/trunk/; revision=1356
Now should be decoding the names of lots more LanMan API request. These
were culled from Samba. Would be good to go through and give names to the
fields as well.
Will soon decode the response structures returned and then will look at
ways to specify that built-in routines should be called to decode an element.
I also need some captures with UNICODE in them. Anyone got any? Someone
sent in a patch for UNICODE handling, but I did not realize what it was and
now the code has diverged so far it is hard to apply the patch ...
Send captures to rsharpe@ns.aus.com./
svn path=/trunk/; revision=1334
from Guy, plus a few more of my own.
Also added in basic response decoding where we don't know what it is ...
Got more to do, as well as decoding returned data ... Thinking about that
now, and will have a data-drived approach.
I need some way to specify that an internal routine be called for some types
of data where we know what type it is, in the case of Server Types for
example ...
svn path=/trunk/; revision=1294
Fixed up some bugs to do with NetShareEnum. There is still a persistent bug
left that looks like an alignment problem. Damn documentation does not talk
about the need to align the response structures for a NetServerEnum2 on SHORT
boundaries, but it sure looks like they should be so.
svn path=/trunk/; revision=1235
UNICODE strings in transact SMBs.
Added decode of NetShareEnum transact request. Will have to clean that all
up and use the decode engine when I get it done.
Still more fix ups to be done, but the book is calling, and I have to write
some stuff after an interview with LinuxCare.
svn path=/trunk/; revision=1113
I still have compile warnings, but I am too tired to chase them down.
Have also fixed a number of problems.
Next thing to add is a general engine that can decode Transact messages
as they can be decode from the descriptors in the Parameters area, and I
can feed in a list of names where we know what a structure looks like,
otherwise we use made up names.
svn path=/trunk/; revision=1079
(remove commas following the last member of an enum, make all bit fields
"guint32" - GCC lets you get away with that, but at least some other
compilers don't).
svn path=/trunk/; revision=1052
routines, which are called before a dissection pass is made over all the
packets in a capture - the "init" routine would clear out any state
information that needs to be initialized before such a dissection pass.
Make the NCP, SMB, AFS, and ONC RPC dissectors register their "init"
routines with that mechanism, have the code that reads in a capture file
call the routine that calls all registered "init" routines rather than
calling a wired-in set of "init" routines, and also have the code that
runs a filtering or colorizing pass over all the packets call that
routine, as a filtering or colorizing pass is a dissection pass.
Have the ONC RPC "init" routine zero out the table of RPC calls, so that
it completely erases any state from the previous dissection pass (so
that, for example, if you run a filtering pass, it doesn't mark any
non-duplicate packets as duplicates because it remembers them from the
previous pass).
svn path=/trunk/; revision=1050
dynamically-assigned "ett_" integer values, assigned by
"proto_register_subtree_array()"; this:
obviates the need to update "packet.h" whenever you add a new
subtree type - you only have to add a call to
"proto_register_subtree_array()" to a "register" routine and an
array of pointers to "ett_", if they're not already there, and
add a pointer to the new "ett_" variable to the array, if they
are there;
would allow run-time-loaded dissectors to allocate subtree types
when they're loaded.
svn path=/trunk/; revision=1043
There was a core dump because of a coding oversight. Should be fixed
now Gilbert.
Should now handle names of form \<somepipe>
Will screw up if there is no leading slash, but in a non-fatal way, I
think.
svn path=/trunk/; revision=1041
much more complete decoding of browse messages.
They are now shown in the parent tree as well.
I still have problems with:
1. Times
2. Election criteral
I also haven't been able to see a BecomeBackup request, nor a
GetBackupListResp with more than one browser ... Should run a Windows NT
server or another Samba on my network.
I am also not sure of there are any more message types. Damn! Old, and
wrong MS documents!
svn path=/trunk/; revision=1025
MS Windows Browser messages. Can decode host announcements now.
Still need to decode more. Also need to break the new code out.
I also have the Browse tree at the wrong location. Can I get at the
parent of the tree somewhere, or do I have to pass it in as a variable?
svn path=/trunk/; revision=1024
Replace "add_to_conversation()" with:
"conversation_new()", which creates a new conversation, given
source and destination addresses and ports, and returns a
pointer to the structure for the conversation;
"find_conversation()", which tries to find a conversation for
given source and destination addresses and ports, and returns a
pointer to the structure for the conversation if found, and a
null pointer if not found.
Add a private data pointer field to the conversation structure, and have
"conversation_new()" take an argument that specifies what to set that
pointer to; that lets clients of the conversation code hang arbitrary
data off the conversation (e.g., a hash table of protocol requests and
replies, in case the protocol is a request/reply protocol wherein the
reply doesn't say what type of request it's a reply to, and you need
that information to dissect the reply).
svn path=/trunk/; revision=920
structure to "dl_src"/"dl_dst", "net_src"/"net_dst", and "src"/"dst"
addresses, where an address is an address type, an address length in
bytes, and a pointer to that many bytes.
"dl_{src,dst}" are the link-layer source/destination; "net_{src,dst}"
are the network-layer source/destination; "{src,dst}" are the
source/destination from the highest of those two layers that we have in
the packet.
Add a port type to "packet_info" as well, specifying whether it's a TCP
or UDP port.
Don't set the address and port columns in the dissector functions; just
set the address and port members of the "packet_info" structure. Set
the columns in "fill_in_columns()"; this means that if we're showing
COL_{DEF,RES,UNRES}_SRC" or "COL_{DEF,RES,UNRES}_DST", we only generate
the string from "src" or "dst", we don't generate a string for the
link-layer address and then overwrite it with a string for the
network-layer address (generating those strings costs CPU).
Add support for "conversations", where a "conversation" is (at present)
a source and destination address and a source and destination port. (In
the future, we may support "conversations" above the transport layer,
e.g. a TFTP conversation, where the first packet goes from the client to
the TFTP server port, but the reply comes back from a different port,
and all subsequent packets go between the client address/port and the
server address/new port, or an NFS conversation, which might include
lock manager, status monitor, and mount packets, as well as NFS
packets.)
Currently, all we support is a call that takes the source and
destination address/port pairs, looks them up in a hash table, and:
if nothing is found, creates a new entry in the hash table, and
assigns it a unique 32-bit conversation ID, and returns that
conversation ID;
if an entry is found, returns its conversation ID.
Use that in the SMB and AFS code to keep track of individual SMB or AFS
conversations. We need to match up requests and replies, as, for
certain replies, the operation code for the request to which it's a
reply doesn't show up in the reply - you have to find the request with a
matching transaction ID. Transaction IDs are per-conversation, so the
hash table for requests should include a conversation ID and transaction
ID as the key.
This allows SMB and AFS decoders to handle IPv4 or IPv6 addresses
transparently (and should allow the SMB decoder to handle NetBIOS atop
other protocols as well, if the source and destination address and port
values in the "packet_info" structure are set appropriately).
In the "Follow TCP Connection" code, check to make sure that the
addresses are IPv4 addressses; ultimately, that code should be changed
to use the conversation code instead, which will let it handle IPv6
transparently.
svn path=/trunk/; revision=909
Is this file generated code ?
If not, please :
- get rid of compilation warnings
- put the # of preprocessor macros at the first column
svn path=/trunk/; revision=863
Added decoder for transact SMBs.
Changed things a lot for state keeping.
Next thing is to decode transacts and transact2s more.
svn path=/trunk/; revision=860
Also added first pass of state keeping. I am using glib's hash
functions.
Modelled after packet-ncp.c.
We will need to standardize the <proto>_init_protocol functions called in
file.c at some stage ...
I will have a couple of more goes at the state keeping before I am finished.
At the moment, the infrastructure is there but I do nothing with it.
svn path=/trunk/; revision=798
as an argument. ("time_t" could be 64 bits - I think it is 64 bits on
some platforms, e.g. Alpha Linux - and it's typically signed rather
than unsigned.)
svn path=/trunk/; revision=760
1. Fix some silly errors.
2. Dont decode beyond Word Count if errcode > 0
3. Decode a bunch mode SMBs
Next is to keep state so we can do a better job ...
svn path=/trunk/; revision=758
specified number of bytes of captured data in the frame at the specified
offset, and a "IS_DATA_IN_FRAME()" macro, to test whether there are any
bytes of captured data in the frame at the specified offset, and convert
some bounds checks to use them.
Add a dissector for the Internet Printing Protocol.
svn path=/trunk/; revision=685
use END_OF_FRAME), so that they don't look at stuff in an IP datagram
past the end of the IP datagram (i.e., frame padding).
svn path=/trunk/; revision=584
bunch of source files.
Replace the "payload" field of a "packet_info" structure with "len" and
"captured_len" fields, which contain the total packet length and total
captured packet length (including all headers) at the current protocol
layer (i.e., if a given layer has a length field, and that length field
says its shorter than the length we got from the capture, reduce the
"pi.len" and "pi.captured_len" values appropriately). Those fields can
be used in the future if we add checks to make sure a field we're
extracting from a packet doesn't go past the end of the packet, or past
the captured part of the packet.
Get rid of the additional payload argument to some dissection functions;
use "pi.captured_len - offset" instead.
Have the END_OF_FRAME macro use "pi.captured_len" rather than
"fd->cap_len", so that "dissect the rest of the frame" becomes "dissect
the rest of the packet", and doesn't dissect end-of-frame padding such
as padding added to make an Ethernet frame 60 or more octets long. (We
might want to rename it END_OF_PACKET; if we ever want to label the
end-of-frame padding for the benefit of people curious what that extra
gunk is, we could have a separate END_OF_FRAME macro that uses
"fd->cap_len".)
svn path=/trunk/; revision=506
but does not link. Perhaps someone who understands the MS tools can help
out. I made it link a few months ago, but with different version of glib/gtk+.
I can't remember how I made it link.
Most of the compatibility issues were resolved with adding
#ifdef HAVE_UNISTD_H the the source code. Please be sure to add this to all
future code.
svn path=/trunk/; revision=359
problems with single bit fields when declared as an enumerated field.
It shows an unknown ... Damn ... Can't see what the problem is.
svn path=/trunk/; revision=353
mechanism that is built into ethereal. Wiretap is now used to read all
file formats. Libpcap is used only for capturing.
svn path=/trunk/; revision=342
"fd->cap_len - offset", i.e. END_OF_FRAME, is unsigned, so
while (END_OF_FRAME > 0) {
doesn't keep you out of the loop if "offset" is already beyond
"fd->cap_len", so you can try processing stuff past the end of the
captured data in the packet.
svn path=/trunk/; revision=298
Guy Harris