2014-06-21 01:35:40 +00:00
|
|
|
/* packet-ldap-template.c
|
2005-12-09 16:46:24 +00:00
|
|
|
* Routines for ldap packet dissection
|
|
|
|
|
*
|
2014-06-21 01:35:40 +00:00
|
|
|
* See RFC 1777 (LDtAP v2), RFC 4511 (LDAP v3), and RFC 2222 (SASL).
|
2005-12-09 16:46:24 +00:00
|
|
|
*
|
2006-05-21 05:12:17 +00:00
|
|
|
* Wireshark - Network traffic analyzer
|
|
|
|
|
* By Gerald Combs <gerald@wireshark.org>
|
2005-12-09 16:46:24 +00:00
|
|
|
* Copyright 1998 Gerald Combs
|
|
|
|
|
*
|
2018-02-12 11:23:27 +00:00
|
|
|
* SPDX-License-Identifier: GPL-2.0-or-later
|
2005-12-09 16:46:24 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* This is not a complete implementation. It doesn't handle the full version 3, more specifically,
|
|
|
|
|
* it handles only the commands of version 2, but any additional characteristics of the ver3 command are supported.
|
|
|
|
|
* It's also missing extensible search filters.
|
|
|
|
|
*
|
2013-02-26 04:42:26 +00:00
|
|
|
* There should probably be a lot more error checking, I simply assume that if we have a full packet, it will be a complete
|
2005-12-09 16:46:24 +00:00
|
|
|
* and correct packet.
|
|
|
|
|
*
|
|
|
|
|
* AFAIK, it will handle all messages used by the OpenLDAP 1.2.9 server and libraries which was my goal. I do plan to add
|
|
|
|
|
* the remaining commands as time permits but this is not a priority to me. Send me an email if you need it and I'll see what
|
|
|
|
|
* I can do.
|
|
|
|
|
*
|
|
|
|
|
* Doug Nazar
|
|
|
|
|
* nazard@dragoninc.on.ca
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* 11/11/2002 - Fixed problem when decoding LDAP with desegmentation enabled and the
|
|
|
|
|
* ASN.1 BER Universal Class Tag: "Sequence Of" header is encapsulated across 2
|
|
|
|
|
* TCP segments.
|
|
|
|
|
*
|
|
|
|
|
* Ronald W. Henderson
|
|
|
|
|
* ronald.henderson@cognicaseusa.com
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* 20-JAN-2004 - added decoding of MS-CLDAP netlogon RPC
|
|
|
|
|
* using information from the SNIA 2003 conference paper :
|
|
|
|
|
* Active Directory Domain Controller Location Service
|
|
|
|
|
* by Anthony Liguori
|
|
|
|
|
* ronnie sahlberg
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* 17-DEC-2004 - added basic decoding for LDAP Controls
|
|
|
|
|
* 20-DEC-2004 - added handling for GSS-API encrypted blobs
|
|
|
|
|
*
|
|
|
|
|
* Stefan Metzmacher <metze@samba.org>
|
|
|
|
|
*
|
2006-05-23 15:17:14 +00:00
|
|
|
* 15-NOV-2005 - Changed to use the asn2wrs compiler
|
2005-12-09 16:46:24 +00:00
|
|
|
* Anders Broman <anders.broman@ericsson.com>
|
|
|
|
|
*/
|
|
|
|
|
|
2008-08-06 06:53:04 +00:00
|
|
|
/*
|
|
|
|
|
* 3-AUG-2008 - Extended the cldap support to include all netlogon data types.
|
2015-11-27 22:06:01 +00:00
|
|
|
* Updated cldap_netlogon_flags to include Windows 2008 flags
|
|
|
|
|
* Expanded the ntver ldap option with bit field
|
2008-08-06 06:53:04 +00:00
|
|
|
*
|
|
|
|
|
* Gary Reynolds <gazzadownunder@yahoo.co.uk>
|
|
|
|
|
*/
|
|
|
|
|
|
2009-12-12 09:30:49 +00:00
|
|
|
/*
|
|
|
|
|
* 09-DEC-2009 - Added support for RFC4533
|
|
|
|
|
* Content Synchronization Operation (aka syncrepl)
|
|
|
|
|
* 11-DEC-2009 - Added support for IntermediateResponse (LDAP v3 from RFC 4511)
|
|
|
|
|
* Mathieu Parent <math.parent@gmail.com>
|
|
|
|
|
*/
|
|
|
|
|
|
2012-09-20 01:29:52 +00:00
|
|
|
#include "config.h"
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
#include <epan/packet.h>
|
2013-11-10 15:59:37 +00:00
|
|
|
#include <epan/exceptions.h>
|
2005-12-09 16:46:24 +00:00
|
|
|
#include <epan/conversation.h>
|
|
|
|
|
#include <epan/prefs.h>
|
|
|
|
|
#include <epan/tap.h>
|
Further refactor SRT stats.
Create "common" SRT tap data collection intended for all GUIs. Refactor/merge functionality of existing dissectors that have SRT support (AFP, DCERPC, Diameter, FC, GTP, LDAP, NCP, RPC, SCIS, SMB, and SMB2) for both TShark and GTK.
SMB and DCERPC "tap packet filtering" were different between TShark and GTK, so I went with GTK filter logic.
CAMEL "tap packet filtering" was different between TShark and GTK, so GTK filtering logic was pushed to the dissector and the TShark tap was left alone.
Change-Id: I7d6eaad0673fe628ef337f9165d7ed94f4a5e1cc
Reviewed-on: https://code.wireshark.org/review/8894
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-06-16 21:07:04 +00:00
|
|
|
#include <epan/srt_table.h>
|
2007-08-25 01:14:24 +00:00
|
|
|
#include <epan/oids.h>
|
2006-05-01 17:43:29 +00:00
|
|
|
#include <epan/strutil.h>
|
Move show_exception() and show_reported_bounds_error() to
epan/show_exception.c, as it's used outside
epan/dissectors/packet-frame.c. Update their callers to include
<epan/show_exception.h> to get their declaration.
Add a CATCH_NONFATAL_ERRORS macro that catches all exceptions that, if
there's more stuff in the packet to dissect after the dissector call
that threw the exception, doesn't mean you shouldn't go ahead and
dissect that stuff. Use it in all those cases, including ones where
BoundsError was inappropriately being caught (you want those passed up
to the top level, so that the packet is reported as having been cut
short in the capture process).
Add a CATCH_BOUNDS_ERRORS macro that catches all exceptions that
correspond to running past the end of the data for a tvbuff; use it
rather than explicitly catching those exceptions individually, and
rather than just catching all exceptions (the only place that
DissectorError should be caught, for example, is at the top level, so
dissector bugs show up in the protocol tree).
Don't catch and then immediately rethrow exceptions without doing
anything else; just let the exceptions go up to the final catcher.
Use show_exception() to report non-fatal errors, rather than doing it
yourself.
If a dissector is called from Lua, catch all non-fatal errors and use
show_exception() to report them rather than catching only
ReportedBoundsError and adding a proto_malformed item.
Don't catch exceptions when constructing a trailer tvbuff in
packet-ieee8023.c - just construct it after the payload has been
dissected, and let whatever exceptions that throws be handled at the top
level.
Avoid some TRY/CATCH/ENDTRY cases by using checks such as
tvb_bytes_exist() before even looking in the tvbuff.
svn path=/trunk/; revision=47924
2013-02-27 22:43:54 +00:00
|
|
|
#include <epan/show_exception.h>
|
2007-05-01 22:05:11 +00:00
|
|
|
#include <epan/asn1.h>
|
2011-03-01 00:50:17 +00:00
|
|
|
#include <epan/expert.h>
|
2012-03-30 09:08:55 +00:00
|
|
|
#include <epan/uat.h>
|
2015-11-04 08:45:54 +00:00
|
|
|
#include <wsutil/str_util.h>
|
2014-12-23 05:32:58 +00:00
|
|
|
#include "packet-frame.h"
|
|
|
|
|
#include "packet-tcp.h"
|
|
|
|
|
#include "packet-windows-common.h"
|
|
|
|
|
#include "packet-dcerpc.h"
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
#include "packet-ldap.h"
|
2006-10-11 08:18:14 +00:00
|
|
|
#include "packet-ntlmssp.h"
|
2018-09-14 15:30:31 +00:00
|
|
|
#include "packet-tls.h"
|
|
|
|
|
#include "packet-tls-utils.h"
|
2008-08-06 06:53:04 +00:00
|
|
|
#include "packet-smb-common.h"
|
2015-11-02 21:47:26 +00:00
|
|
|
#include "packet-gssapi.h"
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
#include "packet-ber.h"
|
|
|
|
|
#include "packet-per.h"
|
2011-02-23 00:51:02 +00:00
|
|
|
#include "packet-dns.h"
|
2005-12-09 16:46:24 +00:00
|
|
|
|
2009-06-30 08:28:21 +00:00
|
|
|
#define PNAME "Lightweight Directory Access Protocol"
|
2005-12-09 16:46:24 +00:00
|
|
|
#define PSNAME "LDAP"
|
|
|
|
|
#define PFNAME "ldap"
|
|
|
|
|
|
2013-12-08 22:02:12 +00:00
|
|
|
void proto_register_ldap(void);
|
|
|
|
|
void proto_reg_handoff_ldap(void);
|
|
|
|
|
|
2005-12-09 16:46:24 +00:00
|
|
|
/* Initialize the protocol and registered fields */
|
|
|
|
|
static int ldap_tap = -1;
|
|
|
|
|
static int proto_ldap = -1;
|
|
|
|
|
static int proto_cldap = -1;
|
|
|
|
|
|
2006-05-08 17:52:42 +00:00
|
|
|
static int hf_ldap_sasl_buffer_length = -1;
|
|
|
|
|
static int hf_ldap_response_in = -1;
|
|
|
|
|
static int hf_ldap_response_to = -1;
|
|
|
|
|
static int hf_ldap_time = -1;
|
2006-07-12 09:02:00 +00:00
|
|
|
static int hf_ldap_guid = -1;
|
2006-05-08 17:52:42 +00:00
|
|
|
|
2008-08-06 06:53:04 +00:00
|
|
|
static int hf_mscldap_ntver_flags = -1;
|
|
|
|
|
static int hf_mscldap_ntver_flags_v1 = -1;
|
|
|
|
|
static int hf_mscldap_ntver_flags_v5 = -1;
|
|
|
|
|
static int hf_mscldap_ntver_flags_v5ex = -1;
|
2011-01-06 18:08:14 +00:00
|
|
|
static int hf_mscldap_ntver_flags_v5ep = -1;
|
|
|
|
|
static int hf_mscldap_ntver_flags_vcs = -1;
|
|
|
|
|
static int hf_mscldap_ntver_flags_vnt4 = -1;
|
|
|
|
|
static int hf_mscldap_ntver_flags_vpdc = -1;
|
|
|
|
|
static int hf_mscldap_ntver_flags_vip = -1;
|
|
|
|
|
static int hf_mscldap_ntver_flags_vl = -1;
|
|
|
|
|
static int hf_mscldap_ntver_flags_vgc = -1;
|
|
|
|
|
|
2008-08-06 06:53:04 +00:00
|
|
|
static int hf_mscldap_netlogon_ipaddress_family = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_ipaddress_port = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_ipaddress = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_ipaddress_ipv4 = -1;
|
2011-01-06 22:24:10 +00:00
|
|
|
static int hf_mscldap_netlogon_opcode = -1;
|
2006-05-02 05:35:55 +00:00
|
|
|
static int hf_mscldap_netlogon_flags = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_flags_pdc = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_flags_gc = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_flags_ldap = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_flags_ds = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_flags_kdc = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_flags_timeserv = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_flags_closest = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_flags_writable = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_flags_good_timeserv = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_flags_ndnc = -1;
|
2008-08-06 06:53:04 +00:00
|
|
|
static int hf_mscldap_netlogon_flags_fnc = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_flags_dnc = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_flags_dns = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_flags_wdc = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_flags_rodc = -1;
|
2006-05-02 05:35:55 +00:00
|
|
|
static int hf_mscldap_domain_guid = -1;
|
|
|
|
|
static int hf_mscldap_forest = -1;
|
|
|
|
|
static int hf_mscldap_domain = -1;
|
|
|
|
|
static int hf_mscldap_hostname = -1;
|
|
|
|
|
static int hf_mscldap_nb_domain = -1;
|
|
|
|
|
static int hf_mscldap_nb_hostname = -1;
|
|
|
|
|
static int hf_mscldap_username = -1;
|
|
|
|
|
static int hf_mscldap_sitename = -1;
|
|
|
|
|
static int hf_mscldap_clientsitename = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_lm_token = -1;
|
|
|
|
|
static int hf_mscldap_netlogon_nt_token = -1;
|
2006-08-07 10:19:37 +00:00
|
|
|
static int hf_ldap_sid = -1;
|
2006-08-11 07:59:58 +00:00
|
|
|
static int hf_ldap_AccessMask_ADS_CREATE_CHILD = -1;
|
|
|
|
|
static int hf_ldap_AccessMask_ADS_DELETE_CHILD = -1;
|
|
|
|
|
static int hf_ldap_AccessMask_ADS_LIST = -1;
|
|
|
|
|
static int hf_ldap_AccessMask_ADS_SELF_WRITE = -1;
|
|
|
|
|
static int hf_ldap_AccessMask_ADS_READ_PROP = -1;
|
|
|
|
|
static int hf_ldap_AccessMask_ADS_WRITE_PROP = -1;
|
|
|
|
|
static int hf_ldap_AccessMask_ADS_DELETE_TREE = -1;
|
|
|
|
|
static int hf_ldap_AccessMask_ADS_LIST_OBJECT = -1;
|
|
|
|
|
static int hf_ldap_AccessMask_ADS_CONTROL_ACCESS = -1;
|
2013-11-08 02:02:43 +00:00
|
|
|
static int hf_ldap_LDAPMessage_PDU = -1;
|
2014-08-08 13:19:29 +00:00
|
|
|
static int hf_ldap_object_security_flag = -1;
|
|
|
|
|
static int hf_ldap_ancestor_first_flag = -1;
|
|
|
|
|
static int hf_ldap_public_data_only_flag = -1;
|
|
|
|
|
static int hf_ldap_incremental_value_flag = -1;
|
|
|
|
|
static int hf_ldap_oid = -1;
|
|
|
|
|
static int hf_ldap_gssapi_encrypted_payload = -1;
|
2006-05-02 05:35:55 +00:00
|
|
|
|
2005-12-09 16:46:24 +00:00
|
|
|
#include "packet-ldap-hf.c"
|
|
|
|
|
|
|
|
|
|
/* Initialize the subtree pointers */
|
|
|
|
|
static gint ett_ldap = -1;
|
|
|
|
|
static gint ett_ldap_msg = -1;
|
|
|
|
|
static gint ett_ldap_sasl_blob = -1;
|
2011-02-10 20:55:26 +00:00
|
|
|
static gint ett_ldap_payload = -1;
|
2006-05-02 05:35:55 +00:00
|
|
|
static gint ett_mscldap_netlogon_flags = -1;
|
2008-08-06 06:53:04 +00:00
|
|
|
static gint ett_mscldap_ntver_flags = -1;
|
|
|
|
|
static gint ett_mscldap_ipdetails = -1;
|
2014-01-04 12:03:02 +00:00
|
|
|
static gint ett_ldap_DirSyncFlagsSubEntry = -1;
|
2006-05-02 05:35:55 +00:00
|
|
|
|
2005-12-09 16:46:24 +00:00
|
|
|
#include "packet-ldap-ett.c"
|
|
|
|
|
|
2013-06-03 03:42:36 +00:00
|
|
|
static expert_field ei_ldap_exceeded_filter_length = EI_INIT;
|
|
|
|
|
static expert_field ei_ldap_too_many_filter_elements = EI_INIT;
|
|
|
|
|
|
2006-05-08 17:52:42 +00:00
|
|
|
static dissector_table_t ldap_name_dissector_table=NULL;
|
2006-11-04 09:14:54 +00:00
|
|
|
static const char *object_identifier_id = NULL; /* LDAP OID */
|
2006-05-08 17:52:42 +00:00
|
|
|
|
2006-04-30 07:23:42 +00:00
|
|
|
static gboolean do_protocolop = FALSE;
|
2006-05-08 17:52:42 +00:00
|
|
|
static gchar *attr_type = NULL;
|
|
|
|
|
static gboolean is_binary_attr_type = FALSE;
|
2009-06-30 10:38:00 +00:00
|
|
|
static gboolean ldap_found_in_frame = FALSE;
|
2005-12-09 16:46:24 +00:00
|
|
|
|
2016-10-07 20:25:01 +00:00
|
|
|
#define TCP_PORT_RANGE_LDAP "389,3268" /* 3268 is Windows 2000 Global Catalog */
|
2015-11-27 22:06:01 +00:00
|
|
|
#define TCP_PORT_LDAPS 636
|
|
|
|
|
#define UDP_PORT_CLDAP 389
|
2005-12-09 16:46:24 +00:00
|
|
|
|
2008-01-26 10:12:22 +00:00
|
|
|
/* desegmentation of LDAP */
|
|
|
|
|
static gboolean ldap_desegment = TRUE;
|
|
|
|
|
static guint global_ldaps_tcp_port = TCP_PORT_LDAPS;
|
|
|
|
|
static guint ssl_port = 0;
|
|
|
|
|
|
2008-11-12 23:55:52 +00:00
|
|
|
static dissector_handle_t gssapi_handle;
|
|
|
|
|
static dissector_handle_t gssapi_wrap_handle;
|
|
|
|
|
static dissector_handle_t ntlmssp_handle;
|
|
|
|
|
static dissector_handle_t spnego_handle;
|
2018-09-13 15:40:27 +00:00
|
|
|
static dissector_handle_t tls_handle;
|
2008-11-12 23:55:52 +00:00
|
|
|
static dissector_handle_t ldap_handle ;
|
2005-12-09 16:46:24 +00:00
|
|
|
|
2010-12-06 22:08:48 +00:00
|
|
|
static void prefs_register_ldap(void); /* forward declaration for use in preferences registration */
|
2008-01-26 10:12:22 +00:00
|
|
|
|
|
|
|
|
|
2005-12-09 16:46:24 +00:00
|
|
|
/* different types of rpc calls ontop of ms cldap */
|
2015-11-27 22:06:01 +00:00
|
|
|
#define MSCLDAP_RPC_NETLOGON 1
|
2005-12-09 16:46:24 +00:00
|
|
|
|
2006-02-21 18:56:25 +00:00
|
|
|
/* Message type Choice values */
|
|
|
|
|
static const value_string ldap_ProtocolOp_choice_vals[] = {
|
|
|
|
|
{ 0, "bindRequest" },
|
|
|
|
|
{ 1, "bindResponse" },
|
|
|
|
|
{ 2, "unbindRequest" },
|
|
|
|
|
{ 3, "searchRequest" },
|
|
|
|
|
{ 4, "searchResEntry" },
|
|
|
|
|
{ 5, "searchResDone" },
|
2012-03-30 09:08:55 +00:00
|
|
|
{ 6, "searchResRef" },
|
2006-02-21 18:56:25 +00:00
|
|
|
{ 7, "modifyRequest" },
|
|
|
|
|
{ 8, "modifyResponse" },
|
|
|
|
|
{ 9, "addRequest" },
|
|
|
|
|
{ 10, "addResponse" },
|
|
|
|
|
{ 11, "delRequest" },
|
|
|
|
|
{ 12, "delResponse" },
|
|
|
|
|
{ 13, "modDNRequest" },
|
|
|
|
|
{ 14, "modDNResponse" },
|
|
|
|
|
{ 15, "compareRequest" },
|
|
|
|
|
{ 16, "compareResponse" },
|
|
|
|
|
{ 17, "abandonRequest" },
|
|
|
|
|
{ 18, "extendedReq" },
|
|
|
|
|
{ 19, "extendedResp" },
|
2009-12-12 09:30:49 +00:00
|
|
|
{ 20, "intermediateResponse" },
|
2006-02-21 18:56:25 +00:00
|
|
|
{ 0, NULL }
|
|
|
|
|
};
|
2011-01-06 22:24:10 +00:00
|
|
|
|
2015-04-26 00:28:18 +00:00
|
|
|
/* Procedure names (used in Service Response Time */
|
|
|
|
|
const value_string ldap_procedure_names[] = {
|
|
|
|
|
{ 0, "Bind" },
|
|
|
|
|
{ 3, "Search" },
|
|
|
|
|
{ 6, "Modify" },
|
|
|
|
|
{ 8, "Add" },
|
|
|
|
|
{ 10, "Delete" },
|
|
|
|
|
{ 12, "Modrdn" },
|
|
|
|
|
{ 14, "Compare" },
|
|
|
|
|
{ 23, "Extended" },
|
|
|
|
|
{ 0, NULL }
|
|
|
|
|
};
|
|
|
|
|
|
2011-01-06 22:24:10 +00:00
|
|
|
#define LOGON_PRIMARY_QUERY 7
|
|
|
|
|
#define LOGON_PRIMARY_RESPONSE 12
|
|
|
|
|
#define LOGON_SAM_LOGON_REQUEST 18
|
|
|
|
|
#define LOGON_SAM_LOGON_RESPONSE 19
|
|
|
|
|
#define LOGON_SAM_PAUSE_RESPONSE 20
|
|
|
|
|
#define LOGON_SAM_USER_UNKNOWN 21
|
|
|
|
|
#define LOGON_SAM_LOGON_RESPONSE_EX 23
|
|
|
|
|
#define LOGON_SAM_PAUSE_RESPONSE_EX 24
|
|
|
|
|
#define LOGON_SAM_USER_UNKNOWN_EX 25
|
|
|
|
|
|
|
|
|
|
static const value_string netlogon_opcode_vals[] = {
|
2015-11-27 22:06:01 +00:00
|
|
|
{ LOGON_PRIMARY_QUERY, "LOGON_PRIMARY_QUERY" },
|
|
|
|
|
{ LOGON_PRIMARY_RESPONSE, "LOGON_PRIMARY_RESPONSE" },
|
|
|
|
|
{ LOGON_SAM_LOGON_REQUEST, "LOGON_SAM_LOGON_REQUEST" },
|
|
|
|
|
{ LOGON_SAM_LOGON_RESPONSE, "LOGON_SAM_LOGON_RESPONSE" },
|
|
|
|
|
{ LOGON_SAM_PAUSE_RESPONSE, "LOGON_SAM_PAUSE_RESPONSE" },
|
|
|
|
|
{ LOGON_SAM_LOGON_RESPONSE_EX, "LOGON_SAM_LOGON_RESPONSE_EX" },
|
|
|
|
|
{ LOGON_SAM_PAUSE_RESPONSE_EX, "LOGON_SAM_PAUSE_RESPONSE_EX" },
|
|
|
|
|
{ LOGON_SAM_USER_UNKNOWN_EX, "LOGON_SAM_USER_UNKNOWN_EX" },
|
|
|
|
|
{ 0, NULL }
|
2011-01-06 22:24:10 +00:00
|
|
|
};
|
|
|
|
|
|
Further refactor SRT stats.
Create "common" SRT tap data collection intended for all GUIs. Refactor/merge functionality of existing dissectors that have SRT support (AFP, DCERPC, Diameter, FC, GTP, LDAP, NCP, RPC, SCIS, SMB, and SMB2) for both TShark and GTK.
SMB and DCERPC "tap packet filtering" were different between TShark and GTK, so I went with GTK filter logic.
CAMEL "tap packet filtering" was different between TShark and GTK, so GTK filtering logic was pushed to the dissector and the TShark tap was left alone.
Change-Id: I7d6eaad0673fe628ef337f9165d7ed94f4a5e1cc
Reviewed-on: https://code.wireshark.org/review/8894
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-06-16 21:07:04 +00:00
|
|
|
#define LDAP_NUM_PROCEDURES 24
|
|
|
|
|
|
|
|
|
|
static void
|
2018-05-13 19:45:16 +00:00
|
|
|
ldapstat_init(struct register_srt* srt _U_, GArray* srt_array)
|
Further refactor SRT stats.
Create "common" SRT tap data collection intended for all GUIs. Refactor/merge functionality of existing dissectors that have SRT support (AFP, DCERPC, Diameter, FC, GTP, LDAP, NCP, RPC, SCIS, SMB, and SMB2) for both TShark and GTK.
SMB and DCERPC "tap packet filtering" were different between TShark and GTK, so I went with GTK filter logic.
CAMEL "tap packet filtering" was different between TShark and GTK, so GTK filtering logic was pushed to the dissector and the TShark tap was left alone.
Change-Id: I7d6eaad0673fe628ef337f9165d7ed94f4a5e1cc
Reviewed-on: https://code.wireshark.org/review/8894
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-06-16 21:07:04 +00:00
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
srt_stat_table *ldap_srt_table;
|
|
|
|
|
guint32 i;
|
|
|
|
|
|
2018-05-13 19:45:16 +00:00
|
|
|
ldap_srt_table = init_srt_table("LDAP Commands", NULL, srt_array, LDAP_NUM_PROCEDURES, NULL, "ldap.protocolOp", NULL);
|
2015-11-27 22:06:01 +00:00
|
|
|
for (i = 0; i < LDAP_NUM_PROCEDURES; i++)
|
|
|
|
|
{
|
|
|
|
|
init_srt_table_row(ldap_srt_table, i, val_to_str_const(i, ldap_procedure_names, "<unknown>"));
|
|
|
|
|
}
|
Further refactor SRT stats.
Create "common" SRT tap data collection intended for all GUIs. Refactor/merge functionality of existing dissectors that have SRT support (AFP, DCERPC, Diameter, FC, GTP, LDAP, NCP, RPC, SCIS, SMB, and SMB2) for both TShark and GTK.
SMB and DCERPC "tap packet filtering" were different between TShark and GTK, so I went with GTK filter logic.
CAMEL "tap packet filtering" was different between TShark and GTK, so GTK filtering logic was pushed to the dissector and the TShark tap was left alone.
Change-Id: I7d6eaad0673fe628ef337f9165d7ed94f4a5e1cc
Reviewed-on: https://code.wireshark.org/review/8894
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-06-16 21:07:04 +00:00
|
|
|
}
|
|
|
|
|
|
2019-01-01 03:36:12 +00:00
|
|
|
static tap_packet_status
|
Further refactor SRT stats.
Create "common" SRT tap data collection intended for all GUIs. Refactor/merge functionality of existing dissectors that have SRT support (AFP, DCERPC, Diameter, FC, GTP, LDAP, NCP, RPC, SCIS, SMB, and SMB2) for both TShark and GTK.
SMB and DCERPC "tap packet filtering" were different between TShark and GTK, so I went with GTK filter logic.
CAMEL "tap packet filtering" was different between TShark and GTK, so GTK filtering logic was pushed to the dissector and the TShark tap was left alone.
Change-Id: I7d6eaad0673fe628ef337f9165d7ed94f4a5e1cc
Reviewed-on: https://code.wireshark.org/review/8894
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-06-16 21:07:04 +00:00
|
|
|
ldapstat_packet(void *pldap, packet_info *pinfo, epan_dissect_t *edt _U_, const void *psi)
|
|
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
guint i = 0;
|
|
|
|
|
srt_stat_table *ldap_srt_table;
|
|
|
|
|
const ldap_call_response_t *ldap=(const ldap_call_response_t *)psi;
|
|
|
|
|
srt_data_t *data = (srt_data_t *)pldap;
|
|
|
|
|
|
|
|
|
|
/* we are only interested in reply packets */
|
|
|
|
|
if(ldap->is_request){
|
2019-01-01 03:36:12 +00:00
|
|
|
return TAP_PACKET_DONT_REDRAW;
|
2015-11-27 22:06:01 +00:00
|
|
|
}
|
|
|
|
|
/* if we havnt seen the request, just ignore it */
|
|
|
|
|
if(!ldap->req_frame){
|
2019-01-01 03:36:12 +00:00
|
|
|
return TAP_PACKET_DONT_REDRAW;
|
2015-11-27 22:06:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* only use the commands we know how to handle */
|
|
|
|
|
switch(ldap->protocolOpTag){
|
|
|
|
|
case LDAP_REQ_BIND:
|
|
|
|
|
case LDAP_REQ_SEARCH:
|
|
|
|
|
case LDAP_REQ_MODIFY:
|
|
|
|
|
case LDAP_REQ_ADD:
|
|
|
|
|
case LDAP_REQ_DELETE:
|
|
|
|
|
case LDAP_REQ_MODRDN:
|
|
|
|
|
case LDAP_REQ_COMPARE:
|
|
|
|
|
case LDAP_REQ_EXTENDED:
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2019-01-01 03:36:12 +00:00
|
|
|
return TAP_PACKET_DONT_REDRAW;
|
2015-11-27 22:06:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ldap_srt_table = g_array_index(data->srt_array, srt_stat_table*, i);
|
|
|
|
|
|
|
|
|
|
add_srt_table_data(ldap_srt_table, ldap->protocolOpTag, &ldap->req_time, pinfo);
|
2019-01-01 03:36:12 +00:00
|
|
|
return TAP_PACKET_REDRAW;
|
Further refactor SRT stats.
Create "common" SRT tap data collection intended for all GUIs. Refactor/merge functionality of existing dissectors that have SRT support (AFP, DCERPC, Diameter, FC, GTP, LDAP, NCP, RPC, SCIS, SMB, and SMB2) for both TShark and GTK.
SMB and DCERPC "tap packet filtering" were different between TShark and GTK, so I went with GTK filter logic.
CAMEL "tap packet filtering" was different between TShark and GTK, so GTK filtering logic was pushed to the dissector and the TShark tap was left alone.
Change-Id: I7d6eaad0673fe628ef337f9165d7ed94f4a5e1cc
Reviewed-on: https://code.wireshark.org/review/8894
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-06-16 21:07:04 +00:00
|
|
|
}
|
|
|
|
|
|
2005-12-09 16:46:24 +00:00
|
|
|
/*
|
|
|
|
|
* Data structure attached to a conversation, giving authentication
|
|
|
|
|
* information from a bind request.
|
|
|
|
|
*/
|
|
|
|
|
typedef struct ldap_conv_info_t {
|
2015-11-27 22:06:01 +00:00
|
|
|
guint auth_type; /* authentication type */
|
|
|
|
|
char *auth_mech; /* authentication mechanism */
|
|
|
|
|
guint32 first_auth_frame; /* first frame that would use a security layer */
|
2016-07-20 02:49:32 +00:00
|
|
|
wmem_map_t *unmatched;
|
|
|
|
|
wmem_map_t *matched;
|
2005-12-09 16:46:24 +00:00
|
|
|
gboolean is_mscldap;
|
2006-04-30 07:23:42 +00:00
|
|
|
guint32 num_results;
|
2008-01-13 14:12:47 +00:00
|
|
|
gboolean start_tls_pending;
|
|
|
|
|
guint32 start_tls_frame;
|
2005-12-09 16:46:24 +00:00
|
|
|
} ldap_conv_info_t;
|
|
|
|
|
|
|
|
|
|
static guint
|
|
|
|
|
ldap_info_hash_matched(gconstpointer k)
|
|
|
|
|
{
|
2011-11-20 08:59:19 +00:00
|
|
|
const ldap_call_response_t *key = (const ldap_call_response_t *)k;
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
return key->messageId;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static gint
|
|
|
|
|
ldap_info_equal_matched(gconstpointer k1, gconstpointer k2)
|
|
|
|
|
{
|
2011-11-20 08:59:19 +00:00
|
|
|
const ldap_call_response_t *key1 = (const ldap_call_response_t*)k1;
|
|
|
|
|
const ldap_call_response_t *key2 = (const ldap_call_response_t*)k2;
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
if( key1->req_frame && key2->req_frame && (key1->req_frame!=key2->req_frame) ){
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2006-04-30 07:23:42 +00:00
|
|
|
/* a response may span multiple frames
|
2005-12-09 16:46:24 +00:00
|
|
|
if( key1->rep_frame && key2->rep_frame && (key1->rep_frame!=key2->rep_frame) ){
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2006-04-30 07:23:42 +00:00
|
|
|
*/
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
return key1->messageId==key2->messageId;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static guint
|
|
|
|
|
ldap_info_hash_unmatched(gconstpointer k)
|
|
|
|
|
{
|
2011-11-20 08:59:19 +00:00
|
|
|
const ldap_call_response_t *key = (const ldap_call_response_t*)k;
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
return key->messageId;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static gint
|
|
|
|
|
ldap_info_equal_unmatched(gconstpointer k1, gconstpointer k2)
|
|
|
|
|
{
|
2011-11-20 08:59:19 +00:00
|
|
|
const ldap_call_response_t *key1 = (const ldap_call_response_t*)k1;
|
|
|
|
|
const ldap_call_response_t *key2 = (const ldap_call_response_t*)k2;
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
return key1->messageId==key2->messageId;
|
|
|
|
|
}
|
|
|
|
|
|
2008-08-06 06:53:04 +00:00
|
|
|
|
|
|
|
|
/* These are the NtVer flags
|
2015-11-27 22:06:01 +00:00
|
|
|
http://msdn.microsoft.com/en-us/library/cc201035.aspx
|
2008-08-06 06:53:04 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static const true_false_string tfs_ntver_v1 = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"Client requested version 1 netlogon response",
|
|
|
|
|
"Version 1 netlogon response not requested"
|
2008-08-06 06:53:04 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static const true_false_string tfs_ntver_v5 = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"Client requested version 5 netlogon response",
|
|
|
|
|
"Version 5 netlogon response not requested"
|
2008-08-06 06:53:04 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ntver_v5ex = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"Client requested version 5 extended netlogon response",
|
|
|
|
|
"Version 5 extended response not requested"
|
2008-08-06 06:53:04 +00:00
|
|
|
};
|
2011-01-06 18:08:14 +00:00
|
|
|
static const true_false_string tfs_ntver_v5ep = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"Client has requested IP address of the server",
|
|
|
|
|
"IP address of server not requested"
|
2008-08-06 06:53:04 +00:00
|
|
|
};
|
2011-01-06 18:08:14 +00:00
|
|
|
static const true_false_string tfs_ntver_vcs = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"Client has asked for the closest site information",
|
|
|
|
|
"Closest site information not requested"
|
2008-08-06 06:53:04 +00:00
|
|
|
};
|
2011-01-06 18:08:14 +00:00
|
|
|
static const true_false_string tfs_ntver_vnt4 = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"Client is requesting server to avoid NT4 emulation",
|
|
|
|
|
"Only full AD DS requested"
|
2008-08-06 06:53:04 +00:00
|
|
|
};
|
2011-01-06 18:08:14 +00:00
|
|
|
static const true_false_string tfs_ntver_vpdc = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"Client has requested the Primary Domain Controller",
|
|
|
|
|
"Primary Domain Controller not requested"
|
2008-08-06 06:53:04 +00:00
|
|
|
};
|
2011-01-06 18:08:14 +00:00
|
|
|
static const true_false_string tfs_ntver_vip = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"Client has requested IP details (obsolete)",
|
|
|
|
|
"IP details not requested (obsolete)"
|
2011-01-06 18:08:14 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ntver_vl = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"Client indicated that it is the local machine",
|
|
|
|
|
"Client is not the local machine"
|
2011-01-06 18:08:14 +00:00
|
|
|
};static const true_false_string tfs_ntver_vgc = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"Client has requested a Global Catalog server",
|
|
|
|
|
"Global Catalog not requested"
|
2008-08-06 06:53:04 +00:00
|
|
|
};
|
|
|
|
|
|
2012-03-30 09:08:55 +00:00
|
|
|
/* Stuff for generation/handling of fields for custom AttributeValues */
|
|
|
|
|
typedef struct _attribute_type_t {
|
|
|
|
|
gchar* attribute_type;
|
|
|
|
|
gchar* attribute_desc;
|
|
|
|
|
} attribute_type_t;
|
|
|
|
|
|
2018-05-30 07:00:16 +00:00
|
|
|
static attribute_type_t* attribute_types;
|
|
|
|
|
static guint num_attribute_types;
|
2012-03-30 09:08:55 +00:00
|
|
|
|
2018-05-30 07:00:16 +00:00
|
|
|
static GHashTable* attribute_types_hash;
|
|
|
|
|
static hf_register_info* dynamic_hf;
|
|
|
|
|
static guint dynamic_hf_size;
|
2012-03-30 09:08:55 +00:00
|
|
|
|
2015-02-18 01:21:25 +00:00
|
|
|
static gboolean
|
2015-01-13 20:13:45 +00:00
|
|
|
attribute_types_update_cb(void *r, char **err)
|
2012-03-30 09:08:55 +00:00
|
|
|
{
|
2012-06-04 08:56:48 +00:00
|
|
|
attribute_type_t *rec = (attribute_type_t *)r;
|
2012-03-30 09:08:55 +00:00
|
|
|
char c;
|
|
|
|
|
|
|
|
|
|
if (rec->attribute_type == NULL) {
|
2013-10-25 22:14:25 +00:00
|
|
|
*err = g_strdup("Attribute type can't be empty");
|
2015-02-18 01:21:25 +00:00
|
|
|
return FALSE;
|
2012-03-30 09:08:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
g_strstrip(rec->attribute_type);
|
|
|
|
|
if (rec->attribute_type[0] == 0) {
|
2013-10-25 22:14:25 +00:00
|
|
|
*err = g_strdup("Attribute type can't be empty");
|
2015-02-18 01:21:25 +00:00
|
|
|
return FALSE;
|
2012-03-30 09:08:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Check for invalid characters (to avoid asserting out when
|
|
|
|
|
* registering the field).
|
|
|
|
|
*/
|
|
|
|
|
c = proto_check_field_name(rec->attribute_type);
|
|
|
|
|
if (c) {
|
2013-10-25 22:14:25 +00:00
|
|
|
*err = g_strdup_printf("Attribute type can't contain '%c'", c);
|
2015-02-18 01:21:25 +00:00
|
|
|
return FALSE;
|
2012-03-30 09:08:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*err = NULL;
|
2015-02-18 01:21:25 +00:00
|
|
|
return TRUE;
|
2012-03-30 09:08:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void *
|
|
|
|
|
attribute_types_copy_cb(void* n, const void* o, size_t siz _U_)
|
|
|
|
|
{
|
2012-06-04 08:56:48 +00:00
|
|
|
attribute_type_t* new_rec = (attribute_type_t*)n;
|
2012-06-04 12:20:37 +00:00
|
|
|
const attribute_type_t* old_rec = (const attribute_type_t*)o;
|
2012-03-30 09:08:55 +00:00
|
|
|
|
|
|
|
|
new_rec->attribute_type = g_strdup(old_rec->attribute_type);
|
|
|
|
|
new_rec->attribute_desc = g_strdup(old_rec->attribute_desc);
|
|
|
|
|
|
|
|
|
|
return new_rec;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
attribute_types_free_cb(void*r)
|
|
|
|
|
{
|
2012-06-04 08:56:48 +00:00
|
|
|
attribute_type_t* rec = (attribute_type_t*)r;
|
2012-03-30 09:08:55 +00:00
|
|
|
|
2017-08-26 08:30:47 +00:00
|
|
|
g_free(rec->attribute_type);
|
|
|
|
|
g_free(rec->attribute_desc);
|
2012-03-30 09:08:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
UAT_CSTRING_CB_DEF(attribute_types, attribute_type, attribute_type_t)
|
|
|
|
|
UAT_CSTRING_CB_DEF(attribute_types, attribute_desc, attribute_type_t)
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
static gint*
|
|
|
|
|
get_hf_for_header(char* attribute_type)
|
|
|
|
|
{
|
|
|
|
|
gint* hf_id = NULL;
|
|
|
|
|
|
|
|
|
|
if (attribute_types_hash) {
|
|
|
|
|
hf_id = (gint*) g_hash_table_lookup(attribute_types_hash, attribute_type);
|
|
|
|
|
} else {
|
|
|
|
|
hf_id = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return hf_id;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
static void
|
2018-05-30 07:00:16 +00:00
|
|
|
deregister_attribute_types(void)
|
2012-03-30 09:08:55 +00:00
|
|
|
{
|
2018-05-30 07:00:16 +00:00
|
|
|
if (dynamic_hf) {
|
2015-08-11 12:08:08 +00:00
|
|
|
/* Deregister all fields */
|
2018-05-30 07:00:16 +00:00
|
|
|
for (guint i = 0; i < dynamic_hf_size; i++) {
|
|
|
|
|
proto_deregister_field (proto_ldap, *(dynamic_hf[i].p_id));
|
|
|
|
|
g_free (dynamic_hf[i].p_id);
|
2012-03-30 09:08:55 +00:00
|
|
|
}
|
2018-05-30 07:00:16 +00:00
|
|
|
|
|
|
|
|
proto_add_deregistered_data (dynamic_hf);
|
|
|
|
|
dynamic_hf = NULL;
|
|
|
|
|
dynamic_hf_size = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (attribute_types_hash) {
|
2012-03-30 09:08:55 +00:00
|
|
|
g_hash_table_destroy (attribute_types_hash);
|
|
|
|
|
attribute_types_hash = NULL;
|
|
|
|
|
}
|
2018-05-30 07:00:16 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
attribute_types_post_update_cb(void)
|
|
|
|
|
{
|
|
|
|
|
gint* hf_id;
|
|
|
|
|
gchar* attribute_type;
|
|
|
|
|
|
|
|
|
|
deregister_attribute_types();
|
2012-03-30 09:08:55 +00:00
|
|
|
|
|
|
|
|
if (num_attribute_types) {
|
|
|
|
|
attribute_types_hash = g_hash_table_new(g_str_hash, g_str_equal);
|
2018-05-30 07:00:16 +00:00
|
|
|
dynamic_hf = g_new0(hf_register_info,num_attribute_types);
|
|
|
|
|
dynamic_hf_size = num_attribute_types;
|
2012-03-30 09:08:55 +00:00
|
|
|
|
2018-05-30 07:00:16 +00:00
|
|
|
for (guint i = 0; i < dynamic_hf_size; i++) {
|
2012-06-04 08:56:48 +00:00
|
|
|
hf_id = g_new(gint,1);
|
2012-03-30 09:08:55 +00:00
|
|
|
*hf_id = -1;
|
|
|
|
|
attribute_type = g_strdup(attribute_types[i].attribute_type);
|
|
|
|
|
|
2018-05-30 07:00:16 +00:00
|
|
|
dynamic_hf[i].p_id = hf_id;
|
|
|
|
|
dynamic_hf[i].hfinfo.name = attribute_type;
|
|
|
|
|
dynamic_hf[i].hfinfo.abbrev = g_strdup_printf("ldap.AttributeValue.%s", attribute_type);
|
|
|
|
|
dynamic_hf[i].hfinfo.type = FT_STRING;
|
|
|
|
|
dynamic_hf[i].hfinfo.display = BASE_NONE;
|
|
|
|
|
dynamic_hf[i].hfinfo.strings = NULL;
|
|
|
|
|
dynamic_hf[i].hfinfo.bitmask = 0;
|
|
|
|
|
dynamic_hf[i].hfinfo.blurb = g_strdup(attribute_types[i].attribute_desc);
|
|
|
|
|
HFILL_INIT(dynamic_hf[i]);
|
2012-03-30 09:08:55 +00:00
|
|
|
|
|
|
|
|
g_hash_table_insert(attribute_types_hash, attribute_type, hf_id);
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-30 07:00:16 +00:00
|
|
|
proto_register_field_array(proto_ldap, dynamic_hf, dynamic_hf_size);
|
2012-03-30 09:08:55 +00:00
|
|
|
}
|
|
|
|
|
}
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2018-05-30 07:00:16 +00:00
|
|
|
static void
|
|
|
|
|
attribute_types_reset_cb(void)
|
|
|
|
|
{
|
|
|
|
|
deregister_attribute_types();
|
|
|
|
|
}
|
|
|
|
|
|
2011-01-06 18:08:14 +00:00
|
|
|
/* MS-ADTS specification, section 7.3.1.1, NETLOGON_NT_VERSION Options Bits */
|
2008-08-06 06:53:04 +00:00
|
|
|
static int dissect_mscldap_ntver_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
|
|
|
|
|
{
|
2015-04-22 11:57:37 +00:00
|
|
|
static const int * flags[] = {
|
|
|
|
|
&hf_mscldap_ntver_flags_v1,
|
|
|
|
|
&hf_mscldap_ntver_flags_v5,
|
|
|
|
|
&hf_mscldap_ntver_flags_v5ex,
|
|
|
|
|
&hf_mscldap_ntver_flags_v5ep,
|
|
|
|
|
&hf_mscldap_ntver_flags_vcs,
|
|
|
|
|
&hf_mscldap_ntver_flags_vnt4,
|
|
|
|
|
&hf_mscldap_ntver_flags_vpdc,
|
|
|
|
|
&hf_mscldap_ntver_flags_vip,
|
|
|
|
|
&hf_mscldap_ntver_flags_vl,
|
|
|
|
|
&hf_mscldap_ntver_flags_vgc,
|
|
|
|
|
NULL
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
proto_tree_add_bitmask_with_flags(parent_tree, tvb, offset, hf_mscldap_ntver_flags,
|
|
|
|
|
ett_mscldap_ntver_flags, flags, ENC_LITTLE_ENDIAN, BMT_NO_FALSE);
|
2008-08-06 06:53:04 +00:00
|
|
|
offset += 4;
|
|
|
|
|
|
|
|
|
|
return offset;
|
|
|
|
|
}
|
|
|
|
|
|
2006-07-12 09:02:00 +00:00
|
|
|
/* This string contains the last LDAPString that was decoded */
|
2010-02-23 04:35:23 +00:00
|
|
|
static const char *attributedesc_string=NULL;
|
2006-07-12 09:02:00 +00:00
|
|
|
|
2006-06-12 08:30:07 +00:00
|
|
|
/* This string contains the last AssertionValue that was decoded */
|
2006-08-06 13:13:42 +00:00
|
|
|
static char *ldapvalue_string=NULL;
|
2006-07-12 09:02:00 +00:00
|
|
|
|
2006-06-13 05:39:55 +00:00
|
|
|
/* if the octet string contain all printable ASCII characters, then
|
|
|
|
|
* display it as a string, othervise just display it in hex.
|
2006-06-10 05:07:42 +00:00
|
|
|
*/
|
|
|
|
|
static int
|
2007-05-13 20:58:29 +00:00
|
|
|
dissect_ldap_AssertionValue(gboolean implicit_tag, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_, proto_tree *tree, int hf_index)
|
2006-06-10 05:07:42 +00:00
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
gint8 ber_class;
|
|
|
|
|
gboolean pc, ind, is_ascii;
|
|
|
|
|
gint32 tag;
|
2018-10-20 21:46:34 +00:00
|
|
|
guint32 len;
|
2015-11-27 22:06:01 +00:00
|
|
|
|
|
|
|
|
if(!implicit_tag){
|
|
|
|
|
offset=get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
|
|
|
|
|
offset=get_ber_length(tvb, offset, &len, &ind);
|
|
|
|
|
} else {
|
|
|
|
|
len=tvb_reported_length_remaining(tvb,offset);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(len==0){
|
|
|
|
|
return offset;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Some special/wellknown attributes in common LDAP (read AD)
|
|
|
|
|
* are neither ascii strings nor blobs of hex data.
|
|
|
|
|
* Special case these attributes and decode them more nicely.
|
|
|
|
|
*
|
|
|
|
|
* Add more special cases as required to prettify further
|
|
|
|
|
* (there can't be that many ones that are truly interesting)
|
|
|
|
|
*/
|
|
|
|
|
if(attributedesc_string && !strncmp("DomainSid", attributedesc_string, 9)){
|
|
|
|
|
tvbuff_t *sid_tvb;
|
|
|
|
|
char *tmpstr;
|
|
|
|
|
|
|
|
|
|
/* this octet string contains an NT SID */
|
|
|
|
|
sid_tvb=tvb_new_subset_length(tvb, offset, len);
|
|
|
|
|
dissect_nt_sid(sid_tvb, 0, tree, "SID", &tmpstr, hf_index);
|
|
|
|
|
ldapvalue_string=tmpstr;
|
|
|
|
|
|
|
|
|
|
goto finished;
|
|
|
|
|
} else if ( (len==16) /* GUIDs are always 16 bytes */
|
|
|
|
|
&& (attributedesc_string && !strncmp("DomainGuid", attributedesc_string, 10))) {
|
|
|
|
|
guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
|
|
|
|
|
e_guid_t uuid;
|
|
|
|
|
|
|
|
|
|
/* This octet string contained a GUID */
|
|
|
|
|
dissect_dcerpc_uuid_t(tvb, offset, actx->pinfo, tree, drep, hf_ldap_guid, &uuid);
|
|
|
|
|
|
|
|
|
|
ldapvalue_string=(char*)wmem_alloc(wmem_packet_scope(), 1024);
|
|
|
|
|
g_snprintf(ldapvalue_string, 1023, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
|
|
|
|
|
uuid.data1, uuid.data2, uuid.data3, uuid.data4[0], uuid.data4[1],
|
|
|
|
|
uuid.data4[2], uuid.data4[3], uuid.data4[4], uuid.data4[5],
|
|
|
|
|
uuid.data4[6], uuid.data4[7]);
|
|
|
|
|
|
|
|
|
|
goto finished;
|
|
|
|
|
} else if (attributedesc_string && !strncmp("NtVer", attributedesc_string, 5)){
|
|
|
|
|
guint32 flags;
|
|
|
|
|
|
|
|
|
|
len = 0;
|
|
|
|
|
/* get flag value to populate ldapvalue_string */
|
|
|
|
|
flags=tvb_get_letohl(tvb, offset);
|
|
|
|
|
|
|
|
|
|
ldapvalue_string=(char*)wmem_alloc(wmem_packet_scope(), 1024);
|
|
|
|
|
g_snprintf(ldapvalue_string, 1023, "0x%08x",flags);
|
|
|
|
|
|
|
|
|
|
/* populate bitmask subtree */
|
|
|
|
|
offset = dissect_mscldap_ntver_flags(tree, tvb, offset);
|
|
|
|
|
|
|
|
|
|
goto finished;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* It was not one of our "wellknown" attributes so make the best
|
|
|
|
|
* we can and just try to see if it is an ascii string or if it
|
|
|
|
|
* is a binary blob.
|
|
|
|
|
*
|
|
|
|
|
* XXX - should we support reading RFC 2252-style schemas
|
|
|
|
|
* for LDAP, and using that to determine how to display
|
|
|
|
|
* attribute values and assertion values?
|
|
|
|
|
*
|
|
|
|
|
* -- I don't think there are full schemas available that describe the
|
|
|
|
|
* interesting cases i.e. AD -- ronnie
|
|
|
|
|
*/
|
2018-10-20 21:46:34 +00:00
|
|
|
is_ascii=tvb_ascii_isprint(tvb, offset, len);
|
2015-11-27 22:06:01 +00:00
|
|
|
|
|
|
|
|
/* convert the string into a printable string */
|
|
|
|
|
if(is_ascii){
|
2018-10-20 21:46:34 +00:00
|
|
|
ldapvalue_string= tvb_get_string_enc(wmem_packet_scope(), tvb, offset, len, ENC_ASCII);
|
2015-11-27 22:06:01 +00:00
|
|
|
} else {
|
2018-10-20 21:46:34 +00:00
|
|
|
ldapvalue_string= tvb_bytes_to_str_punct(wmem_packet_scope(), tvb, offset, len, ':');
|
2015-11-27 22:06:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
proto_tree_add_string(tree, hf_index, tvb, offset, len, ldapvalue_string);
|
2006-06-10 06:48:09 +00:00
|
|
|
|
2006-07-12 09:02:00 +00:00
|
|
|
|
|
|
|
|
finished:
|
2015-11-27 22:06:01 +00:00
|
|
|
offset+=len;
|
|
|
|
|
return offset;
|
2006-06-10 05:07:42 +00:00
|
|
|
}
|
|
|
|
|
|
2006-06-12 08:30:07 +00:00
|
|
|
/* This string contains the last Filter item that was decoded */
|
2010-02-23 04:35:23 +00:00
|
|
|
static const char *Filter_string=NULL;
|
2010-02-23 06:28:34 +00:00
|
|
|
static const char *and_filter_string=NULL;
|
|
|
|
|
static const char *or_filter_string=NULL;
|
|
|
|
|
static const char *substring_value=NULL;
|
2010-02-23 04:35:23 +00:00
|
|
|
static const char *substring_item_init=NULL;
|
|
|
|
|
static const char *substring_item_any=NULL;
|
|
|
|
|
static const char *substring_item_final=NULL;
|
|
|
|
|
static const char *matching_rule_string=NULL;
|
2006-06-29 21:04:37 +00:00
|
|
|
static gboolean matching_rule_dnattr=FALSE;
|
2006-06-12 08:30:07 +00:00
|
|
|
|
2011-03-01 00:50:17 +00:00
|
|
|
#define MAX_FILTER_LEN 4096
|
|
|
|
|
static gint Filter_length;
|
|
|
|
|
|
|
|
|
|
#define MAX_FILTER_ELEMENTS 200
|
|
|
|
|
static gint Filter_elements;
|
|
|
|
|
|
2005-12-09 16:46:24 +00:00
|
|
|
/* Global variables */
|
2006-04-30 07:23:42 +00:00
|
|
|
static gint MessageID =-1;
|
|
|
|
|
static gint ProtocolOp = -1;
|
|
|
|
|
static gint result = 0;
|
|
|
|
|
static proto_item *ldm_tree = NULL; /* item to add text to */
|
|
|
|
|
|
|
|
|
|
static void ldap_do_protocolop(packet_info *pinfo)
|
|
|
|
|
{
|
|
|
|
|
const gchar* valstr;
|
|
|
|
|
|
2017-02-07 20:16:37 +00:00
|
|
|
if (do_protocolop) {
|
2006-04-30 07:23:42 +00:00
|
|
|
|
|
|
|
|
valstr = val_to_str(ProtocolOp, ldap_ProtocolOp_choice_vals, "Unknown (%%u)");
|
|
|
|
|
|
2009-06-30 10:38:00 +00:00
|
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, "%s(%u) ", valstr, MessageID);
|
2006-04-30 07:23:42 +00:00
|
|
|
|
|
|
|
|
if(ldm_tree)
|
2006-06-28 22:07:23 +00:00
|
|
|
proto_item_append_text(ldm_tree, " %s(%d)", valstr, MessageID);
|
2006-04-30 07:23:42 +00:00
|
|
|
|
|
|
|
|
do_protocolop = FALSE;
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static ldap_call_response_t *
|
2013-11-08 02:02:43 +00:00
|
|
|
ldap_match_call_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint messageId, guint protocolOpTag, ldap_conv_info_t *ldap_info)
|
2006-04-30 07:23:42 +00:00
|
|
|
{
|
|
|
|
|
ldap_call_response_t lcr, *lcrp=NULL;
|
|
|
|
|
|
|
|
|
|
/* first see if we have already matched this */
|
|
|
|
|
|
|
|
|
|
lcr.messageId=messageId;
|
|
|
|
|
switch(protocolOpTag){
|
|
|
|
|
case LDAP_REQ_BIND:
|
|
|
|
|
case LDAP_REQ_SEARCH:
|
|
|
|
|
case LDAP_REQ_MODIFY:
|
|
|
|
|
case LDAP_REQ_ADD:
|
|
|
|
|
case LDAP_REQ_DELETE:
|
|
|
|
|
case LDAP_REQ_MODRDN:
|
|
|
|
|
case LDAP_REQ_COMPARE:
|
2008-01-13 14:12:47 +00:00
|
|
|
case LDAP_REQ_EXTENDED:
|
2006-04-30 07:23:42 +00:00
|
|
|
lcr.is_request=TRUE;
|
2016-01-24 03:40:51 +00:00
|
|
|
lcr.req_frame=pinfo->num;
|
2006-04-30 07:23:42 +00:00
|
|
|
lcr.rep_frame=0;
|
|
|
|
|
break;
|
|
|
|
|
case LDAP_RES_BIND:
|
|
|
|
|
case LDAP_RES_SEARCH_ENTRY:
|
|
|
|
|
case LDAP_RES_SEARCH_REF:
|
|
|
|
|
case LDAP_RES_SEARCH_RESULT:
|
|
|
|
|
case LDAP_RES_MODIFY:
|
|
|
|
|
case LDAP_RES_ADD:
|
|
|
|
|
case LDAP_RES_DELETE:
|
|
|
|
|
case LDAP_RES_MODRDN:
|
|
|
|
|
case LDAP_RES_COMPARE:
|
2008-01-13 14:12:47 +00:00
|
|
|
case LDAP_RES_EXTENDED:
|
2009-12-12 09:30:49 +00:00
|
|
|
case LDAP_RES_INTERMEDIATE:
|
2006-04-30 07:23:42 +00:00
|
|
|
lcr.is_request=FALSE;
|
|
|
|
|
lcr.req_frame=0;
|
2016-01-24 03:40:51 +00:00
|
|
|
lcr.rep_frame=pinfo->num;
|
2006-04-30 07:23:42 +00:00
|
|
|
break;
|
2013-08-25 17:31:15 +00:00
|
|
|
default:
|
|
|
|
|
return NULL;
|
2006-04-30 07:23:42 +00:00
|
|
|
}
|
2016-07-20 02:49:32 +00:00
|
|
|
lcrp=(ldap_call_response_t *)wmem_map_lookup(ldap_info->matched, &lcr);
|
2006-04-30 07:23:42 +00:00
|
|
|
|
|
|
|
|
if(lcrp){
|
|
|
|
|
|
|
|
|
|
lcrp->is_request=lcr.is_request;
|
|
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
/* we haven't found a match - try and match it up */
|
2006-04-30 07:23:42 +00:00
|
|
|
|
|
|
|
|
switch(protocolOpTag){
|
|
|
|
|
case LDAP_REQ_BIND:
|
|
|
|
|
case LDAP_REQ_SEARCH:
|
|
|
|
|
case LDAP_REQ_MODIFY:
|
|
|
|
|
case LDAP_REQ_ADD:
|
|
|
|
|
case LDAP_REQ_DELETE:
|
|
|
|
|
case LDAP_REQ_MODRDN:
|
|
|
|
|
case LDAP_REQ_COMPARE:
|
2008-01-13 14:12:47 +00:00
|
|
|
case LDAP_REQ_EXTENDED:
|
2006-04-30 07:23:42 +00:00
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
/* this a a request - add it to the unmatched list */
|
2006-04-30 07:23:42 +00:00
|
|
|
|
2014-09-16 15:25:17 +00:00
|
|
|
/* check that we don't already have one of those in the
|
2006-04-30 07:23:42 +00:00
|
|
|
unmatched list and if so remove it */
|
|
|
|
|
|
|
|
|
|
lcr.messageId=messageId;
|
2016-07-20 02:49:32 +00:00
|
|
|
lcrp=(ldap_call_response_t *)wmem_map_lookup(ldap_info->unmatched, &lcr);
|
2006-04-30 07:23:42 +00:00
|
|
|
if(lcrp){
|
2016-07-20 02:49:32 +00:00
|
|
|
wmem_map_remove(ldap_info->unmatched, lcrp);
|
2006-04-30 07:23:42 +00:00
|
|
|
}
|
2014-09-16 15:25:17 +00:00
|
|
|
/* if we can't reuse the old one, grab a new chunk */
|
2006-04-30 07:23:42 +00:00
|
|
|
if(!lcrp){
|
2013-09-15 13:24:14 +00:00
|
|
|
lcrp=wmem_new0(wmem_file_scope(), ldap_call_response_t);
|
2006-04-30 07:23:42 +00:00
|
|
|
}
|
|
|
|
|
lcrp->messageId=messageId;
|
2016-01-24 03:40:51 +00:00
|
|
|
lcrp->req_frame=pinfo->num;
|
2016-01-23 03:53:53 +00:00
|
|
|
lcrp->req_time=pinfo->abs_ts;
|
2006-04-30 07:23:42 +00:00
|
|
|
lcrp->rep_frame=0;
|
|
|
|
|
lcrp->protocolOpTag=protocolOpTag;
|
|
|
|
|
lcrp->is_request=TRUE;
|
2016-07-20 02:49:32 +00:00
|
|
|
wmem_map_insert(ldap_info->unmatched, lcrp, lcrp);
|
2006-04-30 07:23:42 +00:00
|
|
|
return NULL;
|
|
|
|
|
break;
|
|
|
|
|
case LDAP_RES_BIND:
|
|
|
|
|
case LDAP_RES_SEARCH_ENTRY:
|
|
|
|
|
case LDAP_RES_SEARCH_REF:
|
|
|
|
|
case LDAP_RES_SEARCH_RESULT:
|
|
|
|
|
case LDAP_RES_MODIFY:
|
|
|
|
|
case LDAP_RES_ADD:
|
|
|
|
|
case LDAP_RES_DELETE:
|
|
|
|
|
case LDAP_RES_MODRDN:
|
|
|
|
|
case LDAP_RES_COMPARE:
|
2008-01-13 14:12:47 +00:00
|
|
|
case LDAP_RES_EXTENDED:
|
2009-12-12 09:30:49 +00:00
|
|
|
case LDAP_RES_INTERMEDIATE:
|
2006-04-30 07:23:42 +00:00
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
/* this is a result - it should be in our unmatched list */
|
2006-04-30 07:23:42 +00:00
|
|
|
|
|
|
|
|
lcr.messageId=messageId;
|
2016-07-20 02:49:32 +00:00
|
|
|
lcrp=(ldap_call_response_t *)wmem_map_lookup(ldap_info->unmatched, &lcr);
|
2006-04-30 07:23:42 +00:00
|
|
|
|
|
|
|
|
if(lcrp){
|
|
|
|
|
|
|
|
|
|
if(!lcrp->rep_frame){
|
2016-07-20 02:49:32 +00:00
|
|
|
wmem_map_remove(ldap_info->unmatched, lcrp);
|
2016-01-24 03:40:51 +00:00
|
|
|
lcrp->rep_frame=pinfo->num;
|
2006-04-30 07:23:42 +00:00
|
|
|
lcrp->is_request=FALSE;
|
2016-07-20 02:49:32 +00:00
|
|
|
wmem_map_insert(ldap_info->matched, lcrp, lcrp);
|
2006-04-30 07:23:42 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
break;
|
2015-11-27 22:06:01 +00:00
|
|
|
}
|
2006-04-30 07:23:42 +00:00
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
}
|
2006-04-30 07:23:42 +00:00
|
|
|
/* we have found a match */
|
|
|
|
|
|
|
|
|
|
if(lcrp){
|
2006-08-07 10:35:26 +00:00
|
|
|
proto_item *it;
|
|
|
|
|
|
2006-04-30 07:23:42 +00:00
|
|
|
if(lcrp->is_request){
|
2006-08-07 10:35:26 +00:00
|
|
|
it=proto_tree_add_uint(tree, hf_ldap_response_in, tvb, 0, 0, lcrp->rep_frame);
|
2019-04-03 21:32:30 +00:00
|
|
|
proto_item_set_generated(it);
|
2006-04-30 07:23:42 +00:00
|
|
|
} else {
|
|
|
|
|
nstime_t ns;
|
2006-08-07 10:35:26 +00:00
|
|
|
it=proto_tree_add_uint(tree, hf_ldap_response_to, tvb, 0, 0, lcrp->req_frame);
|
2019-04-03 21:32:30 +00:00
|
|
|
proto_item_set_generated(it);
|
2016-01-23 03:53:53 +00:00
|
|
|
nstime_delta(&ns, &pinfo->abs_ts, &lcrp->req_time);
|
2006-08-07 10:35:26 +00:00
|
|
|
it=proto_tree_add_time(tree, hf_ldap_time, tvb, 0, 0, &ns);
|
2019-04-03 21:32:30 +00:00
|
|
|
proto_item_set_generated(it);
|
2006-04-30 07:23:42 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return lcrp;
|
|
|
|
|
}
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
#include "packet-ldap-fn.c"
|
2013-11-08 02:02:43 +00:00
|
|
|
static int dissect_LDAPMessage_PDU(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, ldap_conv_info_t *ldap_info) {
|
|
|
|
|
|
|
|
|
|
int offset = 0;
|
|
|
|
|
asn1_ctx_t asn1_ctx;
|
|
|
|
|
asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
|
|
|
|
|
|
|
|
|
|
asn1_ctx.private_data = ldap_info;
|
|
|
|
|
offset = dissect_ldap_LDAPMessage(FALSE, tvb, offset, &asn1_ctx, tree, hf_ldap_LDAPMessage_PDU);
|
|
|
|
|
return offset;
|
|
|
|
|
}
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
dissect_ldap_payload(tvbuff_t *tvb, packet_info *pinfo,
|
2015-11-27 22:06:01 +00:00
|
|
|
proto_tree *tree, ldap_conv_info_t *ldap_info,
|
|
|
|
|
gboolean is_mscldap)
|
2005-12-09 16:46:24 +00:00
|
|
|
{
|
|
|
|
|
int offset = 0;
|
|
|
|
|
guint length_remaining;
|
|
|
|
|
guint msg_len = 0;
|
|
|
|
|
int messageOffset = 0;
|
|
|
|
|
guint headerLength = 0;
|
|
|
|
|
guint length = 0;
|
|
|
|
|
tvbuff_t *msg_tvb = NULL;
|
2011-11-20 08:59:19 +00:00
|
|
|
gint8 ber_class;
|
2005-12-09 16:46:24 +00:00
|
|
|
gboolean pc, ind = 0;
|
|
|
|
|
gint32 ber_tag;
|
|
|
|
|
|
2010-06-27 22:38:28 +00:00
|
|
|
attributedesc_string=NULL;
|
|
|
|
|
|
2007-06-24 17:23:55 +00:00
|
|
|
|
|
|
|
|
one_more_pdu:
|
|
|
|
|
|
2015-04-09 12:36:26 +00:00
|
|
|
length_remaining = tvb_ensure_captured_length_remaining(tvb, offset);
|
2005-12-09 16:46:24 +00:00
|
|
|
|
2007-06-24 17:23:55 +00:00
|
|
|
if (length_remaining < 6) return;
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* OK, try to read the "Sequence Of" header; this gets the total
|
|
|
|
|
* length of the LDAP message.
|
|
|
|
|
*/
|
2015-11-27 22:06:01 +00:00
|
|
|
messageOffset = get_ber_identifier(tvb, offset, &ber_class, &pc, &ber_tag);
|
|
|
|
|
messageOffset = get_ber_length(tvb, messageOffset, &msg_len, &ind);
|
2005-12-09 16:46:24 +00:00
|
|
|
|
2007-06-24 17:23:55 +00:00
|
|
|
/* sanity check */
|
|
|
|
|
if((msg_len<4) || (msg_len>10000000)) return;
|
|
|
|
|
|
2011-11-20 08:59:19 +00:00
|
|
|
if ( (ber_class==BER_CLASS_UNI) && (ber_tag==BER_UNI_TAG_SEQUENCE) ) {
|
2015-11-27 22:06:01 +00:00
|
|
|
/*
|
|
|
|
|
* Add the length of the "Sequence Of" header to the message
|
|
|
|
|
* length.
|
|
|
|
|
*/
|
|
|
|
|
headerLength = messageOffset - offset;
|
|
|
|
|
msg_len += headerLength;
|
2005-12-09 16:46:24 +00:00
|
|
|
if (msg_len < headerLength) {
|
2015-11-27 22:06:01 +00:00
|
|
|
/*
|
|
|
|
|
* The message length was probably so large that the total length
|
|
|
|
|
* overflowed.
|
|
|
|
|
*
|
|
|
|
|
* Report this as an error.
|
|
|
|
|
*/
|
|
|
|
|
show_reported_bounds_error(tvb, pinfo, tree);
|
|
|
|
|
return;
|
2005-12-09 16:46:24 +00:00
|
|
|
}
|
|
|
|
|
} else {
|
2015-11-27 22:06:01 +00:00
|
|
|
/*
|
|
|
|
|
* We couldn't parse the header; just make it the amount of data
|
|
|
|
|
* remaining in the tvbuff, so we'll give up on this segment
|
|
|
|
|
* after attempting to parse the message - there's nothing more
|
|
|
|
|
* we can do. "dissect_ldap_message()" will display the error.
|
|
|
|
|
*/
|
|
|
|
|
msg_len = length_remaining;
|
2005-12-09 16:46:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Construct a tvbuff containing the amount of the payload we have
|
|
|
|
|
* available. Make its reported length the amount of data in the
|
|
|
|
|
* LDAP message.
|
|
|
|
|
*
|
|
|
|
|
* XXX - if reassembly isn't enabled. the subdissector will throw a
|
|
|
|
|
* BoundsError exception, rather than a ReportedBoundsError exception.
|
|
|
|
|
* We really want a tvbuff where the length is "length", the reported
|
|
|
|
|
* length is "plen", and the "if the snapshot length were infinite"
|
|
|
|
|
* length is the minimum of the reported length of the tvbuff handed
|
|
|
|
|
* to us and "plen", with a new type of exception thrown if the offset
|
|
|
|
|
* is within the reported length but beyond that third length, with
|
|
|
|
|
* that exception getting the "Unreassembled Packet" error.
|
|
|
|
|
*/
|
|
|
|
|
length = length_remaining;
|
|
|
|
|
if (length > msg_len) length = msg_len;
|
2017-01-10 06:18:49 +00:00
|
|
|
msg_tvb = tvb_new_subset_length_caplen(tvb, offset, length, msg_len);
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Now dissect the LDAP message.
|
|
|
|
|
*/
|
2007-06-24 17:23:55 +00:00
|
|
|
ldap_info->is_mscldap = is_mscldap;
|
2013-11-08 02:02:43 +00:00
|
|
|
dissect_LDAPMessage_PDU(msg_tvb, pinfo, tree, ldap_info);
|
2005-12-09 16:46:24 +00:00
|
|
|
|
2007-06-24 17:23:55 +00:00
|
|
|
offset += msg_len;
|
2005-12-09 16:46:24 +00:00
|
|
|
|
2007-06-24 17:23:55 +00:00
|
|
|
/* If this was a sasl blob there might be another PDU following in the
|
|
|
|
|
* same blob
|
|
|
|
|
*/
|
2014-06-21 00:36:59 +00:00
|
|
|
if(tvb_reported_length_remaining(tvb, offset)>=6){
|
2013-02-19 23:17:07 +00:00
|
|
|
tvb = tvb_new_subset_remaining(tvb, offset);
|
2015-11-27 22:06:01 +00:00
|
|
|
offset = 0;
|
2005-12-09 16:46:24 +00:00
|
|
|
|
2007-06-24 17:23:55 +00:00
|
|
|
goto one_more_pdu;
|
|
|
|
|
}
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2009-06-30 10:38:00 +00:00
|
|
|
static void
|
|
|
|
|
ldap_frame_end(void)
|
|
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
ldap_found_in_frame = FALSE;
|
|
|
|
|
attr_type = NULL;
|
|
|
|
|
ldapvalue_string = NULL;
|
2012-04-10 15:48:26 +00:00
|
|
|
/* ? */
|
2015-11-27 22:06:01 +00:00
|
|
|
attributedesc_string = NULL;
|
|
|
|
|
Filter_string = NULL;
|
|
|
|
|
and_filter_string = NULL;
|
|
|
|
|
object_identifier_id = NULL;
|
|
|
|
|
or_filter_string = NULL;
|
2012-04-10 15:48:26 +00:00
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
substring_item_any = NULL;
|
|
|
|
|
substring_item_final = NULL;
|
|
|
|
|
substring_item_init = NULL;
|
|
|
|
|
substring_value = NULL;
|
2012-04-10 15:48:26 +00:00
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
ldm_tree = NULL;
|
2012-04-10 15:48:26 +00:00
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
Filter_elements = 0;
|
|
|
|
|
Filter_length = 0;
|
|
|
|
|
do_protocolop = FALSE;
|
|
|
|
|
result = 0;
|
2012-04-10 15:48:26 +00:00
|
|
|
|
|
|
|
|
/* seems to be ok, but reset just in case */
|
2015-11-27 22:06:01 +00:00
|
|
|
matching_rule_string = NULL;
|
2009-06-30 10:38:00 +00:00
|
|
|
}
|
|
|
|
|
|
2005-12-09 16:46:24 +00:00
|
|
|
static void
|
2015-11-27 22:06:01 +00:00
|
|
|
dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean is_mscldap)
|
2005-12-09 16:46:24 +00:00
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
int offset = 0;
|
|
|
|
|
conversation_t *conversation;
|
|
|
|
|
gboolean doing_sasl_security = FALSE;
|
|
|
|
|
guint length_remaining;
|
|
|
|
|
ldap_conv_info_t *ldap_info = NULL;
|
|
|
|
|
proto_item *ldap_item = NULL;
|
|
|
|
|
proto_tree *ldap_tree = NULL;
|
|
|
|
|
|
|
|
|
|
ldm_tree = NULL;
|
|
|
|
|
|
|
|
|
|
conversation = find_or_create_conversation(pinfo);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Do we already have a type and mechanism?
|
|
|
|
|
*/
|
|
|
|
|
ldap_info = (ldap_conv_info_t *)conversation_get_proto_data(conversation, proto_ldap);
|
|
|
|
|
if (ldap_info == NULL) {
|
|
|
|
|
/* No. Attach that information to the conversation, and add
|
|
|
|
|
* it to the list of information structures.
|
|
|
|
|
*/
|
2016-07-20 02:49:32 +00:00
|
|
|
ldap_info = wmem_new0(wmem_file_scope(), ldap_conv_info_t);
|
|
|
|
|
ldap_info->matched=wmem_map_new(wmem_file_scope(), ldap_info_hash_matched, ldap_info_equal_matched);
|
|
|
|
|
ldap_info->unmatched=wmem_map_new(wmem_file_scope(), ldap_info_hash_unmatched, ldap_info_equal_unmatched);
|
2015-11-27 22:06:01 +00:00
|
|
|
|
|
|
|
|
conversation_add_proto_data(conversation, proto_ldap, ldap_info);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch (ldap_info->auth_type) {
|
|
|
|
|
case LDAP_AUTH_SASL:
|
|
|
|
|
/*
|
|
|
|
|
* It's SASL; are we using a security layer?
|
|
|
|
|
*/
|
|
|
|
|
if (ldap_info->first_auth_frame != 0 &&
|
2016-01-24 03:40:51 +00:00
|
|
|
pinfo->num >= ldap_info->first_auth_frame) {
|
2015-11-27 22:06:01 +00:00
|
|
|
doing_sasl_security = TRUE; /* yes */
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
length_remaining = tvb_ensure_captured_length_remaining(tvb, offset);
|
|
|
|
|
|
|
|
|
|
/* It might still be a packet containing a SASL security layer
|
|
|
|
|
* but it's just that we never saw the BIND packet.
|
|
|
|
|
* check if it looks like it could be a SASL blob here
|
|
|
|
|
* and in that case just assume it is GSS-SPNEGO
|
|
|
|
|
*/
|
|
|
|
|
if(!doing_sasl_security && (tvb_bytes_exist(tvb, offset, 5))
|
|
|
|
|
&&(tvb_get_ntohl(tvb, offset)<=(guint)(tvb_reported_length_remaining(tvb, offset)-4))
|
|
|
|
|
&&(tvb_get_guint8(tvb, offset+4)==0x60) ){
|
|
|
|
|
ldap_info->auth_type=LDAP_AUTH_SASL;
|
2016-01-24 03:40:51 +00:00
|
|
|
ldap_info->first_auth_frame=pinfo->num;
|
2016-04-21 15:26:38 +00:00
|
|
|
ldap_info->auth_mech=wmem_strdup(wmem_file_scope(), "GSS-SPNEGO");
|
2015-11-27 22:06:01 +00:00
|
|
|
doing_sasl_security=TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* This is the first PDU, set the Protocol column and clear the
|
|
|
|
|
* Info column.
|
|
|
|
|
*/
|
|
|
|
|
col_set_str(pinfo->cinfo, COL_PROTOCOL, pinfo->current_proto);
|
|
|
|
|
|
|
|
|
|
if(ldap_found_in_frame) {
|
|
|
|
|
/* we have already dissected an ldap PDU in this frame - add a separator and set a fence */
|
|
|
|
|
col_append_str(pinfo->cinfo, COL_INFO, " | ");
|
|
|
|
|
col_set_fence(pinfo->cinfo, COL_INFO);
|
|
|
|
|
} else {
|
|
|
|
|
col_clear(pinfo->cinfo, COL_INFO);
|
|
|
|
|
register_frame_end_routine (pinfo, ldap_frame_end);
|
|
|
|
|
ldap_found_in_frame = TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ldap_item = proto_tree_add_item(tree, is_mscldap?proto_cldap:proto_ldap, tvb, 0, -1, ENC_NA);
|
|
|
|
|
ldap_tree = proto_item_add_subtree(ldap_item, ett_ldap);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Might we be doing a SASL security layer and, if so, *are* we doing
|
|
|
|
|
* one?
|
|
|
|
|
*
|
|
|
|
|
* Just because we've seen a bind reply for SASL, that doesn't mean
|
|
|
|
|
* that we're using a SASL security layer; I've seen captures in
|
|
|
|
|
* which some SASL negotiations lead to a security layer being used
|
|
|
|
|
* and other negotiations don't, and it's not obvious what's different
|
|
|
|
|
* in the two negotiations. Therefore, we assume that if the first
|
|
|
|
|
* byte is 0, it's a length for a SASL security layer (that way, we
|
|
|
|
|
* never reassemble more than 16 megabytes, protecting us from
|
|
|
|
|
* chewing up *too* much memory), and otherwise that it's an LDAP
|
|
|
|
|
* message (actually, if it's an LDAP message it should begin with 0x30,
|
|
|
|
|
* but we want to parse garbage as LDAP messages rather than really
|
|
|
|
|
* huge lengths).
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
if (doing_sasl_security && tvb_get_guint8(tvb, offset) == 0) {
|
|
|
|
|
proto_tree *sasl_tree;
|
|
|
|
|
tvbuff_t *sasl_tvb;
|
|
|
|
|
guint sasl_len, sasl_msg_len, length;
|
|
|
|
|
/*
|
|
|
|
|
* Yes. The frame begins with a 4-byte big-endian length.
|
|
|
|
|
* And we know we have at least 6 bytes
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Get the SASL length, which is the length of data in the buffer
|
|
|
|
|
* following the length (i.e., it's 4 less than the total length).
|
|
|
|
|
*
|
|
|
|
|
* XXX - do we need to reassemble buffers? For now, we
|
|
|
|
|
* assume that each LDAP message is entirely contained within
|
|
|
|
|
* a buffer.
|
|
|
|
|
*/
|
|
|
|
|
sasl_len = tvb_get_ntohl(tvb, offset);
|
|
|
|
|
sasl_msg_len = sasl_len + 4;
|
|
|
|
|
if (sasl_msg_len < 4) {
|
|
|
|
|
/*
|
|
|
|
|
* The message length was probably so large that the total length
|
|
|
|
|
* overflowed.
|
|
|
|
|
*
|
|
|
|
|
* Report this as an error.
|
|
|
|
|
*/
|
|
|
|
|
show_reported_bounds_error(tvb, pinfo, tree);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Construct a tvbuff containing the amount of the payload we have
|
|
|
|
|
* available. Make its reported length the amount of data in the PDU.
|
|
|
|
|
*
|
|
|
|
|
* XXX - if reassembly isn't enabled. the subdissector will throw a
|
|
|
|
|
* BoundsError exception, rather than a ReportedBoundsError exception.
|
|
|
|
|
* We really want a tvbuff where the length is "length", the reported
|
|
|
|
|
* length is "plen", and the "if the snapshot length were infinite"
|
|
|
|
|
* length is the minimum of the reported length of the tvbuff handed
|
|
|
|
|
* to us and "plen", with a new type of exception thrown if the offset
|
|
|
|
|
* is within the reported length but beyond that third length, with
|
|
|
|
|
* that exception getting the "Unreassembled Packet" error.
|
|
|
|
|
*/
|
|
|
|
|
length = length_remaining;
|
|
|
|
|
if (length > sasl_msg_len) length = sasl_msg_len;
|
2017-01-10 06:18:49 +00:00
|
|
|
sasl_tvb = tvb_new_subset_length_caplen(tvb, offset, length, sasl_msg_len);
|
2015-11-27 22:06:01 +00:00
|
|
|
|
|
|
|
|
proto_tree_add_uint(ldap_tree, hf_ldap_sasl_buffer_length, sasl_tvb, 0, 4, sasl_len);
|
|
|
|
|
|
|
|
|
|
sasl_tree = proto_tree_add_subtree(ldap_tree, sasl_tvb, 0, sasl_msg_len, ett_ldap_sasl_blob, NULL, "SASL Buffer");
|
|
|
|
|
|
|
|
|
|
if (ldap_info->auth_mech != NULL &&
|
|
|
|
|
((strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) ||
|
|
|
|
|
/* auth_mech may have been set from the bind */
|
|
|
|
|
(strcmp(ldap_info->auth_mech, "GSSAPI") == 0))) {
|
|
|
|
|
tvbuff_t *gssapi_tvb, *plain_tvb = NULL, *decr_tvb= NULL;
|
|
|
|
|
int ver_len;
|
|
|
|
|
int tmp_length;
|
|
|
|
|
gssapi_encrypt_info_t gssapi_encrypt;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* This is GSS-API (using SPNEGO, but we should be done with
|
|
|
|
|
* the negotiation by now).
|
|
|
|
|
*
|
|
|
|
|
* Dissect the GSS_Wrap() token; it'll return the length of
|
|
|
|
|
* the token, from which we compute the offset in the tvbuff at
|
|
|
|
|
* which the plaintext data, i.e. the LDAP message, begins.
|
|
|
|
|
*/
|
|
|
|
|
tmp_length = tvb_reported_length_remaining(sasl_tvb, 4);
|
|
|
|
|
if ((guint)tmp_length > sasl_len)
|
|
|
|
|
tmp_length = sasl_len;
|
2017-01-10 06:18:49 +00:00
|
|
|
gssapi_tvb = tvb_new_subset_length_caplen(sasl_tvb, 4, tmp_length, sasl_len);
|
2015-11-27 22:06:01 +00:00
|
|
|
|
|
|
|
|
/* Attempt decryption of the GSSAPI wrapped data if possible */
|
|
|
|
|
gssapi_encrypt.gssapi_data_encrypted = FALSE;
|
|
|
|
|
gssapi_encrypt.decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL;
|
|
|
|
|
gssapi_encrypt.gssapi_wrap_tvb=NULL;
|
|
|
|
|
gssapi_encrypt.gssapi_encrypted_tvb=NULL;
|
|
|
|
|
gssapi_encrypt.gssapi_decrypted_tvb=NULL;
|
|
|
|
|
ver_len = call_dissector_with_data(gssapi_wrap_handle, gssapi_tvb, pinfo, sasl_tree, &gssapi_encrypt);
|
|
|
|
|
/* if we could unwrap, do a tvb shuffle */
|
|
|
|
|
if(gssapi_encrypt.gssapi_decrypted_tvb){
|
|
|
|
|
decr_tvb=gssapi_encrypt.gssapi_decrypted_tvb;
|
|
|
|
|
} else if (gssapi_encrypt.gssapi_wrap_tvb) {
|
|
|
|
|
plain_tvb=gssapi_encrypt.gssapi_wrap_tvb;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* if len is 0 it probably mean that we got a PDU that is not
|
|
|
|
|
* aligned to the start of the segment.
|
|
|
|
|
*/
|
|
|
|
|
if(ver_len==0){
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* if we don't have unwrapped data,
|
|
|
|
|
* see if the wrapping involved encryption of the
|
|
|
|
|
* data; if not, just use the plaintext data.
|
|
|
|
|
*/
|
|
|
|
|
if (!decr_tvb && !plain_tvb) {
|
|
|
|
|
if(!gssapi_encrypt.gssapi_data_encrypted){
|
|
|
|
|
plain_tvb = tvb_new_subset_remaining(gssapi_tvb, ver_len);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (decr_tvb) {
|
|
|
|
|
proto_tree *enc_tree = NULL;
|
|
|
|
|
guint decr_len = tvb_reported_length(decr_tvb);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The LDAP message was encrypted in the packet, and has
|
|
|
|
|
* been decrypted; dissect the decrypted LDAP message.
|
|
|
|
|
*/
|
|
|
|
|
col_set_str(pinfo->cinfo, COL_INFO, "SASL GSS-API Privacy (decrypted): ");
|
|
|
|
|
|
|
|
|
|
if (sasl_tree) {
|
|
|
|
|
enc_tree = proto_tree_add_subtree_format(sasl_tree, decr_tvb, 0, -1,
|
|
|
|
|
ett_ldap_payload, NULL, "GSS-API Encrypted payload (%d byte%s)",
|
|
|
|
|
decr_len, plurality(decr_len, "", "s"));
|
|
|
|
|
}
|
|
|
|
|
dissect_ldap_payload(decr_tvb, pinfo, enc_tree, ldap_info, is_mscldap);
|
|
|
|
|
} else if (plain_tvb) {
|
|
|
|
|
proto_tree *plain_tree = NULL;
|
|
|
|
|
guint plain_len = tvb_reported_length(plain_tvb);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The LDAP message wasn't encrypted in the packet;
|
|
|
|
|
* dissect the plain LDAP message.
|
|
|
|
|
*/
|
|
|
|
|
col_set_str(pinfo->cinfo, COL_INFO, "SASL GSS-API Integrity: ");
|
|
|
|
|
|
|
|
|
|
if (sasl_tree) {
|
|
|
|
|
plain_tree = proto_tree_add_subtree_format(sasl_tree, plain_tvb, 0, -1,
|
|
|
|
|
ett_ldap_payload, NULL, "GSS-API payload (%d byte%s)",
|
|
|
|
|
plain_len, plurality(plain_len, "", "s"));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dissect_ldap_payload(plain_tvb, pinfo, plain_tree, ldap_info, is_mscldap);
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* The LDAP message was encrypted in the packet, and was
|
|
|
|
|
* not decrypted; just show it as encrypted data.
|
|
|
|
|
*/
|
|
|
|
|
col_add_fstr(pinfo->cinfo, COL_INFO, "SASL GSS-API Privacy: payload (%d byte%s)",
|
|
|
|
|
sasl_len - ver_len,
|
|
|
|
|
plurality(sasl_len - ver_len, "", "s"));
|
|
|
|
|
|
|
|
|
|
proto_tree_add_item(sasl_tree, hf_ldap_gssapi_encrypted_payload, gssapi_tvb, ver_len, -1, ENC_NA);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
/* plain LDAP, so dissect the payload */
|
|
|
|
|
dissect_ldap_payload(tvb, pinfo, ldap_tree, ldap_info, is_mscldap);
|
|
|
|
|
}
|
2005-12-09 16:46:24 +00:00
|
|
|
}
|
2006-05-08 17:52:42 +00:00
|
|
|
|
2011-02-23 00:51:02 +00:00
|
|
|
/*
|
|
|
|
|
* prepend_dot is no longer used, but is being left in place in order to
|
|
|
|
|
* maintain ABI compatibility.
|
|
|
|
|
*/
|
|
|
|
|
int dissect_mscldap_string(tvbuff_t *tvb, int offset, char *str, int max_len, gboolean prepend_dot _U_)
|
2006-05-08 17:52:42 +00:00
|
|
|
{
|
2011-02-23 00:51:02 +00:00
|
|
|
int compr_len;
|
|
|
|
|
const guchar *name;
|
2017-01-04 14:53:56 +00:00
|
|
|
guint name_len;
|
2006-05-08 17:52:42 +00:00
|
|
|
|
2011-02-23 00:51:02 +00:00
|
|
|
/* The name data MUST start at offset 0 of the tvb */
|
2017-01-04 14:53:56 +00:00
|
|
|
compr_len = get_dns_name(tvb, offset, max_len, 0, &name, &name_len);
|
2017-01-19 21:34:26 +00:00
|
|
|
g_strlcpy(str, name, max_len);
|
2011-02-23 00:51:02 +00:00
|
|
|
return offset + compr_len;
|
2006-05-08 17:52:42 +00:00
|
|
|
}
|
|
|
|
|
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2009-10-09 21:41:06 +00:00
|
|
|
/* These are the cldap DC flags
|
2008-08-06 06:53:04 +00:00
|
|
|
http://msdn.microsoft.com/en-us/library/cc201036.aspx
|
2006-05-08 17:52:42 +00:00
|
|
|
*/
|
|
|
|
|
static const true_false_string tfs_ads_pdc = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"This is a PDC",
|
|
|
|
|
"This is NOT a pdc"
|
2006-05-08 17:52:42 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ads_gc = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"This is a GLOBAL CATALOGUE of forest",
|
|
|
|
|
"This is NOT a global catalog of forest"
|
2006-05-08 17:52:42 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ads_ldap = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"This is an LDAP server",
|
|
|
|
|
"This is NOT an ldap server"
|
2006-05-08 17:52:42 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ads_ds = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"This dc supports DS",
|
|
|
|
|
"This dc does NOT support ds"
|
2006-05-08 17:52:42 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ads_kdc = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"This is a KDC (kerberos)",
|
|
|
|
|
"This is NOT a kdc (kerberos)"
|
2006-05-08 17:52:42 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ads_timeserv = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"This dc is running TIME SERVICES (ntp)",
|
|
|
|
|
"This dc is NOT running time services (ntp)"
|
2006-05-08 17:52:42 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ads_closest = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"This server is in the same site as the client",
|
|
|
|
|
"This server is NOT in the same site as the client"
|
2006-05-08 17:52:42 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ads_writable = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"This dc is WRITABLE",
|
|
|
|
|
"This dc is NOT writable"
|
2006-05-08 17:52:42 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ads_good_timeserv = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"This dc has a GOOD TIME SERVICE (i.e. hardware clock)",
|
|
|
|
|
"This dc does NOT have a good time service (i.e. no hardware clock)"
|
2006-05-08 17:52:42 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ads_ndnc = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"Domain is NON-DOMAIN NC serviced by ldap server",
|
|
|
|
|
"Domain is NOT non-domain nc serviced by ldap server"
|
2006-05-08 17:52:42 +00:00
|
|
|
};
|
2008-08-06 06:53:04 +00:00
|
|
|
static const true_false_string tfs_ads_rodc = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"Domain controller is a Windows 2008 RODC",
|
|
|
|
|
"Domain controller is not a Windows 2008 RODC"
|
2008-08-06 06:53:04 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ads_wdc = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"Domain controller is a Windows 2008 writable NC",
|
|
|
|
|
"Domain controller is not a Windows 2008 writable NC"
|
2008-08-06 06:53:04 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ads_dns = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"Server name is in DNS format (Windows 2008)",
|
|
|
|
|
"Server name is not in DNS format (Windows 2008)"
|
2008-08-06 06:53:04 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ads_dnc = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"The NC is the default NC (Windows 2008)",
|
|
|
|
|
"The NC is not the default NC (Windows 2008)"
|
2008-08-06 06:53:04 +00:00
|
|
|
};
|
|
|
|
|
static const true_false_string tfs_ads_fnc = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"The NC is the default forest NC(Windows 2008)",
|
|
|
|
|
"The NC is not the default forest NC (Windows 2008)"
|
2008-08-06 06:53:04 +00:00
|
|
|
};
|
2006-05-08 17:52:42 +00:00
|
|
|
static int dissect_mscldap_netlogon_flags(proto_tree *parent_tree, tvbuff_t *tvb, int offset)
|
|
|
|
|
{
|
2015-04-22 11:57:37 +00:00
|
|
|
static const int * flags[] = {
|
|
|
|
|
&hf_mscldap_netlogon_flags_fnc,
|
|
|
|
|
&hf_mscldap_netlogon_flags_dnc,
|
|
|
|
|
&hf_mscldap_netlogon_flags_dns,
|
|
|
|
|
&hf_mscldap_netlogon_flags_wdc,
|
|
|
|
|
&hf_mscldap_netlogon_flags_rodc,
|
|
|
|
|
&hf_mscldap_netlogon_flags_ndnc,
|
|
|
|
|
&hf_mscldap_netlogon_flags_good_timeserv,
|
|
|
|
|
&hf_mscldap_netlogon_flags_writable,
|
|
|
|
|
&hf_mscldap_netlogon_flags_closest,
|
|
|
|
|
&hf_mscldap_netlogon_flags_timeserv,
|
|
|
|
|
&hf_mscldap_netlogon_flags_kdc,
|
|
|
|
|
&hf_mscldap_netlogon_flags_ds,
|
|
|
|
|
&hf_mscldap_netlogon_flags_ldap,
|
|
|
|
|
&hf_mscldap_netlogon_flags_gc,
|
|
|
|
|
&hf_mscldap_netlogon_flags_pdc,
|
|
|
|
|
NULL
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
proto_tree_add_bitmask_with_flags(parent_tree, tvb, offset, hf_mscldap_netlogon_flags,
|
|
|
|
|
ett_mscldap_netlogon_flags, flags, ENC_LITTLE_ENDIAN, BMT_NO_FALSE);
|
2006-05-08 17:52:42 +00:00
|
|
|
offset += 4;
|
|
|
|
|
|
|
|
|
|
return offset;
|
|
|
|
|
}
|
|
|
|
|
|
2015-11-24 23:03:04 +00:00
|
|
|
static int dissect_NetLogon_PDU(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void* data _U_)
|
2006-05-08 17:52:42 +00:00
|
|
|
{
|
|
|
|
|
int old_offset, offset=0;
|
|
|
|
|
char str[256];
|
2008-08-06 06:53:04 +00:00
|
|
|
guint16 itype;
|
|
|
|
|
guint16 len;
|
|
|
|
|
guint32 version;
|
|
|
|
|
const char *fn;
|
|
|
|
|
int fn_len;
|
|
|
|
|
guint16 bc;
|
|
|
|
|
proto_item *item;
|
2006-05-08 17:52:42 +00:00
|
|
|
|
2006-06-28 22:07:23 +00:00
|
|
|
ldm_tree = NULL;
|
|
|
|
|
|
2006-05-08 17:52:42 +00:00
|
|
|
|
2008-08-06 06:53:04 +00:00
|
|
|
/* Get the length of the buffer */
|
2014-06-21 00:36:59 +00:00
|
|
|
len=tvb_reported_length_remaining(tvb,offset);
|
2008-08-06 06:53:04 +00:00
|
|
|
|
|
|
|
|
/* check the len if it is to small return */
|
2015-11-24 23:03:04 +00:00
|
|
|
if (len < 10)
|
|
|
|
|
return tvb_captured_length(tvb);
|
2009-10-09 21:41:06 +00:00
|
|
|
|
2006-05-08 17:52:42 +00:00
|
|
|
/* Type */
|
2011-01-06 22:24:10 +00:00
|
|
|
proto_tree_add_item(tree, hf_mscldap_netlogon_opcode, tvb, offset, 2, ENC_LITTLE_ENDIAN);
|
2008-08-06 06:53:04 +00:00
|
|
|
itype = tvb_get_letohs(tvb, offset);
|
2011-01-06 22:24:10 +00:00
|
|
|
offset += 2;
|
2008-08-06 06:53:04 +00:00
|
|
|
|
|
|
|
|
switch(itype){
|
2009-10-09 21:41:06 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
case LOGON_SAM_LOGON_RESPONSE:
|
2014-09-14 00:10:49 +00:00
|
|
|
bc = tvb_reported_length_remaining(tvb, offset);
|
2014-09-13 23:49:50 +00:00
|
|
|
/* logon server name */
|
|
|
|
|
fn = get_unicode_or_ascii_string(tvb,&offset,TRUE,&fn_len,FALSE,FALSE,&bc);
|
|
|
|
|
proto_tree_add_string(tree, hf_mscldap_nb_hostname, tvb,offset, fn_len, fn);
|
|
|
|
|
offset +=fn_len;
|
|
|
|
|
|
|
|
|
|
/* username */
|
|
|
|
|
fn = get_unicode_or_ascii_string(tvb,&offset,TRUE,&fn_len,FALSE,FALSE,&bc);
|
|
|
|
|
proto_tree_add_string(tree, hf_mscldap_username, tvb,offset, fn_len, fn);
|
|
|
|
|
offset +=fn_len;
|
|
|
|
|
|
|
|
|
|
/* domain name */
|
|
|
|
|
fn = get_unicode_or_ascii_string(tvb,&offset,TRUE,&fn_len,FALSE,FALSE,&bc);
|
|
|
|
|
proto_tree_add_string(tree, hf_mscldap_nb_domain, tvb,offset, fn_len, fn);
|
|
|
|
|
offset +=fn_len;
|
|
|
|
|
|
2014-09-14 00:10:49 +00:00
|
|
|
/* get the version number from the end of the buffer, as the
|
|
|
|
|
length is variable and the version determines what fields
|
|
|
|
|
need to be decoded */
|
|
|
|
|
version = tvb_get_letohl(tvb,len-8);
|
|
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* include the extra version 5 fields */
|
|
|
|
|
if ((version & NETLOGON_NT_VERSION_5) == NETLOGON_NT_VERSION_5){
|
|
|
|
|
|
|
|
|
|
/* domain guid */
|
|
|
|
|
proto_tree_add_item(tree, hf_mscldap_domain_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
|
|
|
|
|
offset += 16;
|
|
|
|
|
|
|
|
|
|
/* domain guid part 2
|
|
|
|
|
there is another 16 byte guid but this is alway zero, so we will skip it */
|
|
|
|
|
offset += 16;
|
|
|
|
|
|
|
|
|
|
/* Forest */
|
|
|
|
|
old_offset=offset;
|
|
|
|
|
offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
|
|
|
|
|
proto_tree_add_string(tree, hf_mscldap_forest, tvb, old_offset, offset-old_offset, str);
|
|
|
|
|
|
|
|
|
|
/* Domain */
|
|
|
|
|
old_offset=offset;
|
|
|
|
|
offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
|
|
|
|
|
proto_tree_add_string(tree, hf_mscldap_domain, tvb, old_offset, offset-old_offset, str);
|
|
|
|
|
|
|
|
|
|
/* Hostname */
|
|
|
|
|
old_offset=offset;
|
|
|
|
|
offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
|
|
|
|
|
proto_tree_add_string(tree, hf_mscldap_hostname, tvb, old_offset, offset-old_offset, str);
|
|
|
|
|
|
|
|
|
|
/* DC IP Address */
|
2017-05-16 18:48:34 +00:00
|
|
|
proto_tree_add_item(tree, hf_mscldap_netlogon_ipaddress, tvb, offset, 4, ENC_BIG_ENDIAN);
|
2014-09-13 23:49:50 +00:00
|
|
|
offset += 4;
|
|
|
|
|
|
|
|
|
|
/* Flags */
|
|
|
|
|
offset = dissect_mscldap_netlogon_flags(tree, tvb, offset);
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
}
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
break;
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
case LOGON_SAM_LOGON_RESPONSE_EX:
|
|
|
|
|
/* MS-ADTS 7.3.1.9 */
|
|
|
|
|
offset += 2; /* Skip over "Sbz" field (MUST be set to 0) */
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* Flags */
|
|
|
|
|
offset = dissect_mscldap_netlogon_flags(tree, tvb, offset);
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* Domain GUID */
|
|
|
|
|
proto_tree_add_item(tree, hf_mscldap_domain_guid, tvb, offset, 16, ENC_LITTLE_ENDIAN);
|
|
|
|
|
offset += 16;
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* Forest */
|
|
|
|
|
old_offset=offset;
|
|
|
|
|
offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
|
|
|
|
|
proto_tree_add_string(tree, hf_mscldap_forest, tvb, old_offset, offset-old_offset, str);
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* Domain */
|
|
|
|
|
old_offset=offset;
|
|
|
|
|
offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
|
|
|
|
|
proto_tree_add_string(tree, hf_mscldap_domain, tvb, old_offset, offset-old_offset, str);
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* Hostname */
|
|
|
|
|
old_offset=offset;
|
|
|
|
|
offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
|
|
|
|
|
proto_tree_add_string(tree, hf_mscldap_hostname, tvb, old_offset, offset-old_offset, str);
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* NetBIOS Domain */
|
|
|
|
|
old_offset=offset;
|
|
|
|
|
offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
|
|
|
|
|
proto_tree_add_string(tree, hf_mscldap_nb_domain, tvb, old_offset, offset-old_offset, str);
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* NetBIOS Hostname */
|
|
|
|
|
old_offset=offset;
|
|
|
|
|
offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
|
|
|
|
|
proto_tree_add_string(tree, hf_mscldap_nb_hostname, tvb, old_offset, offset-old_offset, str);
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* User */
|
|
|
|
|
old_offset=offset;
|
|
|
|
|
offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
|
|
|
|
|
proto_tree_add_string(tree, hf_mscldap_username, tvb, old_offset, offset-old_offset, str);
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* Server Site */
|
|
|
|
|
old_offset=offset;
|
|
|
|
|
offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
|
|
|
|
|
proto_tree_add_string(tree, hf_mscldap_sitename, tvb, old_offset, offset-old_offset, str);
|
2009-10-09 21:41:06 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* Client Site */
|
|
|
|
|
old_offset=offset;
|
|
|
|
|
offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
|
|
|
|
|
proto_tree_add_string(tree, hf_mscldap_clientsitename, tvb, old_offset, offset-old_offset, str);
|
2009-10-09 21:41:06 +00:00
|
|
|
|
2014-09-14 00:10:49 +00:00
|
|
|
/* get the version number from the end of the buffer, as the
|
|
|
|
|
length is variable and the version determines what fields
|
|
|
|
|
need to be decoded */
|
|
|
|
|
version = tvb_get_letohl(tvb,len-8);
|
|
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* include the extra fields for version 5 with IP s */
|
|
|
|
|
if ((version & NETLOGON_NT_VERSION_5EX_WITH_IP) == NETLOGON_NT_VERSION_5EX_WITH_IP){
|
|
|
|
|
/* The ip address is returned as a sockaddr_in structure
|
|
|
|
|
*
|
|
|
|
|
* This section may need to be updated if the base Windows APIs
|
|
|
|
|
* are changed to support ipv6, which currently is not the case.
|
|
|
|
|
*
|
|
|
|
|
* The desector assumes the length is based on ipv4 and
|
|
|
|
|
* ignores the length
|
|
|
|
|
*/
|
2009-10-09 21:41:06 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* skip the length of the sockaddr_in */
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
offset +=1;
|
2009-10-09 21:41:06 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* add IP address and desect the sockaddr_in structure */
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
old_offset = offset + 4;
|
2017-05-16 18:48:34 +00:00
|
|
|
item = proto_tree_add_item(tree, hf_mscldap_netlogon_ipaddress, tvb, old_offset, 4, ENC_BIG_ENDIAN);
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
if (tree){
|
|
|
|
|
proto_tree *subtree;
|
2009-10-09 21:41:06 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
subtree = proto_item_add_subtree(item, ett_mscldap_ipdetails);
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* get sockaddr family */
|
|
|
|
|
proto_tree_add_item(subtree, hf_mscldap_netlogon_ipaddress_family, tvb, offset, 2, ENC_LITTLE_ENDIAN);
|
|
|
|
|
offset +=2;
|
2009-10-09 21:41:06 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* get sockaddr port */
|
|
|
|
|
proto_tree_add_item(subtree, hf_mscldap_netlogon_ipaddress_port, tvb, offset, 2, ENC_LITTLE_ENDIAN);
|
|
|
|
|
offset +=2;
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* get IP address */
|
2017-05-16 18:48:34 +00:00
|
|
|
proto_tree_add_item(subtree, hf_mscldap_netlogon_ipaddress_ipv4, tvb, offset, 4, ENC_BIG_ENDIAN);
|
2014-09-13 23:49:50 +00:00
|
|
|
offset +=4;
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
/* skip the 8 bytes of zeros in the sockaddr structure */
|
|
|
|
|
offset += 8;
|
|
|
|
|
}
|
2006-05-08 17:52:42 +00:00
|
|
|
|
2014-09-13 23:49:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
break;
|
2009-10-09 21:41:06 +00:00
|
|
|
}
|
2008-08-06 06:53:04 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
/* complete the decode with the version and token details */
|
2006-06-28 22:07:23 +00:00
|
|
|
|
2008-08-06 06:53:04 +00:00
|
|
|
offset = len-8;
|
2009-10-09 21:41:06 +00:00
|
|
|
|
2011-01-06 18:50:39 +00:00
|
|
|
/* NETLOGON_NT_VERISON Options (MS-ADTS 7.3.1.1) */
|
|
|
|
|
offset = dissect_mscldap_ntver_flags(tree, tvb, offset);
|
2006-05-08 17:52:42 +00:00
|
|
|
|
|
|
|
|
/* LM Token */
|
2011-10-06 16:50:13 +00:00
|
|
|
proto_tree_add_item(tree, hf_mscldap_netlogon_lm_token, tvb, offset, 2, ENC_LITTLE_ENDIAN);
|
2006-05-08 17:52:42 +00:00
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
|
|
/* NT Token */
|
2011-10-06 16:50:13 +00:00
|
|
|
proto_tree_add_item(tree, hf_mscldap_netlogon_nt_token, tvb, offset, 2, ENC_LITTLE_ENDIAN);
|
2006-05-08 17:52:42 +00:00
|
|
|
|
2015-11-24 23:03:04 +00:00
|
|
|
return tvb_captured_length(tvb);
|
2006-05-08 17:52:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2006-06-28 22:07:23 +00:00
|
|
|
static guint
|
2015-01-25 19:30:13 +00:00
|
|
|
get_sasl_ldap_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb,
|
|
|
|
|
int offset, void *data _U_)
|
2006-06-14 11:51:25 +00:00
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
/* sasl encapsulated ldap is 4 bytes plus the length in size */
|
|
|
|
|
return tvb_get_ntohl(tvb, offset)+4;
|
2006-06-14 11:51:25 +00:00
|
|
|
}
|
|
|
|
|
|
2013-11-09 17:46:28 +00:00
|
|
|
static int
|
|
|
|
|
dissect_sasl_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
|
2006-06-14 11:51:25 +00:00
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
dissect_ldap_pdu(tvb, pinfo, tree, FALSE);
|
|
|
|
|
return tvb_captured_length(tvb);
|
2006-06-14 11:51:25 +00:00
|
|
|
}
|
|
|
|
|
|
2006-06-28 22:07:23 +00:00
|
|
|
static guint
|
2015-01-25 19:30:13 +00:00
|
|
|
get_normal_ldap_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb,
|
|
|
|
|
int offset, void *data _U_)
|
2006-06-14 11:51:25 +00:00
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
guint32 len;
|
|
|
|
|
gboolean ind;
|
|
|
|
|
int data_offset;
|
|
|
|
|
|
|
|
|
|
/* normal ldap is tag+len bytes plus the length
|
|
|
|
|
* offset is where the tag is
|
|
|
|
|
* offset+1 is where length starts
|
|
|
|
|
*/
|
|
|
|
|
data_offset=get_ber_length(tvb, offset+1, &len, &ind);
|
|
|
|
|
return len+data_offset-offset;
|
2006-06-14 11:51:25 +00:00
|
|
|
}
|
|
|
|
|
|
2013-11-09 17:46:28 +00:00
|
|
|
static int
|
|
|
|
|
dissect_normal_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
|
2006-06-14 11:51:25 +00:00
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
dissect_ldap_pdu(tvb, pinfo, tree, FALSE);
|
|
|
|
|
return tvb_captured_length(tvb);
|
2006-06-14 11:51:25 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-24 23:03:04 +00:00
|
|
|
static int
|
|
|
|
|
dissect_ldap_oid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void* data _U_)
|
2006-08-06 14:04:07 +00:00
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
char *oid;
|
|
|
|
|
const char *oidname;
|
2006-08-06 14:04:07 +00:00
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
/* tvb here contains an ascii string that is really an oid */
|
2017-02-07 20:16:37 +00:00
|
|
|
/* XXX we should convert the string oid into a real oid so we can use
|
|
|
|
|
* proto_tree_add_oid() instead.
|
|
|
|
|
*/
|
2006-08-06 14:04:07 +00:00
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
oid=tvb_get_string_enc(wmem_packet_scope(), tvb, 0, tvb_reported_length(tvb), ENC_UTF_8|ENC_NA);
|
|
|
|
|
if(!oid){
|
|
|
|
|
return tvb_captured_length(tvb);
|
|
|
|
|
}
|
2006-08-06 14:04:07 +00:00
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
oidname=oid_resolved_from_string(wmem_packet_scope(), oid);
|
2006-08-06 14:04:07 +00:00
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
if(oidname){
|
|
|
|
|
proto_tree_add_string_format_value(tree, hf_ldap_oid, tvb, 0, tvb_reported_length(tvb), oid, "%s (%s)",oid,oidname);
|
|
|
|
|
} else {
|
|
|
|
|
proto_tree_add_string(tree, hf_ldap_oid, tvb, 0, tvb_captured_length(tvb), oid);
|
|
|
|
|
}
|
|
|
|
|
return tvb_captured_length(tvb);
|
2006-08-06 14:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
#define LDAP_ACCESSMASK_ADS_CREATE_CHILD 0x00000001
|
|
|
|
|
#define LDAP_ACCESSMASK_ADS_DELETE_CHILD 0x00000002
|
|
|
|
|
#define LDAP_ACCESSMASK_ADS_LIST 0x00000004
|
|
|
|
|
#define LDAP_ACCESSMASK_ADS_SELF_WRITE 0x00000008
|
|
|
|
|
#define LDAP_ACCESSMASK_ADS_READ_PROP 0x00000010
|
|
|
|
|
#define LDAP_ACCESSMASK_ADS_WRITE_PROP 0x00000020
|
|
|
|
|
#define LDAP_ACCESSMASK_ADS_DELETE_TREE 0x00000040
|
|
|
|
|
#define LDAP_ACCESSMASK_ADS_LIST_OBJECT 0x00000080
|
|
|
|
|
#define LDAP_ACCESSMASK_ADS_CONTROL_ACCESS 0x00000100
|
2006-08-11 07:59:58 +00:00
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
ldap_specific_rights(tvbuff_t *tvb, gint offset, proto_tree *tree, guint32 access)
|
|
|
|
|
{
|
2016-06-15 03:17:25 +00:00
|
|
|
static const int * access_flags[] = {
|
|
|
|
|
&hf_ldap_AccessMask_ADS_CONTROL_ACCESS,
|
|
|
|
|
&hf_ldap_AccessMask_ADS_LIST_OBJECT,
|
|
|
|
|
&hf_ldap_AccessMask_ADS_DELETE_TREE,
|
|
|
|
|
&hf_ldap_AccessMask_ADS_WRITE_PROP,
|
|
|
|
|
&hf_ldap_AccessMask_ADS_READ_PROP,
|
|
|
|
|
&hf_ldap_AccessMask_ADS_SELF_WRITE,
|
|
|
|
|
&hf_ldap_AccessMask_ADS_LIST,
|
|
|
|
|
&hf_ldap_AccessMask_ADS_DELETE_CHILD,
|
|
|
|
|
&hf_ldap_AccessMask_ADS_CREATE_CHILD,
|
|
|
|
|
NULL
|
|
|
|
|
};
|
2006-08-11 07:59:58 +00:00
|
|
|
|
2016-06-15 03:17:25 +00:00
|
|
|
proto_tree_add_bitmask_list_value(tree, tvb, offset, 4, access_flags, access);
|
2006-08-11 07:59:58 +00:00
|
|
|
}
|
|
|
|
|
struct access_mask_info ldap_access_mask_info = {
|
2015-11-27 22:06:01 +00:00
|
|
|
"LDAP", /* Name of specific rights */
|
|
|
|
|
ldap_specific_rights, /* Dissection function */
|
|
|
|
|
NULL, /* Generic mapping table */
|
|
|
|
|
NULL /* Standard mapping table */
|
2006-08-11 07:59:58 +00:00
|
|
|
};
|
|
|
|
|
|
2015-11-24 23:03:04 +00:00
|
|
|
static int
|
|
|
|
|
dissect_ldap_nt_sec_desc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
|
2006-08-07 10:29:39 +00:00
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
dissect_nt_sec_desc(tvb, 0, pinfo, tree, NULL, TRUE, tvb_reported_length(tvb), &ldap_access_mask_info);
|
|
|
|
|
return tvb_captured_length(tvb);
|
2006-08-07 10:29:39 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-24 23:03:04 +00:00
|
|
|
static int
|
|
|
|
|
dissect_ldap_sid(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void* data _U_)
|
2006-08-07 10:19:37 +00:00
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
char *tmpstr;
|
2006-08-07 10:19:37 +00:00
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
/* this octet string contains an NT SID */
|
|
|
|
|
dissect_nt_sid(tvb, 0, tree, "SID", &tmpstr, hf_ldap_sid);
|
|
|
|
|
ldapvalue_string=tmpstr;
|
|
|
|
|
return tvb_captured_length(tvb);
|
2006-08-07 10:19:37 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-24 23:03:04 +00:00
|
|
|
static int
|
|
|
|
|
dissect_ldap_guid(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
|
2006-08-06 13:13:42 +00:00
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
|
|
|
|
|
e_guid_t uuid;
|
|
|
|
|
|
|
|
|
|
/* This octet string contained a GUID */
|
|
|
|
|
dissect_dcerpc_uuid_t(tvb, 0, pinfo, tree, drep, hf_ldap_guid, &uuid);
|
|
|
|
|
|
|
|
|
|
ldapvalue_string=(char*)wmem_alloc(wmem_packet_scope(), 1024);
|
|
|
|
|
g_snprintf(ldapvalue_string, 1023, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
|
|
|
|
|
uuid.data1, uuid.data2, uuid.data3, uuid.data4[0], uuid.data4[1],
|
|
|
|
|
uuid.data4[2], uuid.data4[3], uuid.data4[4], uuid.data4[5],
|
|
|
|
|
uuid.data4[6], uuid.data4[7]);
|
|
|
|
|
return tvb_captured_length(tvb);
|
2006-08-06 13:13:42 +00:00
|
|
|
}
|
2006-06-14 11:51:25 +00:00
|
|
|
|
2013-11-09 17:46:28 +00:00
|
|
|
static int
|
|
|
|
|
dissect_ldap_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
|
2005-12-09 16:46:24 +00:00
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
guint32 sasl_len;
|
|
|
|
|
guint32 ldap_len;
|
|
|
|
|
gboolean ind;
|
|
|
|
|
conversation_t *conversation;
|
|
|
|
|
ldap_conv_info_t *ldap_info = NULL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Do we have a conversation for this connection?
|
|
|
|
|
*/
|
2017-10-28 13:58:28 +00:00
|
|
|
conversation = find_conversation_pinfo(pinfo, 0);
|
2015-11-27 22:06:01 +00:00
|
|
|
if(conversation){
|
|
|
|
|
ldap_info = (ldap_conv_info_t *)conversation_get_proto_data(conversation, proto_ldap);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ldm_tree = NULL;
|
|
|
|
|
|
|
|
|
|
/* This is a bit tricky. We have to find out whether SASL is used
|
|
|
|
|
* so that we know how big a header we are supposed to pass
|
|
|
|
|
* to tcp_dissect_pdus()
|
|
|
|
|
* We must also cope with the case when a client connects to LDAP
|
|
|
|
|
* and performs a few unauthenticated searches of LDAP before
|
|
|
|
|
* it performs the bind on the same tcp connection.
|
|
|
|
|
*/
|
|
|
|
|
/* check for a SASL header, i.e. assume it is SASL if
|
|
|
|
|
* 1, first four bytes (SASL length) is an integer
|
|
|
|
|
* with a value that must be <LDAP_SASL_MAX_BUF and >2
|
|
|
|
|
* (>2 to fight false positives, 0x00000000 is a common
|
|
|
|
|
* "random" tcp payload)
|
|
|
|
|
* (SASL ldap PDUs might be >64k in size, which is why
|
|
|
|
|
* LDAP_SASL_MAX_BUF is used - defined in packet-ldap.h)
|
|
|
|
|
*
|
|
|
|
|
* 2, we must have a conversation and the auth type must
|
|
|
|
|
* be LDAP_AUTH_SASL
|
|
|
|
|
*/
|
|
|
|
|
sasl_len=tvb_get_ntohl(tvb, 0);
|
|
|
|
|
|
|
|
|
|
if( sasl_len<2 ){
|
|
|
|
|
goto this_was_not_sasl;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if( sasl_len>LDAP_SASL_MAX_BUF ){
|
|
|
|
|
goto this_was_not_sasl;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if((!ldap_info) || (ldap_info->auth_type!=LDAP_AUTH_SASL) ){
|
|
|
|
|
goto this_was_not_sasl;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tcp_dissect_pdus(tvb, pinfo, tree, ldap_desegment, 4, get_sasl_ldap_pdu_len, dissect_sasl_ldap_pdu, data);
|
|
|
|
|
return tvb_captured_length(tvb);
|
2006-08-20 06:00:16 +00:00
|
|
|
|
|
|
|
|
this_was_not_sasl:
|
2015-11-27 22:06:01 +00:00
|
|
|
/* check if it is a normal BER encoded LDAP packet
|
|
|
|
|
* i.e. first byte is 0x30 followed by a length that is
|
|
|
|
|
* <64k
|
|
|
|
|
* (no ldap PDUs are ever >64kb? )
|
|
|
|
|
*/
|
|
|
|
|
if(tvb_get_guint8(tvb, 0)!=0x30){
|
|
|
|
|
goto this_was_not_normal_ldap;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* check that length makes sense */
|
|
|
|
|
get_ber_length(tvb, 1, &ldap_len, &ind);
|
|
|
|
|
|
|
|
|
|
/* don't check ind since indefinite length is never used for ldap (famous last words)*/
|
|
|
|
|
if(ldap_len<2){
|
|
|
|
|
goto this_was_not_normal_ldap;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The minimun size of a LDAP pdu is 7 bytes
|
|
|
|
|
*
|
|
|
|
|
* dumpasn1 -hh ldap-unbind-min.dat
|
|
|
|
|
*
|
|
|
|
|
* <30 05 02 01 09 42 00>
|
|
|
|
|
* 0 5: SEQUENCE {
|
|
|
|
|
* <02 01 09>
|
|
|
|
|
* 2 1: INTEGER 9
|
|
|
|
|
* <42 00>
|
|
|
|
|
* 5 0: [APPLICATION 2]
|
|
|
|
|
* : Error: Object has zero length.
|
|
|
|
|
* : }
|
|
|
|
|
*
|
|
|
|
|
* dumpasn1 -hh ldap-unbind-windows.dat
|
|
|
|
|
*
|
|
|
|
|
* <30 84 00 00 00 05 02 01 09 42 00>
|
|
|
|
|
* 0 5: SEQUENCE {
|
|
|
|
|
* <02 01 09>
|
|
|
|
|
* 6 1: INTEGER 9
|
|
|
|
|
* <42 00>
|
|
|
|
|
* 9 0: [APPLICATION 2]
|
|
|
|
|
* : Error: Object has zero length.
|
|
|
|
|
* : }
|
|
|
|
|
*
|
|
|
|
|
* 6 bytes would also be ok to get the full length of
|
|
|
|
|
* the pdu, but as the smallest pdu can be 7 bytes
|
|
|
|
|
* we can use 7.
|
|
|
|
|
*/
|
|
|
|
|
tcp_dissect_pdus(tvb, pinfo, tree, ldap_desegment, 7, get_normal_ldap_pdu_len, dissect_normal_ldap_pdu, data);
|
|
|
|
|
|
|
|
|
|
goto end;
|
2006-08-20 06:00:16 +00:00
|
|
|
|
|
|
|
|
this_was_not_normal_ldap:
|
|
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
/* Ok it might be a strange case of SASL still
|
|
|
|
|
* It has been seen with Exchange setup to MS AD
|
|
|
|
|
* when Exchange pretend that there is SASL but in fact data are still
|
|
|
|
|
* in clear*/
|
|
|
|
|
if ((sasl_len + 4) == (guint32)tvb_reported_length_remaining(tvb, 0))
|
|
|
|
|
tcp_dissect_pdus(tvb, pinfo, tree, ldap_desegment, 4, get_sasl_ldap_pdu_len, dissect_sasl_ldap_pdu, data);
|
2008-01-13 14:12:47 +00:00
|
|
|
end:
|
2015-11-27 22:06:01 +00:00
|
|
|
return tvb_captured_length(tvb);
|
2005-12-09 16:46:24 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-24 23:03:04 +00:00
|
|
|
static int
|
|
|
|
|
dissect_mscldap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
|
2005-12-09 16:46:24 +00:00
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
dissect_ldap_pdu(tvb, pinfo, tree, TRUE);
|
|
|
|
|
return tvb_captured_length(tvb);
|
2005-12-09 16:46:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*--- proto_register_ldap -------------------------------------------*/
|
|
|
|
|
void proto_register_ldap(void) {
|
|
|
|
|
|
|
|
|
|
/* List of fields */
|
|
|
|
|
|
|
|
|
|
static hf_register_info hf[] = {
|
|
|
|
|
|
2009-06-22 05:35:47 +00:00
|
|
|
{ &hf_ldap_sasl_buffer_length,
|
|
|
|
|
{ "SASL Buffer Length", "ldap.sasl_buffer_length",
|
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
|
NULL, HFILL }},
|
|
|
|
|
{ &hf_ldap_response_in,
|
|
|
|
|
{ "Response In", "ldap.response_in",
|
2009-07-07 09:02:59 +00:00
|
|
|
FT_FRAMENUM, BASE_NONE, NULL, 0x0,
|
2009-06-22 05:35:47 +00:00
|
|
|
"The response to this LDAP request is in this frame", HFILL }},
|
|
|
|
|
{ &hf_ldap_response_to,
|
|
|
|
|
{ "Response To", "ldap.response_to",
|
2009-07-07 09:02:59 +00:00
|
|
|
FT_FRAMENUM, BASE_NONE, NULL, 0x0,
|
2009-06-22 05:35:47 +00:00
|
|
|
"This is a response to the LDAP request in this frame", HFILL }},
|
|
|
|
|
{ &hf_ldap_time,
|
|
|
|
|
{ "Time", "ldap.time",
|
|
|
|
|
FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
|
|
|
|
|
"The time between the Call and the Reply", HFILL }},
|
2006-05-08 17:52:42 +00:00
|
|
|
|
2011-01-06 22:24:10 +00:00
|
|
|
{ &hf_mscldap_netlogon_opcode,
|
|
|
|
|
{ "Operation code", "mscldap.netlogon.opcode",
|
|
|
|
|
FT_UINT16, BASE_DEC, VALS(netlogon_opcode_vals), 0x0,
|
|
|
|
|
"LDAP ping operation code", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
2008-08-06 06:53:04 +00:00
|
|
|
{ &hf_mscldap_netlogon_ipaddress_family,
|
|
|
|
|
{ "Family", "mscldap.netlogon.ipaddress.family",
|
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
2009-06-22 05:35:47 +00:00
|
|
|
NULL, HFILL }},
|
2008-08-06 06:53:04 +00:00
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_ipaddress_ipv4,
|
|
|
|
|
{ "IPv4", "mscldap.netlogon.ipaddress.ipv4",
|
2009-07-05 11:49:36 +00:00
|
|
|
FT_IPv4, BASE_NONE, NULL, 0x0,
|
2008-08-06 06:53:04 +00:00
|
|
|
"IP Address", HFILL }},
|
|
|
|
|
|
2009-06-22 05:35:47 +00:00
|
|
|
{ &hf_mscldap_netlogon_ipaddress_port,
|
2008-08-06 06:53:04 +00:00
|
|
|
{ "Port", "mscldap.netlogon.ipaddress.port",
|
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
2009-06-22 05:35:47 +00:00
|
|
|
NULL, HFILL }},
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2009-06-22 05:35:47 +00:00
|
|
|
{ &hf_mscldap_netlogon_ipaddress,
|
2008-08-06 06:53:04 +00:00
|
|
|
{ "IP Address","mscldap.netlogon.ipaddress",
|
2009-06-22 05:35:47 +00:00
|
|
|
FT_IPv4, BASE_NONE, NULL, 0x0,
|
2009-07-05 11:49:36 +00:00
|
|
|
"Domain Controller IP Address", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_lm_token,
|
|
|
|
|
{ "LM Token", "mscldap.netlogon.lm_token",
|
|
|
|
|
FT_UINT16, BASE_HEX, NULL, 0x0,
|
2011-01-06 18:50:39 +00:00
|
|
|
"MUST be set to 0xFFFF", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_nt_token,
|
|
|
|
|
{ "NT Token", "mscldap.netlogon.nt_token",
|
|
|
|
|
FT_UINT16, BASE_HEX, NULL, 0x0,
|
2011-01-06 18:50:39 +00:00
|
|
|
"MUST be set to 0xFFFF", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_flags,
|
|
|
|
|
{ "Flags", "mscldap.netlogon.flags",
|
|
|
|
|
FT_UINT32, BASE_HEX, NULL, 0x0,
|
|
|
|
|
"Netlogon flags describing the DC properties", HFILL }},
|
2009-10-09 21:41:06 +00:00
|
|
|
|
2009-06-22 05:35:47 +00:00
|
|
|
{ &hf_mscldap_ntver_flags,
|
2011-01-06 18:50:39 +00:00
|
|
|
{ "Version Flags", "mscldap.ntver.flags",
|
2008-08-06 06:53:04 +00:00
|
|
|
FT_UINT32, BASE_HEX, NULL, 0x0,
|
2011-01-06 18:50:39 +00:00
|
|
|
"NETLOGON_NT_VERSION Options Bits", HFILL }},
|
2009-10-09 21:41:06 +00:00
|
|
|
|
2009-06-22 05:35:47 +00:00
|
|
|
{ &hf_mscldap_domain_guid,
|
2006-05-02 05:35:55 +00:00
|
|
|
{ "Domain GUID", "mscldap.domain.guid",
|
2011-01-06 22:24:10 +00:00
|
|
|
FT_GUID, BASE_NONE, NULL, 0x0,
|
|
|
|
|
"Value of the NC's GUID attribute", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
|
|
|
|
{ &hf_mscldap_forest,
|
|
|
|
|
{ "Forest", "mscldap.forest",
|
|
|
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
2011-01-06 22:24:10 +00:00
|
|
|
"DNS name of the forest", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
|
|
|
|
{ &hf_mscldap_domain,
|
|
|
|
|
{ "Domain", "mscldap.domain",
|
|
|
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
2011-01-06 22:24:10 +00:00
|
|
|
"DNS name of the NC", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
|
|
|
|
{ &hf_mscldap_hostname,
|
|
|
|
|
{ "Hostname", "mscldap.hostname",
|
|
|
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
2011-01-06 22:24:10 +00:00
|
|
|
"DNS name of server", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
|
|
|
|
{ &hf_mscldap_nb_domain,
|
2011-01-06 18:50:39 +00:00
|
|
|
{ "NetBIOS Domain", "mscldap.nb_domain",
|
2006-05-02 05:35:55 +00:00
|
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
2011-01-06 22:24:10 +00:00
|
|
|
"NetBIOS name of the NC", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
|
|
|
|
{ &hf_mscldap_nb_hostname,
|
2011-01-06 18:50:39 +00:00
|
|
|
{ "NetBIOS Hostname", "mscldap.nb_hostname",
|
2006-05-02 05:35:55 +00:00
|
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
2011-01-06 22:24:10 +00:00
|
|
|
"NetBIOS name of the server", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
|
|
|
|
{ &hf_mscldap_username,
|
2008-08-06 06:53:04 +00:00
|
|
|
{ "Username", "mscldap.username",
|
2006-05-02 05:35:55 +00:00
|
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
2011-01-06 22:24:10 +00:00
|
|
|
"User specified in client's request", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
|
|
|
|
{ &hf_mscldap_sitename,
|
2011-01-06 22:24:10 +00:00
|
|
|
{ "Server Site", "mscldap.sitename",
|
2006-05-02 05:35:55 +00:00
|
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
2011-01-06 22:24:10 +00:00
|
|
|
"Site name of the server", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
|
|
|
|
{ &hf_mscldap_clientsitename,
|
|
|
|
|
{ "Client Site", "mscldap.clientsitename",
|
|
|
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
2011-01-06 22:24:10 +00:00
|
|
|
"Site name of the client", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
2006-08-07 10:19:37 +00:00
|
|
|
{ &hf_ldap_sid,
|
|
|
|
|
{ "Sid", "ldap.sid",
|
|
|
|
|
FT_STRING, BASE_NONE, NULL, 0x0,
|
2009-06-22 05:35:47 +00:00
|
|
|
NULL, HFILL }},
|
2006-08-07 10:19:37 +00:00
|
|
|
|
2011-01-06 18:08:14 +00:00
|
|
|
{ &hf_mscldap_ntver_flags_v1,
|
|
|
|
|
{ "V1", "mscldap.ntver.searchflags.v1", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ntver_v1), 0x00000001, "See section 7.3.1.1 of MS-ADTS specification", HFILL }},
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2011-01-06 18:08:14 +00:00
|
|
|
{ &hf_mscldap_ntver_flags_v5,
|
|
|
|
|
{ "V5", "mscldap.ntver.searchflags.v5", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ntver_v5), 0x00000002, "See section 7.3.1.1 of MS-ADTS specification", HFILL }},
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2009-06-22 05:35:47 +00:00
|
|
|
{ &hf_mscldap_ntver_flags_v5ex,
|
2008-08-06 06:53:04 +00:00
|
|
|
{ "V5EX", "mscldap.ntver.searchflags.v5ex", FT_BOOLEAN, 32,
|
2011-01-06 18:08:14 +00:00
|
|
|
TFS(&tfs_ntver_v5ex), 0x00000004, "See section 7.3.1.1 of MS-ADTS specification", HFILL }},
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2011-01-06 18:08:14 +00:00
|
|
|
{ &hf_mscldap_ntver_flags_v5ep,
|
|
|
|
|
{ "V5EP", "mscldap.ntver.searchflags.v5ep", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ntver_v5ep), 0x00000008, "See section 7.3.1.1 of MS-ADTS specification", HFILL }},
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2011-01-06 18:08:14 +00:00
|
|
|
{ &hf_mscldap_ntver_flags_vcs,
|
|
|
|
|
{ "VCS", "mscldap.ntver.searchflags.vcs", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ntver_vcs), 0x00000010, "See section 7.3.1.1 of MS-ADTS specification", HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_mscldap_ntver_flags_vnt4,
|
|
|
|
|
{ "VNT4", "mscldap.ntver.searchflags.vnt4", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ntver_vnt4), 0x01000000, "See section 7.3.1.1 of MS-ADTS specification", HFILL }},
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2011-01-06 18:08:14 +00:00
|
|
|
{ &hf_mscldap_ntver_flags_vpdc,
|
|
|
|
|
{ "VPDC", "mscldap.ntver.searchflags.vpdc", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ntver_vpdc), 0x10000000, "See section 7.3.1.1 of MS-ADTS specification", HFILL }},
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2011-01-06 18:08:14 +00:00
|
|
|
{ &hf_mscldap_ntver_flags_vip,
|
|
|
|
|
{ "VIP", "mscldap.ntver.searchflags.vip", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ntver_vip), 0x20000000, "See section 7.3.1.1 of MS-ADTS specification", HFILL }},
|
2008-08-06 06:53:04 +00:00
|
|
|
|
2011-01-06 18:08:14 +00:00
|
|
|
{ &hf_mscldap_ntver_flags_vl,
|
|
|
|
|
{ "VL", "mscldap.ntver.searchflags.vl", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ntver_vl), 0x40000000, "See section 7.3.1.1 of MS-ADTS specification", HFILL }},
|
2009-10-09 21:41:06 +00:00
|
|
|
|
2011-01-06 18:08:14 +00:00
|
|
|
{ &hf_mscldap_ntver_flags_vgc,
|
|
|
|
|
{ "VGC", "mscldap.ntver.searchflags.vgc", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ntver_vgc), 0x80000000, "See section 7.3.1.1 of MS-ADTS specification", HFILL }},
|
2008-08-06 06:53:04 +00:00
|
|
|
|
|
|
|
|
|
2009-06-22 05:35:47 +00:00
|
|
|
{ &hf_mscldap_netlogon_flags_pdc,
|
2006-05-02 05:35:55 +00:00
|
|
|
{ "PDC", "mscldap.netlogon.flags.pdc", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ads_pdc), 0x00000001, "Is this DC a PDC or not?", HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_flags_gc,
|
|
|
|
|
{ "GC", "mscldap.netlogon.flags.gc", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ads_gc), 0x00000004, "Does this dc service as a GLOBAL CATALOGUE?", HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_flags_ldap,
|
|
|
|
|
{ "LDAP", "mscldap.netlogon.flags.ldap", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ads_ldap), 0x00000008, "Does this DC act as an LDAP server?", HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_flags_ds,
|
|
|
|
|
{ "DS", "mscldap.netlogon.flags.ds", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ads_ds), 0x00000010, "Does this dc provide DS services?", HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_flags_kdc,
|
|
|
|
|
{ "KDC", "mscldap.netlogon.flags.kdc", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ads_kdc), 0x00000020, "Does this dc act as a KDC?", HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_flags_timeserv,
|
|
|
|
|
{ "Time Serv", "mscldap.netlogon.flags.timeserv", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ads_timeserv), 0x00000040, "Does this dc provide time services (ntp) ?", HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_flags_closest,
|
|
|
|
|
{ "Closest", "mscldap.netlogon.flags.closest", FT_BOOLEAN, 32,
|
2008-08-06 06:53:04 +00:00
|
|
|
TFS(&tfs_ads_closest), 0x00000080, "Is this the closest dc?", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_flags_writable,
|
|
|
|
|
{ "Writable", "mscldap.netlogon.flags.writable", FT_BOOLEAN, 32,
|
2008-08-06 06:53:04 +00:00
|
|
|
TFS(&tfs_ads_writable), 0x00000100, "Is this dc writable?", HFILL }},
|
2006-05-02 05:35:55 +00:00
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_flags_good_timeserv,
|
|
|
|
|
{ "Good Time Serv", "mscldap.netlogon.flags.good_timeserv", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ads_good_timeserv), 0x00000200, "Is this a Good Time Server? (i.e. does it have a hardware clock)", HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_flags_ndnc,
|
|
|
|
|
{ "NDNC", "mscldap.netlogon.flags.ndnc", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ads_ndnc), 0x00000400, "Is this an NDNC dc?", HFILL }},
|
|
|
|
|
|
2009-06-22 05:35:47 +00:00
|
|
|
{ &hf_mscldap_netlogon_flags_rodc,
|
2008-08-06 06:53:04 +00:00
|
|
|
{ "RODC", "mscldap.netlogon.flags.rodc", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ads_rodc), 0x00000800, "Is this an read only dc?", HFILL }},
|
|
|
|
|
|
2009-06-22 05:35:47 +00:00
|
|
|
{ &hf_mscldap_netlogon_flags_wdc,
|
2018-04-16 13:36:41 +00:00
|
|
|
{ "WDC", "mscldap.netlogon.flags.writabledc", FT_BOOLEAN, 32,
|
2008-08-06 06:53:04 +00:00
|
|
|
TFS(&tfs_ads_wdc), 0x00001000, "Is this an writable dc (Windows 2008)?", HFILL }},
|
|
|
|
|
|
2009-06-22 05:35:47 +00:00
|
|
|
{ &hf_mscldap_netlogon_flags_dns,
|
2008-08-06 06:53:04 +00:00
|
|
|
{ "DNS", "mscldap.netlogon.flags.dnsname", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ads_dns), 0x20000000, "Does the server have a dns name (Windows 2008)?", HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_flags_dnc,
|
|
|
|
|
{ "DNC", "mscldap.netlogon.flags.defaultnc", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ads_dnc), 0x40000000, "Is this the default NC (Windows 2008)?", HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_mscldap_netlogon_flags_fnc,
|
|
|
|
|
{ "FDC", "mscldap.netlogon.flags.forestnc", FT_BOOLEAN, 32,
|
|
|
|
|
TFS(&tfs_ads_fnc), 0x80000000, "Is the the NC the default forest root(Windows 2008)?", HFILL }},
|
|
|
|
|
|
2006-07-12 09:02:00 +00:00
|
|
|
{ &hf_ldap_guid,
|
|
|
|
|
{ "GUID", "ldap.guid", FT_GUID, BASE_NONE,
|
2009-06-22 05:35:47 +00:00
|
|
|
NULL, 0, NULL, HFILL }},
|
2006-07-12 09:02:00 +00:00
|
|
|
|
2009-10-09 21:41:06 +00:00
|
|
|
{ &hf_ldap_AccessMask_ADS_CREATE_CHILD,
|
2014-08-08 13:19:29 +00:00
|
|
|
{ "Ads Create Child", "ldap.AccessMask.ADS_CREATE_CHILD", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_CREATE_CHILD, NULL, HFILL }},
|
2006-08-11 07:59:58 +00:00
|
|
|
|
2009-10-09 21:41:06 +00:00
|
|
|
{ &hf_ldap_AccessMask_ADS_DELETE_CHILD,
|
2014-08-08 13:19:29 +00:00
|
|
|
{ "Ads Delete Child", "ldap.AccessMask.ADS_DELETE_CHILD", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_DELETE_CHILD, NULL, HFILL }},
|
2006-08-11 07:59:58 +00:00
|
|
|
|
2009-10-09 21:41:06 +00:00
|
|
|
{ &hf_ldap_AccessMask_ADS_LIST,
|
2014-08-08 13:19:29 +00:00
|
|
|
{ "Ads List", "ldap.AccessMask.ADS_LIST", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_LIST, NULL, HFILL }},
|
2006-08-11 07:59:58 +00:00
|
|
|
|
2009-10-09 21:41:06 +00:00
|
|
|
{ &hf_ldap_AccessMask_ADS_SELF_WRITE,
|
2014-08-08 13:19:29 +00:00
|
|
|
{ "Ads Self Write", "ldap.AccessMask.ADS_SELF_WRITE", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_SELF_WRITE, NULL, HFILL }},
|
2006-08-11 07:59:58 +00:00
|
|
|
|
2009-10-09 21:41:06 +00:00
|
|
|
{ &hf_ldap_AccessMask_ADS_READ_PROP,
|
2014-08-08 13:19:29 +00:00
|
|
|
{ "Ads Read Prop", "ldap.AccessMask.ADS_READ_PROP", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_READ_PROP, NULL, HFILL }},
|
2006-08-11 07:59:58 +00:00
|
|
|
|
2009-10-09 21:41:06 +00:00
|
|
|
{ &hf_ldap_AccessMask_ADS_WRITE_PROP,
|
2014-08-08 13:19:29 +00:00
|
|
|
{ "Ads Write Prop", "ldap.AccessMask.ADS_WRITE_PROP", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_WRITE_PROP, NULL, HFILL }},
|
2006-08-11 07:59:58 +00:00
|
|
|
|
2009-10-09 21:41:06 +00:00
|
|
|
{ &hf_ldap_AccessMask_ADS_DELETE_TREE,
|
2014-08-08 13:19:29 +00:00
|
|
|
{ "Ads Delete Tree", "ldap.AccessMask.ADS_DELETE_TREE", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_DELETE_TREE, NULL, HFILL }},
|
2006-08-11 07:59:58 +00:00
|
|
|
|
2009-10-09 21:41:06 +00:00
|
|
|
{ &hf_ldap_AccessMask_ADS_LIST_OBJECT,
|
2014-08-08 13:19:29 +00:00
|
|
|
{ "Ads List Object", "ldap.AccessMask.ADS_LIST_OBJECT", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_LIST_OBJECT, NULL, HFILL }},
|
2006-08-11 07:59:58 +00:00
|
|
|
|
2009-10-09 21:41:06 +00:00
|
|
|
{ &hf_ldap_AccessMask_ADS_CONTROL_ACCESS,
|
2014-08-08 13:19:29 +00:00
|
|
|
{ "Ads Control Access", "ldap.AccessMask.ADS_CONTROL_ACCESS", FT_BOOLEAN, 32, TFS(&tfs_set_notset), LDAP_ACCESSMASK_ADS_CONTROL_ACCESS, NULL, HFILL }},
|
2006-08-11 07:59:58 +00:00
|
|
|
|
2013-11-08 02:02:43 +00:00
|
|
|
{ &hf_ldap_LDAPMessage_PDU,
|
|
|
|
|
{ "LDAPMessage", "ldap.LDAPMessage_element", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
|
|
|
|
|
|
2014-08-08 13:19:29 +00:00
|
|
|
{ &hf_ldap_object_security_flag,
|
|
|
|
|
{ "Flag Object_Security", "ldap.object_security_flag", FT_BOOLEAN, 32, NULL, 0x00000001, NULL, HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_ldap_ancestor_first_flag,
|
|
|
|
|
{ "Flag Ancestor_First", "ldap.ancestor_first_flag", FT_BOOLEAN, 32, NULL, 0x00000800, NULL, HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_ldap_public_data_only_flag,
|
|
|
|
|
{ "Flag Public_Data_Only", "ldap.public_data_only_flag", FT_BOOLEAN, 32, NULL, 0x00002000, NULL, HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_ldap_incremental_value_flag,
|
|
|
|
|
{ "Flag Incremental_Value", "ldap.incremental_value_flag", FT_BOOLEAN, 32, NULL, 0x80000000, NULL, HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_ldap_oid,
|
|
|
|
|
{ "OID", "ldap.oid", FT_STRING, BASE_NONE,
|
|
|
|
|
NULL, 0, NULL, HFILL }},
|
|
|
|
|
|
|
|
|
|
{ &hf_ldap_gssapi_encrypted_payload,
|
|
|
|
|
{ "GSS-API Encrypted payload", "ldap.gssapi_encrypted_payload", FT_BYTES, BASE_NONE,
|
|
|
|
|
NULL, 0, NULL, HFILL }},
|
|
|
|
|
|
2005-12-09 16:46:24 +00:00
|
|
|
#include "packet-ldap-hfarr.c"
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* List of subtrees */
|
|
|
|
|
static gint *ett[] = {
|
2006-05-08 17:52:42 +00:00
|
|
|
&ett_ldap,
|
|
|
|
|
&ett_ldap_payload,
|
2005-12-09 16:46:24 +00:00
|
|
|
&ett_ldap_sasl_blob,
|
2006-05-08 17:52:42 +00:00
|
|
|
&ett_ldap_msg,
|
2006-05-02 05:35:55 +00:00
|
|
|
&ett_mscldap_netlogon_flags,
|
2011-01-06 18:08:14 +00:00
|
|
|
&ett_mscldap_ntver_flags,
|
|
|
|
|
&ett_mscldap_ipdetails,
|
2015-11-27 22:06:01 +00:00
|
|
|
&ett_ldap_DirSyncFlagsSubEntry,
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
#include "packet-ldap-ettarr.c"
|
|
|
|
|
};
|
2012-03-30 09:08:55 +00:00
|
|
|
/* UAT for header fields */
|
|
|
|
|
static uat_field_t custom_attribute_types_uat_fields[] = {
|
|
|
|
|
UAT_FLD_CSTRING(attribute_types, attribute_type, "Attribute type", "Attribute type"),
|
|
|
|
|
UAT_FLD_CSTRING(attribute_types, attribute_desc, "Description", "Description of the value matching type"),
|
|
|
|
|
UAT_END_FIELDS
|
|
|
|
|
};
|
2005-12-09 16:46:24 +00:00
|
|
|
|
2013-06-03 03:42:36 +00:00
|
|
|
static ei_register_info ei[] = {
|
|
|
|
|
{ &ei_ldap_exceeded_filter_length, { "ldap.exceeded_filter_length", PI_UNDECODED, PI_ERROR, "Filter length exceeds number. Giving up", EXPFILL }},
|
|
|
|
|
{ &ei_ldap_too_many_filter_elements, { "ldap.too_many_filter_elements", PI_UNDECODED, PI_ERROR, "Found more than %%u filter elements. Giving up.", EXPFILL }},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
expert_module_t* expert_ldap;
|
2012-03-30 09:08:55 +00:00
|
|
|
module_t *ldap_module;
|
|
|
|
|
uat_t *attributes_uat;
|
2013-02-26 04:42:26 +00:00
|
|
|
|
2005-12-09 16:46:24 +00:00
|
|
|
/* Register protocol */
|
|
|
|
|
proto_ldap = proto_register_protocol(PNAME, PSNAME, PFNAME);
|
|
|
|
|
/* Register fields and subtrees */
|
|
|
|
|
proto_register_field_array(proto_ldap, hf, array_length(hf));
|
|
|
|
|
proto_register_subtree_array(ett, array_length(ett));
|
2013-06-03 03:42:36 +00:00
|
|
|
expert_ldap = expert_register_protocol(proto_ldap);
|
|
|
|
|
expert_register_field_array(expert_ldap, ei, array_length(ei));
|
2006-04-30 07:23:42 +00:00
|
|
|
|
2016-07-01 00:41:45 +00:00
|
|
|
ldap_handle = register_dissector("ldap", dissect_ldap_tcp, proto_ldap);
|
2005-12-09 16:46:24 +00:00
|
|
|
|
2008-01-26 10:12:22 +00:00
|
|
|
ldap_module = prefs_register_protocol(proto_ldap, prefs_register_ldap);
|
2005-12-09 16:46:24 +00:00
|
|
|
prefs_register_bool_preference(ldap_module, "desegment_ldap_messages",
|
|
|
|
|
"Reassemble LDAP messages spanning multiple TCP segments",
|
|
|
|
|
"Whether the LDAP dissector should reassemble messages spanning multiple TCP segments."
|
2008-11-06 19:41:38 +00:00
|
|
|
" To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
|
2005-12-09 16:46:24 +00:00
|
|
|
&ldap_desegment);
|
|
|
|
|
|
2018-09-13 15:40:27 +00:00
|
|
|
prefs_register_uint_preference(ldap_module, "tls.port", "LDAPS TCP Port",
|
|
|
|
|
"Set the port for LDAP operations over TLS",
|
2015-11-27 22:06:01 +00:00
|
|
|
10, &global_ldaps_tcp_port);
|
2018-09-25 16:23:09 +00:00
|
|
|
prefs_register_obsolete_preference(ldap_module, "ssl.port");
|
2012-03-30 09:08:55 +00:00
|
|
|
/* UAT */
|
2012-03-30 12:45:43 +00:00
|
|
|
attributes_uat = uat_new("Custom LDAP AttributeValue types",
|
2012-03-30 09:08:55 +00:00
|
|
|
sizeof(attribute_type_t),
|
|
|
|
|
"custom_ldap_attribute_types",
|
|
|
|
|
TRUE,
|
2014-02-03 10:02:43 +00:00
|
|
|
&attribute_types,
|
2012-03-30 09:08:55 +00:00
|
|
|
&num_attribute_types,
|
UATs could be put into "categories". The categories were defined only
implicitly by the #define name and string they were defined to; not all
UATs neatly fit into any of the categories, so some of them were put
into categories that weren't obviously correct for them, and one - the
display filter macro UAT - wasn't put into any category at all (which
caused crashes when editing them, as the GUI code that handled UAT
changes from a dialog assumed the category field was non-null).
The category was, in practice, used only to decide, in the
aforementioned GUI code, whether the packet summary pane needed to be
updated or not. It also offered no option of "don't update the packet
summary pane *and* don't redissect anything", which is what would be
appropriate for the display filter macro UAT.
Replace the category with a set of fields indicating what the UAT
affects; we currently offer "dissection", which applies to most UATs
(any UAT in libwireshark presumably affects dissection at a minimum) and
"the set of named fields that exist". Changing any UAT that affects
dissection requires a redissection; changing any UAT that affects the
set of named fields that exist requires a redissection *and* rebuilding
the packet summary pane.
Perhaps we also need "filtering", so that if you change a display filter
macro, we re-filter, in case the display is currently filtered with a
display filter that uses a macro that changed.
svn path=/trunk/; revision=43603
2012-07-08 01:00:46 +00:00
|
|
|
/* specifies named fields, so affects dissection
|
|
|
|
|
and the set of named fields */
|
|
|
|
|
UAT_AFFECTS_DISSECTION|UAT_AFFECTS_FIELDS,
|
2012-03-30 09:08:55 +00:00
|
|
|
NULL,
|
|
|
|
|
attribute_types_copy_cb,
|
|
|
|
|
attribute_types_update_cb,
|
|
|
|
|
attribute_types_free_cb,
|
2018-05-30 07:00:16 +00:00
|
|
|
attribute_types_post_update_cb,
|
|
|
|
|
attribute_types_reset_cb,
|
2012-03-30 09:08:55 +00:00
|
|
|
custom_attribute_types_uat_fields);
|
|
|
|
|
|
|
|
|
|
prefs_register_uat_preference(ldap_module, "custom_ldap_attribute_types",
|
|
|
|
|
"Custom AttributeValue types",
|
|
|
|
|
"A table to define custom LDAP attribute type values for which fields can be setup and used for filtering/data extraction etc.",
|
|
|
|
|
attributes_uat);
|
2006-04-30 07:23:42 +00:00
|
|
|
|
2006-11-06 11:41:02 +00:00
|
|
|
prefs_register_obsolete_preference(ldap_module, "max_pdu");
|
|
|
|
|
|
2005-12-09 16:46:24 +00:00
|
|
|
proto_cldap = proto_register_protocol(
|
2015-11-27 22:06:01 +00:00
|
|
|
"Connectionless Lightweight Directory Access Protocol",
|
|
|
|
|
"CLDAP", "cldap");
|
2005-12-09 16:46:24 +00:00
|
|
|
|
|
|
|
|
ldap_tap=register_tap("ldap");
|
|
|
|
|
|
2016-08-30 22:51:54 +00:00
|
|
|
ldap_name_dissector_table = register_dissector_table("ldap.name", "LDAP Attribute Type Dissectors", proto_cldap, FT_STRING, BASE_NONE);
|
2006-05-08 17:52:42 +00:00
|
|
|
|
Further refactor SRT stats.
Create "common" SRT tap data collection intended for all GUIs. Refactor/merge functionality of existing dissectors that have SRT support (AFP, DCERPC, Diameter, FC, GTP, LDAP, NCP, RPC, SCIS, SMB, and SMB2) for both TShark and GTK.
SMB and DCERPC "tap packet filtering" were different between TShark and GTK, so I went with GTK filter logic.
CAMEL "tap packet filtering" was different between TShark and GTK, so GTK filtering logic was pushed to the dissector and the TShark tap was left alone.
Change-Id: I7d6eaad0673fe628ef337f9165d7ed94f4a5e1cc
Reviewed-on: https://code.wireshark.org/review/8894
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-06-16 21:07:04 +00:00
|
|
|
register_srt_table(proto_ldap, NULL, 1, ldapstat_packet, ldapstat_init, NULL);
|
2005-12-09 16:46:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*--- proto_reg_handoff_ldap ---------------------------------------*/
|
|
|
|
|
void
|
|
|
|
|
proto_reg_handoff_ldap(void)
|
|
|
|
|
{
|
2015-11-27 22:06:01 +00:00
|
|
|
dissector_handle_t cldap_handle;
|
2006-04-30 07:23:42 +00:00
|
|
|
|
2015-12-09 02:06:20 +00:00
|
|
|
cldap_handle = create_dissector_handle(dissect_mscldap, proto_cldap);
|
2016-10-05 20:33:54 +00:00
|
|
|
dissector_add_uint_with_preference("udp.port", UDP_PORT_CLDAP, cldap_handle);
|
2005-12-09 16:46:24 +00:00
|
|
|
|
2016-03-16 13:02:52 +00:00
|
|
|
gssapi_handle = find_dissector_add_dependency("gssapi", proto_ldap);
|
|
|
|
|
gssapi_wrap_handle = find_dissector_add_dependency("gssapi_verf", proto_ldap);
|
|
|
|
|
spnego_handle = find_dissector_add_dependency("spnego", proto_ldap);
|
2005-12-09 16:46:24 +00:00
|
|
|
|
2016-03-16 13:02:52 +00:00
|
|
|
ntlmssp_handle = find_dissector_add_dependency("ntlmssp", proto_ldap);
|
2006-10-11 08:18:14 +00:00
|
|
|
|
2018-09-13 15:40:27 +00:00
|
|
|
tls_handle = find_dissector_add_dependency("tls", proto_ldap);
|
2008-01-13 14:12:47 +00:00
|
|
|
|
2015-11-27 22:06:01 +00:00
|
|
|
prefs_register_ldap();
|
2008-11-12 23:55:52 +00:00
|
|
|
|
2017-03-10 11:49:54 +00:00
|
|
|
oid_add_from_string("ISO assigned OIDs, USA", "1.2.840");
|
|
|
|
|
|
2006-02-21 18:56:25 +00:00
|
|
|
/* http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dsml/dsml/ldap_controls_and_session_support.asp */
|
2015-11-27 22:06:01 +00:00
|
|
|
oid_add_from_string("LDAP_PAGED_RESULT_OID_STRING","1.2.840.113556.1.4.319");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_SHOW_DELETED_OID","1.2.840.113556.1.4.417");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_SORT_OID","1.2.840.113556.1.4.473");
|
|
|
|
|
oid_add_from_string("LDAP_CONTROL_SORT_RESP_OID","1.2.840.113556.1.4.474");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID","1.2.840.113556.1.4.521");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_NOTIFICATION_OID","1.2.840.113556.1.4.528");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_EXTENDED_DN_OID","1.2.840.113556.1.4.529");
|
|
|
|
|
oid_add_from_string("meetingAdvertiseScope","1.2.840.113556.1.4.582");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_LAZY_COMMIT_OID","1.2.840.113556.1.4.619");
|
|
|
|
|
oid_add_from_string("mhsORAddress","1.2.840.113556.1.4.650");
|
|
|
|
|
oid_add_from_string("managedObjects","1.2.840.113556.1.4.654");
|
|
|
|
|
oid_add_from_string("LDAP_CAP_ACTIVE_DIRECTORY_OID","1.2.840.113556.1.4.800");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_SD_FLAGS_OID","1.2.840.113556.1.4.801");
|
|
|
|
|
oid_add_from_string("LDAP_OID_COMPARATOR_OR","1.2.840.113556.1.4.804");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_TREE_DELETE_OID","1.2.840.113556.1.4.805");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_DIRSYNC_OID","1.2.840.113556.1.4.841");
|
|
|
|
|
oid_add_from_string("None","1.2.840.113556.1.4.970");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_VERIFY_NAME_OID","1.2.840.113556.1.4.1338");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_DOMAIN_SCOPE_OID","1.2.840.113556.1.4.1339");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_SEARCH_OPTIONS_OID","1.2.840.113556.1.4.1340");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_PERMISSIVE_MODIFY_OID","1.2.840.113556.1.4.1413");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_ASQ_OID","1.2.840.113556.1.4.1504");
|
|
|
|
|
oid_add_from_string("LDAP_CAP_ACTIVE_DIRECTORY_V51_OID","1.2.840.113556.1.4.1670");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_FAST_BIND_OID","1.2.840.113556.1.4.1781");
|
|
|
|
|
oid_add_from_string("LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID","1.2.840.113556.1.4.1791");
|
|
|
|
|
oid_add_from_string("msDS-ObjectReference","1.2.840.113556.1.4.1840");
|
|
|
|
|
oid_add_from_string("msDS-QuotaEffective","1.2.840.113556.1.4.1848");
|
|
|
|
|
oid_add_from_string("LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID","1.2.840.113556.1.4.1851");
|
|
|
|
|
oid_add_from_string("msDS-PortSSL","1.2.840.113556.1.4.1860");
|
|
|
|
|
oid_add_from_string("msDS-isRODC","1.2.840.113556.1.4.1960");
|
|
|
|
|
oid_add_from_string("msDS-SDReferenceDomain","1.2.840.113556.1.4.1711");
|
|
|
|
|
oid_add_from_string("msDS-AdditionalDnsHostName","1.2.840.113556.1.4.1717");
|
|
|
|
|
oid_add_from_string("None","1.3.6.1.4.1.1466.101.119.1");
|
|
|
|
|
oid_add_from_string("LDAP_START_TLS_OID","1.3.6.1.4.1.1466.20037");
|
|
|
|
|
|
2017-03-10 11:49:54 +00:00
|
|
|
oid_add_from_string("inetOrgPerson", "2.16.840.1.113730.3.2.2");
|
2015-12-16 11:18:01 +00:00
|
|
|
/* RFC2798 */
|
2017-03-10 11:49:54 +00:00
|
|
|
oid_add_from_string("US company arc", "2.16.840.1");
|
|
|
|
|
|
|
|
|
|
/* http://www.alvestrand.no/objectid/2.16.840.1.113730.3.4.html */
|
|
|
|
|
oid_add_from_string("Manage DSA IT LDAPv3 control", "2.16.840.1.113730.3.4.2");
|
|
|
|
|
oid_add_from_string("Persistent Search LDAPv3 control", "2.16.840.1.113730.3.4.3");
|
|
|
|
|
oid_add_from_string("Netscape Password Expired LDAPv3 control", "2.16.840.1.113730.3.4.4");
|
|
|
|
|
oid_add_from_string("Netscape Password Expiring LDAPv3 control", "2.16.840.1.113730.3.4.5");
|
|
|
|
|
oid_add_from_string("Netscape NT Synchronization Client LDAPv3 control", "2.16.840.1.113730.3.4.6");
|
|
|
|
|
oid_add_from_string("Entry Change Notification LDAPv3 control", "2.16.840.1.113730.3.4.7");
|
|
|
|
|
oid_add_from_string("Transaction ID Request Control", "2.16.840.1.113730.3.4.8");
|
|
|
|
|
oid_add_from_string("VLV Request LDAPv3 control", "2.16.840.1.113730.3.4.9");
|
|
|
|
|
oid_add_from_string("VLV Response LDAPv3 control", "2.16.840.1.113730.3.4.10");
|
|
|
|
|
oid_add_from_string("Transaction ID Response Control", "2.16.840.1.113730.3.4.11");
|
|
|
|
|
oid_add_from_string("Proxied Authorization (version 1) control", "2.16.840.1.113730.3.4.12");
|
|
|
|
|
oid_add_from_string("iPlanet Directory Server Replication Update Information Control", "2.16.840.1.113730.3.4.13");
|
|
|
|
|
oid_add_from_string("iPlanet Directory Server search on specific backend control", "2.16.840.1.113730.3.4.14");
|
|
|
|
|
oid_add_from_string("Authentication Response Control", "2.16.840.1.113730.3.4.15");
|
|
|
|
|
oid_add_from_string("Authentication Request Control", "2.16.840.1.113730.3.4.16");
|
|
|
|
|
oid_add_from_string("Real Attributes Only Request Control", "2.16.840.1.113730.3.4.17");
|
|
|
|
|
oid_add_from_string("Proxied Authorization (version 2) Control", "2.16.840.1.113730.3.4.18");
|
|
|
|
|
oid_add_from_string("Chaining loop detection", "2.16.840.1.113730.3.4.19");
|
|
|
|
|
oid_add_from_string("iPlanet Replication Modrdn Extra Mods Control", "2.16.840.1.113730.3.4.999");
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_QUOTA_CONTROL_OID", "1.2.840.113556.1.4.1852");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_RANGE_OPTION_OID", "1.2.840.113556.1.4.802");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_SHUTDOWN_NOTIFY_OID", "1.2.840.113556.1.4.1907");
|
|
|
|
|
oid_add_from_string("LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID", "1.2.840.113556.1.4.1948");
|
|
|
|
|
|
2015-12-16 11:18:01 +00:00
|
|
|
|
2015-12-09 02:06:20 +00:00
|
|
|
dissector_add_string("ldap.name", "netlogon", create_dissector_handle(dissect_NetLogon_PDU, proto_cldap));
|
|
|
|
|
dissector_add_string("ldap.name", "objectGUID", create_dissector_handle(dissect_ldap_guid, proto_ldap));
|
|
|
|
|
dissector_add_string("ldap.name", "supportedControl", create_dissector_handle(dissect_ldap_oid, proto_ldap));
|
|
|
|
|
dissector_add_string("ldap.name", "supportedCapabilities", create_dissector_handle(dissect_ldap_oid, proto_ldap));
|
|
|
|
|
dissector_add_string("ldap.name", "objectSid", create_dissector_handle(dissect_ldap_sid, proto_ldap));
|
|
|
|
|
dissector_add_string("ldap.name", "nTSecurityDescriptor", create_dissector_handle(dissect_ldap_nt_sec_desc, proto_ldap));
|
2006-11-04 09:14:54 +00:00
|
|
|
|
|
|
|
|
#include "packet-ldap-dis-tab.c"
|
2009-10-09 21:41:06 +00:00
|
|
|
|
2016-10-07 20:25:01 +00:00
|
|
|
dissector_add_uint_range_with_preference("tcp.port", TCP_PORT_RANGE_LDAP, ldap_handle);
|
2005-12-09 16:46:24 +00:00
|
|
|
}
|
|
|
|
|
|
2010-12-06 22:08:48 +00:00
|
|
|
static void
|
|
|
|
|
prefs_register_ldap(void)
|
|
|
|
|
{
|
2008-01-26 10:12:22 +00:00
|
|
|
if(ssl_port != global_ldaps_tcp_port) {
|
|
|
|
|
if(ssl_port)
|
2015-11-06 04:20:45 +00:00
|
|
|
ssl_dissector_delete(ssl_port, ldap_handle);
|
2008-01-26 10:12:22 +00:00
|
|
|
|
|
|
|
|
/* Set our port number for future use */
|
|
|
|
|
ssl_port = global_ldaps_tcp_port;
|
|
|
|
|
|
2009-10-09 21:41:06 +00:00
|
|
|
if(ssl_port)
|
2015-11-06 04:20:45 +00:00
|
|
|
ssl_dissector_add(ssl_port, ldap_handle);
|
2008-01-26 10:12:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
2015-11-27 22:06:01 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Editor modelines - http://www.wireshark.org/tools/modelines.html
|
|
|
|
|
*
|
|
|
|
|
* Local Variables:
|
|
|
|
|
* c-basic-offset: 2
|
|
|
|
|
* tab-width: 8
|
|
|
|
|
* indent-tabs-mode: nil
|
|
|
|
|
* End:
|
|
|
|
|
*
|
|
|
|
|
* vi: set shiftwidth=2 tabstop=8 expandtab:
|
|
|
|
|
* :indentSize=2:tabSize=8:noTabs=true:
|
|
|
|
|
*/
|