From Dirk Jagdmann via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6450 :
Several updates to the DCE/RPC dissector: - changed the variable name "ndr64_uuid" to "uuid_ndr64" to make it similar to the other UUID variable names. Minor changes to the UUID names. - changed the UUID name for the 32bit NDR to describe that. In the DCE/RPC standard this UUID is described as "Version 1.1 network data representation protocol", but this is an unnecessarily long name and it's the only 32bit version defined for DCE/RPC anyway. The new name "32bit NDR" is similar to the changed name for the 64bit NDR. - added a UUID for "bind time feature negotiation" found with Microsoft PDUs. - added a UUID for "asynchronous MAPI". Of course this UUID/name should be added to the MAPI dissector, but the MAPI dissector is generated C code from Samba/OpenChange pidl sources. Eventually those might get updated. An alternative would be to create a new file to specifically register UUIDs used in the DCE/RPC context. - when the g_hash_table_insert() function is used, I've removed the code to look up and remove the key, as g_hash_table_insert() is doing that internally (or, more precisely, it is overwriting the old value). - in the dissector function for Bind and BindAck, I now print all context items into COL_INFO and not just the first one. - added a new value for Bind results, used by Microsoft products. (The "Negotiate ACK" is used with the "bind time feature negotiation" UUID) svn path=/trunk/; revision=39455
parent
bd128abe64
commit
56981d384d
|
@ -52,12 +52,14 @@
|
|||
|
||||
static int dcerpc_tap = -1;
|
||||
|
||||
/* standard transport syntax */
|
||||
/* 32bit Network Data Representation, see DCE/RPC Appendix I */
|
||||
static e_uuid_t uuid_data_repr_proto = { 0x8a885d04, 0x1ceb, 0x11c9, { 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60 } };
|
||||
/* ndr64 transport syntax, introduced in w2k8 */
|
||||
static e_uuid_t ndr64_uuid = { 0x71710533, 0xbeba, 0x4937, { 0x83, 0x19, 0xb5, 0xdb, 0xef, 0x9c, 0xcc, 0x36 } };
|
||||
|
||||
|
||||
/* 64bit Network Data Representation, introduced in Windows Server 2008 */
|
||||
static e_uuid_t uuid_ndr64 = { 0x71710533, 0xbeba, 0x4937, { 0x83, 0x19, 0xb5, 0xdb, 0xef, 0x9c, 0xcc, 0x36 } };
|
||||
/* Bind Time Feature Negotiation, see [MS-RPCE] 3.3.1.5.3 */
|
||||
static e_uuid_t uuid_bind_time_feature_nego = { 0x6cb71c2c, 0x9812, 0x4540, { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } };
|
||||
/* see [MS-OXRPC] Appendix A: Full IDL, http://msdn.microsoft.com/en-us/library/ee217991%28v=exchg.80%29.aspx */
|
||||
static e_uuid_t uuid_asyncemsmdb = { 0x5261574a, 0x4572, 0x206e, { 0xb2, 0x68, 0x6b, 0x19, 0x92, 0x13, 0xb4, 0xe4 } };
|
||||
|
||||
static const value_string pckt_vals[] = {
|
||||
{ PDU_REQ, "Request"},
|
||||
|
@ -207,6 +209,7 @@ static const value_string p_cont_result_vals[] = {
|
|||
{ 0, "Acceptance" },
|
||||
{ 1, "User rejection" },
|
||||
{ 2, "Provider rejection" },
|
||||
{ 3, "Negotiate ACK" }, /* [MS-RPCE] 2.2.2.4 */
|
||||
{ 0, NULL }
|
||||
};
|
||||
|
||||
|
@ -2778,10 +2781,9 @@ static void
|
|||
dissect_dcerpc_cn_bind (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
||||
proto_tree *dcerpc_tree, e_dce_cn_common_hdr_t *hdr)
|
||||
{
|
||||
conversation_t *conv = NULL;
|
||||
conversation_t *conv = find_or_create_conversation(pinfo);
|
||||
guint8 num_ctx_items = 0;
|
||||
guint i;
|
||||
gboolean saw_ctx_item = FALSE;
|
||||
guint16 ctx_id;
|
||||
guint8 num_trans_items;
|
||||
guint j;
|
||||
|
@ -2809,6 +2811,8 @@ dissect_dcerpc_cn_bind (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|||
/* padding */
|
||||
offset += 3;
|
||||
|
||||
col_append_fstr(pinfo->cinfo, COL_INFO, ", %u context items:", num_ctx_items);
|
||||
|
||||
for (i = 0; i < num_ctx_items; i++) {
|
||||
proto_item *ctx_item = NULL;
|
||||
proto_tree *ctx_tree = NULL, *iface_tree = NULL;
|
||||
|
@ -2878,7 +2882,6 @@ dissect_dcerpc_cn_bind (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|||
proto_item_set_len(iface_item, 20);
|
||||
}
|
||||
|
||||
|
||||
memset(&trans_id, 0, sizeof(trans_id));
|
||||
for (j = 0; j < num_trans_items; j++) {
|
||||
proto_tree *trans_tree = NULL;
|
||||
|
@ -2913,10 +2916,6 @@ dissect_dcerpc_cn_bind (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|||
}
|
||||
}
|
||||
|
||||
if (!saw_ctx_item) {
|
||||
conv = find_or_create_conversation(pinfo);
|
||||
}
|
||||
|
||||
/* if this is the first time we see this packet, we need to
|
||||
update the dcerpc_binds table so that any later calls can
|
||||
match to the interface.
|
||||
|
@ -2936,22 +2935,15 @@ dissect_dcerpc_cn_bind (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|||
value->ver = if_ver;
|
||||
value->transport=trans_id;
|
||||
|
||||
/* add this entry to the bind table, first removing any
|
||||
previous ones that are identical
|
||||
*/
|
||||
if(g_hash_table_lookup(dcerpc_binds, key)){
|
||||
g_hash_table_remove(dcerpc_binds, key);
|
||||
}
|
||||
/* add this entry to the bind table */
|
||||
g_hash_table_insert (dcerpc_binds, key, value);
|
||||
}
|
||||
if (!saw_ctx_item) {
|
||||
if (num_ctx_items > 1)
|
||||
col_append_fstr(pinfo->cinfo, COL_INFO, ", %u context items, 1st", num_ctx_items);
|
||||
|
||||
col_append_fstr(pinfo->cinfo, COL_INFO, " %s V%u.%u",
|
||||
guids_resolve_uuid_to_str(&if_id), if_ver, if_ver_minor);
|
||||
saw_ctx_item = TRUE;
|
||||
}
|
||||
if (i > 0)
|
||||
col_append_fstr(pinfo->cinfo, COL_INFO, ",");
|
||||
col_append_fstr(pinfo->cinfo, COL_INFO, " %s V%u.%u (%s)",
|
||||
guids_resolve_uuid_to_str(&if_id), if_ver, if_ver_minor,
|
||||
guids_resolve_uuid_to_str(&trans_id));
|
||||
|
||||
if(ctx_tree) {
|
||||
proto_item_set_len(ctx_item, offset - ctx_offset);
|
||||
|
@ -3009,6 +3001,9 @@ dissect_dcerpc_cn_bind_ack (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|||
/* padding */
|
||||
offset += 3;
|
||||
|
||||
col_append_fstr(pinfo->cinfo, COL_INFO, ", max_xmit: %u max_recv: %u, %u results:",
|
||||
max_xmit, max_recv, num_results);
|
||||
|
||||
for (i = 0; i < num_results; i++) {
|
||||
proto_tree *ctx_tree = NULL;
|
||||
|
||||
|
@ -3045,6 +3040,11 @@ dissect_dcerpc_cn_bind_ack (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|||
|
||||
offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, ctx_tree, hdr->drep,
|
||||
hf_dcerpc_cn_ack_trans_ver, &trans_ver);
|
||||
|
||||
if (i > 0)
|
||||
col_append_fstr(pinfo->cinfo, COL_INFO, ",");
|
||||
col_append_fstr(pinfo->cinfo, COL_INFO, " %s",
|
||||
val_to_str(result, p_cont_result_vals, "Unknown result (%u)"));
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -3052,22 +3052,6 @@ dissect_dcerpc_cn_bind_ack (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|||
* we get back from this?
|
||||
*/
|
||||
dissect_dcerpc_cn_auth (tvb, offset, pinfo, dcerpc_tree, hdr, TRUE, &auth_info);
|
||||
|
||||
if (num_results != 0) {
|
||||
if (result == 0) {
|
||||
/* XXX - only checks the last result */
|
||||
col_append_fstr (pinfo->cinfo, COL_INFO,
|
||||
" accept max_xmit: %u max_recv: %u",
|
||||
max_xmit, max_recv);
|
||||
} else {
|
||||
/* XXX - only shows the last result and reason */
|
||||
col_append_fstr (pinfo->cinfo, COL_INFO, " %s, reason: %s",
|
||||
val_to_str(result, p_cont_result_vals,
|
||||
"Unknown result (%u)"),
|
||||
val_to_str(reason, p_provider_reason_vals,
|
||||
"Unknown (%u)"));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
|
@ -3407,18 +3391,12 @@ dcerpc_add_conv_to_bind_table(decode_dcerpc_bind_values_t *binding)
|
|||
*/
|
||||
bind_value->transport=uuid_data_repr_proto;
|
||||
|
||||
|
||||
key = se_alloc(sizeof (dcerpc_bind_key));
|
||||
key->conv = conv;
|
||||
key->ctx_id = binding->ctx_id;
|
||||
key->smb_fid = binding->smb_fid;
|
||||
|
||||
/* add this entry to the bind table, first removing any
|
||||
previous ones that are identical
|
||||
*/
|
||||
if(g_hash_table_lookup(dcerpc_binds, key)){
|
||||
g_hash_table_remove(dcerpc_binds, key);
|
||||
}
|
||||
/* add this entry to the bind table */
|
||||
g_hash_table_insert(dcerpc_binds, key, bind_value);
|
||||
|
||||
return bind_value;
|
||||
|
@ -3545,7 +3523,7 @@ dissect_dcerpc_cn_rqst (tvbuff_t *tvb, gint offset, packet_info *pinfo,
|
|||
call_value->private_data = NULL;
|
||||
call_value->pol = NULL;
|
||||
call_value->flags = 0;
|
||||
if (!memcmp(&bind_value->transport, &ndr64_uuid, sizeof(ndr64_uuid))) {
|
||||
if (!memcmp(&bind_value->transport, &uuid_ndr64, sizeof(uuid_ndr64))) {
|
||||
call_value->flags |= DCERPC_IS_NDR64;
|
||||
}
|
||||
|
||||
|
@ -5918,7 +5896,8 @@ proto_reg_handoff_dcerpc (void)
|
|||
heur_dissector_add ("http", dissect_dcerpc_cn_bs, proto_dcerpc);
|
||||
dcerpc_smb_init(proto_dcerpc);
|
||||
|
||||
|
||||
guids_add_uuid(&uuid_data_repr_proto, "Version 1.1 network data representation protocol");
|
||||
guids_add_uuid(&ndr64_uuid, "NDR64");
|
||||
guids_add_uuid(&uuid_data_repr_proto, "32bit NDR");
|
||||
guids_add_uuid(&uuid_ndr64, "64bit NDR");
|
||||
guids_add_uuid(&uuid_bind_time_feature_nego, "bind time feature negotiation");
|
||||
guids_add_uuid(&uuid_asyncemsmdb, "async MAPI");
|
||||
}
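Review bot: The per-result summary added inside the `dissect_dcerpc_cn_bind_ack` loop (`" %s"` with `val_to_str(result, p_cont_result_vals, ...)`) no longer shows why a context was rejected, because the block removed after `dissect_dcerpc_cn_auth` was the only visible place that printed `reason` through `p_provider_reason_vals`. When triaging failed binds from the packet list, that reason is the informative part of the line. Consider appending it for the two rejection results, e.g. `if (result == 1 || result == 2) col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", val_to_str(reason, p_provider_reason_vals, "Unknown (%u)"));`. This assumes `reason` is filled in earlier in the same loop iteration, which lies outside the visible hunk. Separately, the bare `","` separators in both loops take no format arguments, so `col_append_str` fits better than `col_append_fstr`.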
|
||||
|
|