dont try dcerpc reassembly of fragments if we dont have the entire pdu
only call the heuristical dissectors once from smb/pipe as per guy(?)s comments about idempotence.
when doing reassembly, the dcerpc dissector is indeed not idempotent any more.
svn path=/trunk/; revision=19304
the biggest problem in changing this is the dcv->private_data usage.
add a dcv->se_data which can keep data around from a request to a response and use this to change the LSA/OpenPolicy2 servername passing from request to response as a test pattern of moving all users of dcv->private data over to use dcv->se_data.
once all users are migrated over we can then change the dcv->private data pointer to be of ep scope and thus not need an explicit free (which is quite difficult and it is quite difficult in the old semantics to know WHEN we need to free this pointer)
this will eventually make the usage more clean and at the same time close down quite a few memory leaks.
eventually this will make dissect_ndr_nt_SID return a pointer to ep allocated memory that need not be explicitely freed.
svn path=/trunk/; revision=19226
most of the relevant code moved to guid_utils
lot of corresponding code cleanup in packet-dcerpc.c
still using GHashTable
still not using a manuf like file
svn path=/trunk/; revision=18939
I think I've changed all corresponding appearances from FT_STRING to FT_GUID, so assert the FT_ type as it should only be a FT_GUID now.
Add a generic implementation in guid_utils.h to have a way to store data about GUID to name resolving (something like value_string for e.g. int). It might be better to have a single registry for all GUID's of all dissectors and implement the GUID name resolving into the proto_tree_add... functions.
svn path=/trunk/; revision=18935
add a generated field telling the user and add an expert info entry
This often happens when the capture misses the binding procedure at the beginning of a conversation "capture start too late".
svn path=/trunk/; revision=18687
This should fix some "differ in signedness" warnings (and maybe will raise new ones, which should be fixed at the calling places then)
svn path=/trunk/; revision=18605
use UTF-16 internally and GTK+ 2.x uses UTF-8, which means we have to
do a lots of conversions.
Add utf_8to16() and utf_16to8 convenience functions to strutil.c.
svn path=/trunk/; revision=17534
a capture file. This should fix bug #536.
Make sure we initialize our hash tables in packet-dcerpc-nt.c and several
other files. Fix up whitespace while we're at it.
svn path=/trunk/; revision=16255
I've changed all settings I could find to TRUE. It might be reasonable to change some protocol settings back to FALSE, if reassembling fails very often.
svn path=/trunk/; revision=16048
"dissect_dcerpc_cn_bs_body()", it's because it recognized the packet as
a DCE RPC packet, but it ran out of data dissecting it as such;
increment the count of DCE RPC PDUs, so "dissect_dcerpc_cn_bs_body()"
returns TRUE, and its caller doesn't think nothing was dissected.
Fuzzed with some DCE RPC captures.
svn path=/trunk/; revision=16000
in addition, I had to implement fragment_get_reassembled() in addition to fragment_get(), which works with reassembled_table
svn path=/trunk/; revision=15762
as connection oriented (cn) and connectionless (dg) DCE/RPC uses different ways to handle defragmentation and this function is only used for dg
svn path=/trunk/; revision=15757
Please see: http://wiki.ethereal.com/Development/ExpertInfo for a complete overview of the intended feature and it's current state of implementation.
While I'm working on this, I've also added some more status result codes to the DCE/RPC and DCOM dissectors.
svn path=/trunk/; revision=15754
reassemble.c:
I had to change the way the reassemble code works if the dissector is telling that more fragments *will* follow. In this case the reassemble code shouldn't try to reassemble already at that time ...
I've also changed the way if a fragment was already seen or not, as it's not enough to check for the frame number, in the scenario described above.
Unfortunately both changes *might* broke other protocols from reassemble properly. I've checked with excessive TCP desegmentation and it's still working without any changes :-)
packet-dcerpc.c:
use a tvb subset to limit the "end of bytes" processed in a single fragment dissect run, as each fragment has it's own DCE/RPC header (and isn't part of the stub data of the previous packet).
svn path=/trunk/; revision=15744
I've done more than a day to change the timestamp resolution from microseconds to nanoseconds. As I really don't want to loose those changes, I'm going to check in the changes I've done so far. Hopefully someone else will give me a helping hand with the things left ...
What's done: I've changed the timestamp resolution from usec to nsec in almost any place in the sources. I've changed parts of the implementation in nstime.s/.h and a lot of places elsewhere.
As I don't understand the editcap source (well, I'm maybe just too tired right now), hopefully someone else might be able to fix this soon.
Doing all those changes, we get native nanosecond timestamp resolution in Ethereal. After fixing all the remaining issues, I'll take a look how to display this in a convenient way...
As I've also changed the wiretap timestamp resolution from usec to nsec we might want to change the wiretap version number...
svn path=/trunk/; revision=15520
there are only 5 gmemchunks left but they have different litetime for their allocations than the 100+ ones that have been removed.
The remaining 5 should be converted some other way.
svn path=/trunk/; revision=15328
-use g_snprintf instead of sprintf and snprintf
-use g_strdup_printf where appropriate
-remove #include "snprintf.h" (as only g_snprintf should be used)
-replace some more alloc/realloc/calloc/free with their glib pendants
svn path=/trunk/; revision=15264
Unfortunately, this is *very* safe now as it will mark a lot of DCE/RPC packets as malformed, thus the reassembling code won't work with most packets :-(
I've replaced this with the correct check and used THROW(ReportedBoundsError) instead which is hopefully the right error in this case.
BTW: could someone please add a description of the ReportedBoundsError vs. BoundsError to the code as I still don't get it.
In addition: Use a toplevel tree item to display the DCE/RPC defragmentation just as it's done in the TCP desegmentation code.
svn path=/trunk/; revision=15188
(presumably-)harmless-but-otherwise-unremovable const-to-nonconst
warnings.
In the TACACS dissector, clean up the variables used in option parsing
to avoid some const-to-nonconst warnings.
Clean up some white space.
svn path=/trunk/; revision=15043
make dissect_dcerpc_uuid_t() accept eitehr FT_STRING (old style) and FT_GUID (new style) hf fields. once all dissectors are modified to use FT_GUID we can remove the FT_STRING support here.
regenerate the DRSUAPI interface with the new FT_GUID support.
svn path=/trunk/; revision=14912
This is extremely useful, to keep track of the corresponding request/response packets of a DCE/RPC call (which can be quite a lot packets if fragmentation is used).
svn path=/trunk/; revision=14826
in a simple approach, I've replaced all g_assert() and g_assert_not_reached() calls by their exception throwing counterparts DISSECTOR_ASSERT() and DISSECTOR_ASSERT_NOT_REACHED()
this will replace application crash by showing a dissector bug, which is the desired behaviour
there were some g_assert calls in the protocol registering functions, which might not be acting as expected now, but to be able to simply search for g_assert in the future I've replaced that calls too
one g_assert remained, the one when someone throws an unknown exception "into" packet_frame.c, but IMHO this one should remain.
svn path=/trunk/; revision=14608
set "n*DCERPC" in the proto column if more than one RPC call in a TCP PDU, overwriting the interface name, as there's probably more than one interface involved
add some more RPC info to the toplevel RPC proto_item
add a comment, if some bytes are not dissected but might be in the next TCP PDU
svn path=/trunk/; revision=14490
cerlare it as a parameter that is a struct/union and not a ref pointer to one.
this is ok since toplevel ref pointers are invisible in the wire encoding anyway.
unfortunatelky ethereal dce runtime needed to see that pointer to keep track of whisch one was a toplevel and which one wasnt.
implement a new api to call pointers which explicitely specifies whether the pointer is toplevel or embedded.
eventually all dce dissectors will use this new interface and the generic dissect_ndr_pointer() can be retired.
svn path=/trunk/; revision=13755
(cifs: dc's talking to eachother and when longhorn comes out: anyone wanting to talk dce to a dc!)
((this is an incredibly advanced feature well worthy of mentioning in NEWS))
svn path=/trunk/; revision=13690
1) Added a setup_frame parameter to conversation_t
2) Used the conversation_t next to maintain a list of conversations with the
same src/dest tuple but different setup_frame number.
3) Changed the signature of find_conversation() and conversation_new() to pass
in the frame number.
4) Adjusted packet-sdp to select RTP conversation if both m=audio and m=image
are present, and T.38 conversation if only m=image is present. I expect that
RTP/T.38 dissecting to be better, but I don't have a way to generate T.38
packets.
svn path=/trunk/; revision=13243
another part of the PROFINET dissectors (PN-CBA, including a lot of generic DCOM dissection) still some work to be done ...
svn path=/trunk/; revision=12776
NTLMSSP, the state of the RC4 stream is dependent on the stub being
decrypted before the verifier.
Correctly set the length and reported length of the tvb for the stub
(the reported length of that tvb should be set based on the *reported*
length of the parent tvbuff, not the captured length).
svn path=/trunk/; revision=11938
I (hopefully) didn't changed any protocol fields or preference file names, but only the GUI labels appearing in the protocol display and the protocol preferences.
Also added a note to the protocol preferences (where appropriate), that you have to enable "Allow subdissectors to reassemble TCP streams" at the corresponding protocol settings for TCP reassembling to take effect.
If you encounter any mistakes I've made here, please let me know...
svn path=/trunk/; revision=11784
Also move ncp222.py, x11-fields, process-x11-fields.pl,
make-reg-dotc, and make-reg-dotc.py.
Adjust #include lines in files that include packet-*.h
files.
svn path=/trunk/; revision=11410
Ronnie Sahlberg