64 Commits

Author SHA1 Message Date
Guy Harris 9f405c5703 Put the code to reassemble fragmented connection-oriented and
connectionless DCE RPC PDUs into common routines, and call those
routines when dissecting DCE RPC requests and responses.

Get rid of arguments to "dcerpc_try_handoff()" whose values are also in
the "dcerpc_info" structure pointed to by its "info" argument.

svn path=/trunk/; revision=5757
2002-06-24 09:23:39 +00:00
Tim Potter 6d6dce305d Change each DCERPC dissector to pass in a hf value on initialisation
for a value_string that corresponds to that dissector's opnums.  Pass
in -1 if no such table is available.

svn path=/trunk/; revision=5749
2002-06-24 00:03:18 +00:00
Guy Harris 5f8f311188 From Jaime Fournier: handle DCE RPC connectionless CANCEL PDUs with no
body.

svn path=/trunk/; revision=5730
2002-06-22 01:30:54 +00:00
Guy Harris 5c29a6c760 Don't hand off the stub body of a Fault PDU to the subdissector for the
protocol.

svn path=/trunk/; revision=5704
2002-06-19 10:06:02 +00:00
Guy Harris 309f192e02 Dissect the bodies of some additional PDU types.
Show presentation context negotiation results and rejection reasons, PDU
rejection reasons, and rejection status codes symbolically.  Show the
presentation context negotiation rejection reason only if there was a
rejection, and, if so, show it in the Info column as well as the
protocol tree.

Show more fields in the Info column.

Show the packet type in decimal in the protocol tree - it's shown as
decimal in the Info column and the values are shown as decimal in the
DCE RPC 1.1 spec.

Show the sequence number for connectionless PDUs as decimal in the
protocol tree - it's shown as decimal in the Info column, and the call
ID for connection-oriented PDUs is shown as decimal in the protocol
tree.

svn path=/trunk/; revision=5701
2002-06-19 08:34:38 +00:00
Guy Harris dbbeac5f68 There's no more need for separate request and response reassembly hash
tables for connectionless PDUs than for connection-oriented PDUs; just
have one connectionless PDU reassembly hash table.

Get rid of unnecessary tests of "dcerpc_reassemble" - the code to handle
requests and responses was

	if (!dcerpc_reassemble || packet not fragmented || frame is short)
		don't reassemble;
	else if (dcerpc_reassemble)
		reassemble

but if we go into the "else" clause we know that all three conditions in
the "if" are false, including "!dcerpc_reassemble", so we know
"dcerpc_reassemble" is true.

Set "pinfo->fragmented" based on whether the PDU being dissected is an
unreassembled first fragment or not.

Put a "Fragment data" item into the protocol tree for all fragments.

Properly maintain the offset when dissecting the header of a
connectionless PDU, even if we aren't building a protocol tree.

"fd_head->datalen" is bogus for sequence-number-based reassembly; use
"fd_head->len" instead.

svn path=/trunk/; revision=5695
2002-06-18 06:11:42 +00:00
Guy Harris b0dce85799 The offset of the authentication information in a connectionless PDU is
the fragment length *plus the offset of the beginning of the fragment
data*, not just the fragment length.

svn path=/trunk/; revision=5694
2002-06-18 05:06:44 +00:00
Guy Harris 5cb1f7c75c Add support for reassembly of fragmented connectionless PDUs.
Don't try to add a fragment to a reassembly operation if we don't have
all of the stub data (because the frame is short, or because it's part
of a packet fragmented at a layer below RPC and not reassembled).

Put an entry into the protocol tree for the fragment data of the last
fragment.

svn path=/trunk/; revision=5688
2002-06-17 01:11:00 +00:00
Guy Harris 879107efe1 Add #defines for the bits in the flag fields, and a macro to test
whether a connection-oriented PDU is fragmented or not.

Clean up the handling of fragmented connection-oriented PDUs (the code
to handle fragmented PDUs can assume that it is not the case that both
PFC_FIRST_FRAG and PFC_LAST_FRAG are set, as that's an unfragmented
PDU).  Put an entry into the protocol tree for the fragment data in
fragmented PDUs.

For fragmented connectionless PDUs, don't hand the payload of any
fragment other than the first fragment to the subdissector.

svn path=/trunk/; revision=5687
2002-06-17 00:04:49 +00:00
Guy Harris 4f9508837a Add "show_fragment_seq_tree()", which is like "show_fragment_tree()",
but for stuff reassembled with "fragment_add_seq()" or
"fragment_add_seq_check()".

Add a "fragment tag" string to the "fragment_items", so that packets
with fragmentation errors can be properly flagged as having "Illegal
fragments" or "Illegal segments" depending on the term used with the
protocol in question.

Make all the dissectors that can use "show_fragment_tree()" or
"show_fragment_seq_tree()", and don't already use them, do so.

svn path=/trunk/; revision=5644
2002-06-07 10:11:41 +00:00
Ronnie Sahlberg 31823cb851 Added show_fragment_tree() to reassemble. This function will do the common
task of creating a fragment tree for the fragmented packets.
Having this identical code to create this tree in every dissector that does
PDU reassembly is a huge waste and duplication of code.

Updated IP, SMB and DCERPC to use the new function.

svn path=/trunk/; revision=5626
2002-06-05 11:21:49 +00:00
Guy Harris 392a7dfc04 Get rid of the "data_src" member of the "frame_data" structure; put it
in the "packet_info" structure instead, as we don't need a pointer for
every single frame in the capture file, just for each frame for which we
currently have an open "epan_dissect_t".

svn path=/trunk/; revision=5614
2002-06-04 07:03:57 +00:00
Ronnie Sahlberg 259903dc66 Changed toplevel REF pointer dissection to create a subtree. Not creating a subtree was a design mistake which caused ugliness in the unicode string str dissector and in other places.
Dissectors will temporarily have less pretty output for toplevel ref pointers until their output is retuned.

svn path=/trunk/; revision=5573
2002-05-27 09:50:58 +00:00
Ronnie Sahlberg 1f5cebd9fd Fix a bug for dcerpc. If we do not have reassembly of fragments enabled, only call the subdissector for the first fragment.
svn path=/trunk/; revision=5556
2002-05-25 08:37:44 +00:00
Ronnie Sahlberg 2031280796 Reassembly of fragmented DCE/RPC (only for connection oriented DCE/RPC).
svn path=/trunk/; revision=5548
2002-05-24 11:51:14 +00:00
Ronnie Sahlberg c33e33fb7e Additions to the MAPI dissector. Function 02 for MAPI.
The function request/call are dissected but the main body of the function
in/out parameters consists of a unidimensional conformant and varying array of bytes whose content is encrypted/obfuscated.
Whoever can tell me how to decrypt/unobfuscate these bytes will get
a case of VB next time in Sydney.

svn path=/trunk/; revision=5532
2002-05-23 12:23:29 +00:00
Ronnie Sahlberg 04158638ae Added extra check in the function that parses NDR pointers.
When the representation for a pointer type gets dissected, the dissector
is actually called twice. Once with conformant_run==1 and once ==0.
The idea is that when conformant_run is ==1, the ONLY bytes that will be
dissected would be the array structure preceding the actual data.
And the normal data and content will be dissected when conformant_run ==0.
This is to handle the case properly when conformant arrays are embedded inside
aggregated types, in which case there will be other data inserted between
these array control data, and the array content.

The check that is added will assert that no other data is actually eaten
for conformant_run==1 than just this data.
This will help debugging dcerpc dissectors.

svn path=/trunk/; revision=5412
2002-05-07 10:07:55 +00:00
Guy Harris f7724391aa From Joerg Mayer: get rid of some unused variables and arguments, and
mark other unused arguments as such.

svn path=/trunk/; revision=5366
2002-05-02 21:47:47 +00:00
Tim Potter 72942ecf6f Changed COL_INFO string from 'rqst FOO(...)' to 'FOO request' as per
discussion on dev list.

svn path=/trunk/; revision=5299
2002-04-30 01:43:12 +00:00
Guy Harris 9a80f0a521 Removal (or, at least, #ifdeffing out) of unused variables and
functions, from David Frascone.

svn path=/trunk/; revision=5288
2002-04-29 08:20:18 +00:00
Guy Harris ab96c5694e Frame numbers are unsigned, and 0 is not a valid frame number; make the
frame number arguments, and elements in data structures, unsigned,
display them with "%u" rather than "%d", and use 0, rather than -1, as
"not known".

svn path=/trunk/; revision=5223
2002-04-22 09:43:03 +00:00
Guy Harris 29607a5107 For DCE RPC requests and replies, put an item into the protocol tree for
the sub-protocol containing the actual operation number (which isn't
necessarily the operation number in a connectionless reply's PDU;
sometimes the operation number in a connectionless reply appears to be
garbage, and it's not what we use to dissect the reply in any case), and
also giving the name of the operation, if we know it.

Show the authentication data in connectionless PDUs, if present, as an
item in the protocol tree.

svn path=/trunk/; revision=5002
2002-03-22 09:44:58 +00:00
Guy Harris 030cea2057 From Todd Sabin: set the tvbuff length of the stub data for
connectionless calls to the fragment length.

Add value_string tables for authentication protocol and level values.

Show the authentication protocol in decimal in connectionless PDUs, just
as we do in connection-oriented PDUs.

Get the authentication level from connection-oriented request and reply
PDUs and, if it's DCE_C_AUTHN_LEVEL_PKT_PRIVACY, don't hand the stub
data to subdissectors, just show it as encrypted stub data.

svn path=/trunk/; revision=4998
2002-03-21 09:35:52 +00:00
Guy Harris 09acc1c074 Secondary addresses are NUL-terminated strings; treat them as such.
svn path=/trunk/; revision=4981
2002-03-19 11:10:40 +00:00
Guy Harris 0ab2b8b50f Don't show a secondary address if the secondary address length is 0.
svn path=/trunk/; revision=4968
2002-03-18 07:56:06 +00:00
Guy Harris f911953894 Put an item into the protocol tree for the secondary address in a bind
ack PDU.

svn path=/trunk/; revision=4958
2002-03-16 22:54:20 +00:00
Guy Harris 2223587585 Catch another "(NULL pointer)%s" we didn't catch with the previous
checkin.

svn path=/trunk/; revision=4911
2002-03-10 03:11:10 +00:00
Guy Harris b27f1ac14d Put a space between "(NULL pointer)" and the name of the item being
dissected, just as is done with "(duplicate PTR)".

svn path=/trunk/; revision=4910
2002-03-10 03:09:48 +00:00
Ronnie Sahlberg 68a7d05463 Fixed bug in dissect_ndr_pointer(). Top level Unique and Full pointers are
not encoded in the same way in the NDR representation.

svn path=/trunk/; revision=4887
2002-03-06 08:28:57 +00:00
Guy Harris e594878f52 From Ronnie Sahlberg: display the opnum also for reply packets.
svn path=/trunk/; revision=4728
2002-02-13 04:12:42 +00:00
Guy Harris 3b47ff0df8 Display the fragment length, and fragment ordinal number, in decimal.
svn path=/trunk/; revision=4722
2002-02-12 07:55:23 +00:00
Guy Harris a8fc99ae5a From Ronnie Sahlberg:
	SAMR updates;

	a bugfix in dissect_ndr_pointer() (should not check referent id
	for aliases for unique pointers);

	enhancement to dissect_ndr_pointer() to make it possible to
	hand a generic int value to the dissector for the pointer object
	in a similar way as hf_index values are passed through the
	pointer layer.

svn path=/trunk/; revision=4721
2002-02-12 07:35:21 +00:00
Guy Harris 04228a94a3 From Ronnie Sahlberg:
	fix to LookupRids to match what the IDL file says;

	fix to "dissect_ndr_uint64()" to specify the right length to
	"proto_tree_add_item()";

	give the protocol tree items for array header counts and offsets
	the correct offsets in the packet.

svn path=/trunk/; revision=4719
2002-02-11 08:19:09 +00:00
Guy Harris 1726d487a5 From Todd Sabin:
	dissect dcerpc UDP replies correctly - use the opnum from the
	request, not the reply (the opnum from the request is frequently
	wrong in Microsoft's DCE RPC implementation);

	don't crash if the packet isn't found in the hash tables;

	dissect SamrLookupDomain requests properly.

svn path=/trunk/; revision=4718
2002-02-10 23:51:44 +00:00
Guy Harris 2f3a001d65 Fixes from Ronnie Sahlberg.
svn path=/trunk/; revision=4710
2002-02-08 11:02:03 +00:00
Guy Harris 8bc19844ca From Ronnie Sahlberg:
	the count fields in SAMR replies aren't array max_count values,
	so don't display them as such;

	Put conformant and conformant varying array length/offset/etc.
	values into the protocol tree.

svn path=/trunk/; revision=4701
2002-02-06 06:27:15 +00:00
Guy Harris d5df557923 DCE RPC enhancements, and SAMR improvements, from Ronnie Sahlberg.
svn path=/trunk/; revision=4618
2002-01-29 09:13:28 +00:00
Guy Harris 55bed21e45 From Ronnie Sahlberg:
	NDR pointer handling in DCE RPC
	SAMR updates

svn path=/trunk/; revision=4608
2002-01-25 08:35:59 +00:00
Guy Harris eb2d6593dc Replace a bunch of "tvb_length()" and "tvb_length_remaining()" calls in
arguments to "proto_tree_add_text()", and to "proto_tree_add_XXX()" calls
that add FT_NONE or FT_PROTO items to the protocol tree, with -1.

Replace some calls to "tvb_length()" or "tvb_length_remaining()" with
calls to "tvb_reported_length()" and "tvb_reported_length_remaining()",
as those give the actual length of the data in the packet, not just the
data that happened to be captured.

svn path=/trunk/; revision=4605
2002-01-24 09:20:54 +00:00
Guy Harris 20d4266049 From Ronnie Sahlberg: add support for finding the response that matches
a request.

svn path=/trunk/; revision=4600
2002-01-23 05:38:32 +00:00
Guy Harris ee5ca25d31 Include files from the "epan" directory and subdirectories thereof with
"epan/..." pathnames, so as to avoid collisions with header files in any
of the directories in which we look (e.g., "proto.h", as some other
package has its own "proto.h" file which it installs in the top-level
include directory).

Don't add "-I" flags to search "epan", as that's no longer necessary
(and we want includes of "epan" headers to fail if the "epan/" is left
out, so that we don't re-introduce includes lacking "epan/").

svn path=/trunk/; revision=4586
2002-01-21 07:37:49 +00:00
Guy Harris 98b2ecb304 SPOOLSS RPC dissector, from Tim Potter. This includes adding additional
DOS error codes to the table of them, and exporting that table to other
dissectors for protocols using DOS error codes.

svn path=/trunk/; revision=4470
2002-01-03 20:42:41 +00:00
Guy Harris 4eb3462238 Check whether the protocol for a DCERPC subdissector is enabled, and
don't call the subdissector (or even create a subtree for the protocol)
if it's not enabled.

Save the current protocol string, and set it to the string for the
subdissector's protocol, before calling the subdissector, and restore it
after the subdissector returns.

svn path=/trunk/; revision=4418
2001-12-17 23:08:51 +00:00
Guy Harris 23319ff023 Move the pointer to the "column_info" structure in the "frame_data"
structure to the "packet_info" structure; only stuff that's permanently
stored with each frame should be in the "frame_data" structure, and the
"column_info" structure is not guaranteed to hold the column values for
that frame at all times - it was only in the "frame_data" structure so
that it could be passed to dissectors, and, as all dissectors are now
passed a pointer to a "packet_info" structure, it could just as well be
put in the "packet_info" structure.

That saves memory, by shrinking the "frame_data" structure (there's one
of those per frame), and also lets us clean up the code a bit.

svn path=/trunk/; revision=4370
2001-12-10 00:26:21 +00:00
Guy Harris 6b253331f0 Support for reassembly of DCERPC over SMB, from Ronnie Sahlberg.
svn path=/trunk/; revision=4335
2001-12-05 08:20:30 +00:00
Guy Harris a4bc234f2d Add { 0, NULL } terminators to some "value_string" arrays lacking them.
Make some static that don't need to be exported.

svn path=/trunk/; revision=4288
2001-11-27 22:37:20 +00:00
Guy Harris 5613c7d37a When returning the length of the DCE RPC PDU, add 4 if the packet was
preceded by 4 bytes of zero padding.

svn path=/trunk/; revision=4287
2001-11-27 11:01:35 +00:00
Guy Harris f78a1f548b Rename the heuristic dissector table "msrpc" to "smb_transact", to
indicate that it's to be used for SMB transactions; a different table,
using different dissectors, would be needed for, say, reads and writes
over a named pipe, as those are byte streams and SMB transactions are
packets, so the dissectors for the first one need to worry about
multiple PDUs per segment and desegmentation, while the dissectors for
the second one don't - and, in fact, can't do desegmentation stuff.

svn path=/trunk/; revision=4286
2001-11-27 09:37:18 +00:00
Guy Harris 5ebf118bf3 From Todd Sabin:
	o Modifies the dcerpc handoff to subdissectors slightly.  It
	  also needs to pass the data representation to the
	  subdissector.  Also, if no subdissector is found, it puts a
	  "Stub data" entry in the tree.

	o Adds optional TCP desegmentation to the dcerpc layer.  Note
	  that dcerpc has its own ability to fragment PDUs.  This isn't
	  for dealing with that, but with the case of a single PDU being
	  broken over more than one TCP segment.

	o Adds a little bit of dissection to packet-dcerpc-epm.c.
	  Mainly just proof of concept for the dcerpc handoff stuff.
	  (Writing this is how I realized the need for the drep.)

	o Adds packet-dcerpc-ndr.c, which will contain NDR dissection
	  routines for use by subdissectors.

Also, support added for multiple PDUs per segment for DCERPC-over-TCP
(and, potentially, other byte-stream transports).

svn path=/trunk/; revision=4285
2001-11-27 09:27:29 +00:00
Guy Harris 8c358fd83e From Tim Potter: use the FID, for DCE RPC-over-SMB, as part of the
conversation matching.

svn path=/trunk/; revision=4220
2001-11-18 22:44:08 +00:00