Commit Graph

151 Commits

Author SHA1 Message Date
Ronnie Sahlberg 1f5cebd9fd Fix a bug for dcerpc. If we do not have reassembly of fragments enabled, only call the subdissector for the first fragment.
svn path=/trunk/; revision=5556
2002-05-25 08:37:44 +00:00
Ronnie Sahlberg 2031280796 Reassembly of fragmented DCE/RPC (only for connection oriented DCE/RPC).
svn path=/trunk/; revision=5548
2002-05-24 11:51:14 +00:00
Ronnie Sahlberg c33e33fb7e Additions to the MAPI dissector. Function 02 for MAPI.
The function request/call are dissected but the main body of the function
in/out parameters consists of a unidimensional conformant and varying array of bytes whose content is encrypted/obfuscated.
Whoever can tell me how to decrypt/unobfuscate these bytes will get
a case of VB next time in Sydney.

svn path=/trunk/; revision=5532
2002-05-23 12:23:29 +00:00
Ronnie Sahlberg 04158638ae Added extra check in the function that parses NDR pointers.
When the representation for a pointer type gets dissected, the dissector
is actually called twice. Once with conformant_run==1 and once ==0.
The idea is that when conformant_run is ==1, the ONLY bytes that will be
dissected would be the array structure preceding the actual data.
And the normal data and content will be dissected when conformant_run ==0.
This is to handle the case properly when conformant arrays are embedded inside
aggregated types, in which case there will be other data inserted between
these array control data, and the array content.

The check that is added will assert that no other data is actually eaten
for conformant_run==1 than just this data.
This will help debugging dcerpc dissectors.

svn path=/trunk/; revision=5412
2002-05-07 10:07:55 +00:00
Guy Harris f7724391aa From Joerg Mayer: get rid of some unused variables and arguments, and
mark other unused arguments as such.

svn path=/trunk/; revision=5366
2002-05-02 21:47:47 +00:00
Tim Potter 72942ecf6f Changed COL_INFO string from 'rqst FOO(...)' to 'FOO request' as per
discussion on dev list.

svn path=/trunk/; revision=5299
2002-04-30 01:43:12 +00:00
Guy Harris 9a80f0a521 Removal (or, at least, #ifdeffing out) of unused variables and
functions, from David Frascone.

svn path=/trunk/; revision=5288
2002-04-29 08:20:18 +00:00
Guy Harris ab96c5694e Frame numbers are unsigned, and 0 is not a valid frame number; make the
frame number arguments, and elements in data structures, unsigned,
display them with "%u" rather than "%d", and use 0, rather than -1, as
"not known".

svn path=/trunk/; revision=5223
2002-04-22 09:43:03 +00:00
Guy Harris 29607a5107 For DCE RPC requests and replies, put an item into the protocol tree for
the sub-protocol containing the actual operation number (which isn't
necessarily the operation number in a connectionless reply's PDU;
sometimes the operation number in a connectionless reply appears to be
garbage, and it's not what we use to dissect the reply in any case), and
also giving the name of the operation, if we know it.

Show the authentication data in connectionless PDUs, if present, as an
item in the protocol tree.

svn path=/trunk/; revision=5002
2002-03-22 09:44:58 +00:00
Guy Harris 030cea2057 From Todd Sabin: set the tvbuff length of the stub data for
connectionless calls to the fragment length.

Add value_string tables for authentication protocol and level values.

Show the authentication protocol in decimal in connectionless PDUs, just
as we do in connection-oriented PDUs.

Get the authentication level from connection-oriented request and reply
PDUs and, if it's DCE_C_AUTHN_LEVEL_PKT_PRIVACY, don't hand the stub
data to subdissectors, just show it as encrypted stub data.

svn path=/trunk/; revision=4998
2002-03-21 09:35:52 +00:00
Guy Harris 09acc1c074 Secondary addresses are NUL-terminated strings; treat them as such.
svn path=/trunk/; revision=4981
2002-03-19 11:10:40 +00:00
Guy Harris 0ab2b8b50f Don't show a secondary address if the secondary address length is 0.
svn path=/trunk/; revision=4968
2002-03-18 07:56:06 +00:00
Guy Harris f911953894 Put an item into the protocol tree for the secondary address in a bind
ack PDU.

svn path=/trunk/; revision=4958
2002-03-16 22:54:20 +00:00
Guy Harris 2223587585 Catch another "(NULL pointer)%s" we didn't catch with the previous
checkin.

svn path=/trunk/; revision=4911
2002-03-10 03:11:10 +00:00
Guy Harris b27f1ac14d Put a space between "(NULL pointer)" and the name of the item being
dissected, just as is done with "(duplicate PTR)".

svn path=/trunk/; revision=4910
2002-03-10 03:09:48 +00:00
Ronnie Sahlberg 68a7d05463 Fixed bug in dissect_ndr_pointer(). Top level Unique and Full pointers are
not encoded in the same way in the NDR representation.

svn path=/trunk/; revision=4887
2002-03-06 08:28:57 +00:00
Guy Harris e594878f52 From Ronnie Sahlberg: display the opnum also for reply packets.
svn path=/trunk/; revision=4728
2002-02-13 04:12:42 +00:00
Guy Harris 3b47ff0df8 Display the fragment length, and fragment ordinal number, in decimal.
svn path=/trunk/; revision=4722
2002-02-12 07:55:23 +00:00
Guy Harris a8fc99ae5a From Ronnie Sahlberg:
	SAMR updates;

	a bugfix in dissect_ndr_pointer() (should not check referent id
	for aliases for unique pointers);

	enhancement to dissect_ndr_pointer() to make it possible to
	hand a generic int value to the dissector for the pointer object
	in a similar way as hf_index values are passed through the
	pointer layer.

svn path=/trunk/; revision=4721
2002-02-12 07:35:21 +00:00
Guy Harris 04228a94a3 From Ronnie Sahlberg:
	fix to LookupRids to match what the IDL file says;

	fix to "dissect_ndr_uint64()" to specify the right length to
	"proto_tree_add_item()";

	give the protocol tree items for array header counts and offsets
	the correct offsets in the packet.

svn path=/trunk/; revision=4719
2002-02-11 08:19:09 +00:00
Guy Harris 1726d487a5 From Todd Sabin:
	dissect dcerpc UDP replies correctly - use the opnum from the
	request, not the reply (the opnum from the request is frequently
	wrong in Microsoft's DCE RPC implementation);

	don't crash if the packet isn't found in the hash tables;

	dissect SamrLookupDomain requests properly.

svn path=/trunk/; revision=4718
2002-02-10 23:51:44 +00:00
Guy Harris 2f3a001d65 Fixes from Ronnie Sahlberg.
svn path=/trunk/; revision=4710
2002-02-08 11:02:03 +00:00
Guy Harris 8bc19844ca From Ronnie Sahlberg:
	the count fields in SAMR replies aren't array max_count values,
	so don't display them as such;

	Put conformant and conformant varying array length/offset/etc.
	values into the protocol tree.

svn path=/trunk/; revision=4701
2002-02-06 06:27:15 +00:00
Guy Harris d5df557923 DCE RPC enhancements, and SAMR improvements, from Ronnie Sahlberg.
svn path=/trunk/; revision=4618
2002-01-29 09:13:28 +00:00
Guy Harris 55bed21e45 From Ronnie Sahlberg:
	NDR pointer handling in DCE RPC
	SAMR updates

svn path=/trunk/; revision=4608
2002-01-25 08:35:59 +00:00
Guy Harris eb2d6593dc Replace a bunch of "tvb_length()" and "tvb_length_remaining()" calls in
arguments to "proto_tree_add_text()", and to "proto_tree_add_XXX()" calls
that add FT_NONE or FT_PROTO items to the protocol tree, with -1.

Replace some calls to "tvb_length()" or "tvb_length_remaining()" with
calls to "tvb_reported_length()" and "tvb_reported_length_remaining()",
as those give the actual length of the data in the packet, not just the
data that happened to be captured.

svn path=/trunk/; revision=4605
2002-01-24 09:20:54 +00:00
Guy Harris 20d4266049 From Ronnie Sahlberg: add support for finding the response that matches
a request.

svn path=/trunk/; revision=4600
2002-01-23 05:38:32 +00:00
Guy Harris ee5ca25d31 Include files from the "epan" directory and subdirectories thereof with
"epan/..." pathnames, so as to avoid collisions with header files in any
of the directories in which we look (e.g., "proto.h", as some other
package has its own "proto.h" file which it installs in the top-level
include directory).

Don't add "-I" flags to search "epan", as that's no longer necessary
(and we want includes of "epan" headers to fail if the "epan/" is left
out, so that we don't re-introduce includes lacking "epan/").

svn path=/trunk/; revision=4586
2002-01-21 07:37:49 +00:00
Guy Harris 98b2ecb304 SPOOLSS RPC dissector, from Tim Potter. This includes adding additional
DOS error codes to the table of them, and exporting that table to other
dissectors for protocols using DOS error codes.

svn path=/trunk/; revision=4470
2002-01-03 20:42:41 +00:00
Guy Harris 4eb3462238 Check whether the protocol for a DCERPC subdissector is enabled, and
don't call the subdissector (or even create a subtree for the protocol)
if it's not enabled.

Save the current protocol string, and set it to the string for the
subdissector's protocol, before calling the subdissector, and restore it
after the subdissector returns.

svn path=/trunk/; revision=4418
2001-12-17 23:08:51 +00:00
Guy Harris 23319ff023 Move the pointer to the "column_info" structure in the "frame_data"
structure to the "packet_info" structure; only stuff that's permanently
stored with each frame should be in the "frame_data" structure, and the
"column_info" structure is not guaranteed to hold the column values for
that frame at all times - it was only in the "frame_data" structure so
that it could be passed to dissectors, and, as all dissectors are now
passed a pointer to a "packet_info" structure, it could just as well be
put in the "packet_info" structure.

That saves memory, by shrinking the "frame_data" structure (there's one
of those per frame), and also lets us clean up the code a bit.

svn path=/trunk/; revision=4370
2001-12-10 00:26:21 +00:00
Guy Harris 6b253331f0 Support for reassembly of DCERPC over SMB, from Ronnie Sahlberg.
svn path=/trunk/; revision=4335
2001-12-05 08:20:30 +00:00
Guy Harris a4bc234f2d Add { 0, NULL } terminators to some "value_string" arrays lacking them.
Make some static that don't need to be exported.

svn path=/trunk/; revision=4288
2001-11-27 22:37:20 +00:00
Guy Harris 5613c7d37a When returning the length of the DCE RPC PDU, add 4 if the packet was
preceded by 4 bytes of zero padding.

svn path=/trunk/; revision=4287
2001-11-27 11:01:35 +00:00
Guy Harris f78a1f548b Rename the heuristic dissector table "msrpc" to "smb_transact", to
indicate that it's to be used for SMB transactions; a different table,
using different dissectors, would be needed for, say, reads and writes
over a named pipe, as those are byte streams and SMB transactions are
packets, so the dissectors for the first one need to worry about
multiple PDUs per segment and desegmentation, while the dissectors for
the second one don't - and, in fact, can't do desegmentation stuff.

svn path=/trunk/; revision=4286
2001-11-27 09:37:18 +00:00
Guy Harris 5ebf118bf3 From Todd Sabin:
	o Modifies the dcerpc handoff to subdissectors slightly.  It
	  also needs to pass the data representation to the
	  subdissector.  Also, if no subdissector is found, it puts a
	  "Stub data" entry in the tree.

	o Adds optional TCP desegmentation to the dcerpc layer.  Note
	  that dcerpc has its own ability to fragment PDUs.  This isn't
	  for dealing with that, but with the case of a single PDU being
	  broken over more than one TCP segment.

	o Adds a little bit of dissection to packet-dcerpc-epm.c.
	  Mainly just proof of concept for the dcerpc handoff stuff.
	  (Writing this is how I realized the need for the drep.)

	o Adds packet-dcerpc-ndr.c, which will contain NDR dissection
	  routines for use by subdissectors.

Also, support added for multiple PDUs per segment for DCERPC-over-TCP
(and, potentially, other byte-stream transports).

svn path=/trunk/; revision=4285
2001-11-27 09:27:29 +00:00
Guy Harris 8c358fd83e From Tim Potter: use the FID, for DCE RPC-over-SMB, as part of the
conversation matching.

svn path=/trunk/; revision=4220
2001-11-18 22:44:08 +00:00
Guy Harris 32a71dbac1 From Tim Potter: added code to call request and reply subdissectors in DCE
RPC.

svn path=/trunk/; revision=4195
2001-11-12 09:04:11 +00:00
Guy Harris 6ff9b3366e Support for DCE RPC atop SMB, and support for several Microsoft DCE RPC
services used with SMB, from Tim Potter.

svn path=/trunk/; revision=4194
2001-11-12 08:58:45 +00:00
Guy Harris c8a0ae1bc1 Update from Todd Sabin to the data representation decoding:
	Fixes a typo in the offset used for the floating point byte
	(offset should be offset+1), changes cn_drep* to just drep*
	(since it's the same for connection oriented and connectionless
	packets), and adds the corresponding code to the connectionless
	side of things.

svn path=/trunk/; revision=3998
2001-10-05 20:25:41 +00:00
Guy Harris 0e12636ce2 For requests and responses for unknown interfaces, put an entry into the
DCE RPC protocol tree for the stub data.

Use the counts of context items and transfer syntax items when
dissecting a bind or alter context PDU.

In bind and alter context PDUs, create the conversation, attach the
context ID and interface to it, and put the interface information into
the Info column as soon as the first context item is dissected, so that
if we get an exception after that, we've still processed the context ID
and interface information.

Use the count of results when dissecting a bind ack PDU.

In bind ack PDUs, dissect the transfer syntax and syntax version fields,
and put the opnum and context ID information into the Info column as
soon as it's dissected.

When dissecting a connection-oriented request or response, don't make
the tvbuff the full fragment length if we don't have that much data in
the frame being dissected.  (We should do TCP reassembly there,
eventually.)

In connection-oriented response PDUs, put the opnum and context ID
information into the Info column as soon as it's dissected.

svn path=/trunk/; revision=3982
2001-09-30 21:56:24 +00:00
Richard Sharpe 9668f4b90e Committing Pasi Eronen's patches to dcerpc.
svn path=/trunk/; revision=3980
2001-09-30 13:48:20 +00:00
Guy Harris 44e672ab42 From Todd Sabin: dissect the auth info in connection oriented dcerpc
packets.

Make a "dissect_netbios_payload()" routine, called from the
NetBIOS-over-802.2 (NBF), NetBIOS-over-IPX, and NetBIOS-over-TCP
dissectors.  Take Todd Sabin's changes to add a heuristic dissector list
to the NBSS dissector, and apply them to "dissect_netbios_payload()"
instead.  Make the SMB dissector heuristic, returning FALSE if it
doesn't see 0xFF S M B at the beginning of the packet, and have
"dissect_netbios_payload()" first try the heuristic dissector list, then
try the SMB dissector if no other heuristic dissector claims the packet,
then just dissect the payload as data.

From Todd Sabin: have the DCE/RPC dissector register as a heuristic
dissector for NetBIOS.

svn path=/trunk/; revision=3969
2001-09-28 22:43:57 +00:00
Guy Harris 3388bde488 Instead of having a single datum attached to a conversation, have a list
of protocol-id-plus-datum pairs, so that multiple protocols can attach
information to the same conversation.

Dissectors that attach information to a conversation should not assume
that if they find a conversation it has one of its data attached to it;
the conversation might've been created by another dissector.

svn path=/trunk/; revision=3901
2001-09-03 10:33:12 +00:00
Guy Harris e8f355969f Not all C compilers allow C++-style comments.
svn path=/trunk/; revision=3685
2001-07-11 04:49:34 +00:00
Guy Harris 317a2651f9 Support for dissectors of protocols running atop DCE RPC registering
themselves with the DCE RPC dissector, and support for some of the
protocols atop DCE RPC that are part of DCE RPC, from Todd Sabin.

svn path=/trunk/; revision=3681
2001-07-11 01:25:45 +00:00
Guy Harris 8412393197 From Joerg Mayer: explicitly fill in all members of a
"header_field_info" structure, including the ones that are later set by
the routines to register fields.

svn path=/trunk/; revision=3561
2001-06-18 02:18:27 +00:00
Guy Harris c3271d0a76 More signed-vs-unsigned changes from Joerg Mayer.
svn path=/trunk/; revision=3386
2001-04-27 01:27:37 +00:00
Guy Harris 88ba07d41b DCE RPC updates from Todd Sabin.
svn path=/trunk/; revision=3338
2001-04-19 23:39:27 +00:00
Guy Harris 8e268424e1 Change some "MSRPC"s to "DCERPC"s.
There's no need to clear the Info column right before setting it; we
don't use any information from the packet other than stuff we've already
determined is there (as part of the heuristic test for a DCE RPC
packet), so there's no risk that we'll throw an exception before the
Info column is set.

Use "col_set_str()", rather than "col_add_str()" or "col_add_fstr()", to
set the Protocol and Info columns.

svn path=/trunk/; revision=3145
2001-03-18 02:34:50 +00:00
Guy Harris 212a090f0c DCE RPC support, from Todd Sabin.
svn path=/trunk/; revision=3144
2001-03-18 02:13:33 +00:00