epoch-in-seconds value and converts it to a string.
Use that routine in the RADIUS dissector, rather than using "ctime()"
and "tzname[]" - "tzname[]" strings might contain non-ASCII characters,
which currently give the GTK+ 1.3[.x] used on Windows, and also, I
think, GTK+ 2.x, heartburn, as they expect UTF-8, not, for example, ISO
8859/1.
Fix the string length in "abs_time_to_str()".
svn path=/trunk/; revision=7124
to be correct; remove the comment about what was there not matching.
Note that the PropertyValue item in a Write Property Value request
should perhaps be omitted if MoreFlag isn't set (it appears to be
garbage if it's not set).
svn path=/trunk/; revision=7123
Added name parameter and add_subtree boolean to dissect_SYSTEM_TIME()
Decorate COL_INFO with changeid and notify information for print
notify RPCs.
svn path=/trunk/; revision=7121
shouldn't require it to exist. Instead, as we're already checking
whether we can find <pcap.h> (which is the only thing we actually
include - we rely on it to include whatever BPF headers are necessary),
we print the big "are you sure you installed the development package?"
message if we don't find "pcap.h".
svn path=/trunk/; revision=7120
given IP address if:
the MAC address is non-unicast, not just if it's broadcast;
the MAC address is all zeroes;
the IP address is all zeroes.
*Do* tell the resolver code that the target MAC address corresponds to
the target IP address in ARP replies, as long as none of the above are
true - replies are the packets most likely to contain interesting target
address information.
svn path=/trunk/; revision=7116
Hooray - I think that's the last of the spoolss specific string routines
cleaned up.
Cleanup of print notify dissections:
- rename hf variable names
- added 'job total bytes' and 'job bytes printed' filter fields
- fixed bug dissecting job notify data introduced when converting to NDR
routines
- add hidden values for notify data so that filtering on (say) printer
name brings up notify data that references it
- decorate some higher level print notify proto_items to make things look
pretty
Add printer name to ReplyOpenPrinter policy handle name.
svn path=/trunk/; revision=7113
- display more data in COL_INFO
- replaced per-RPC level fields with generic spoolss.form.level one
- put the form type value string into the hf initialisation instead
of displaying it by hand using proto_tree_add_text
- added hidden field for all forms RPCs (filter on spoolss.form to get
all form related RPCs)
- removed useless dissect_form_name() function
svn path=/trunk/; revision=7111
adds 2 levels to the tree. Fix calls to it not to add 1 for that level.
The NT and LM challenges in a NETWORK_INFO structure are opaque arrays
of bytes, not Unicode strings; dissect them as such, adding a new
routine "dissect_ndr_counted_byte_array()" for that purpose.
Get rid of some extra colons in names - the colon is put there if a
string is appended, so putting a colon in there explicitly gives double
colons.
Decorate some higher-level tree nodes with strings.
svn path=/trunk/; revision=7107
guaranteed to be aligned on a 4-byte boundary, so, if we're not
dissecting an ACE from a DCE RPC request or reply, don't use
"dissect_ndr_uint32()" to extract the access mask. (Is it guaranteed to
be so aligned even if the ACE is part of a DCE RPC message? Or are ACLs
just opaque blobs from the point of view of DCE RPC?)
Use "%u", not "%d", to print unsigned quantities.
svn path=/trunk/; revision=7106
token-ring headers; sometimes a header might look mangled when it's not.
(It'd be nice if we could detect that from the capture file;
unfortunately, there are already both mangled Linux libpcap captures
and, presumably, un-mangled non-Linux libpcap captures with the same
DLT_ value.)
svn path=/trunk/; revision=7103
Properly display the reply to a Get Name Space Information request -
there is a sequence of name space names, and a sequence of pairs of
{associated name space, data stream name}, and there are also sequences
of name space index numbers, but if we try to display anything after the
list of loaded name spaces, nothing gets displayed at all.
svn path=/trunk/; revision=7101
of their value. Provide such a method for FT_BYTES, FT_UINT_BYTES,
and FT_ETHER. Have proto_alloc_dfilter_string() use the new methods.
This is part of a movement of ftype-related code out of proto.c and
into the ftype code. The immediate effect is that generated display
filters for long byte sequences don't incorrectly have trailing periods
("...") to indicate continuation.
svn path=/trunk/; revision=7100
adding 1 to them is incorrect (and cannot possibly be correct, as that'd
rule out 0 as valid values, meaning nothing can ever happen in the first
hour after midnight or in the first minute after the hour).
svn path=/trunk/; revision=7099
"dissect_ndr_char_cvstring()" and "dissect_ndr_wchar_cvstring()", to
indicate that they're for conformant varying strings.
Rename "dissect_ndr_character_array()" to "dissect_ndr_cvstring()", to
indicate that it's for conformant varying strings.
svn path=/trunk/; revision=7096
Comparing It Against An 8-bit Or Longer Length To Make Sure It Doesn't
Go Past The Length, because if the length is 255, it can't ever go past
it as it'll overflow if it does.
svn path=/trunk/; revision=7093
Rename "dissect_ndr_element_array()" to "dissect_ndr_character_array()",
move it out of "packet-dcerpc-nt.c" to "packet-dcerpc.c", and have it
use the standard DCE RPC array max count/offset/count fields rather than
their own private versions of those fields. Give it an option to create
a subtree, and an argument to specify the field to use for the actual
data buffer, and export it.
Move the routines for handling arrays of "char" and "wchar" as strings
out of "packet-dcerpc-nt.c" to "packet-dcerpc.c".
Add a routine to handle an array of "char" as an opaque blob of bytes.
Use "dissect_ndr_character_array()" to dissect character strings in MAPI
(the strings in question are ASCII, not Unicode), and use the routine to
handle an array of "char" as an opaque blob of bytes to dissect
encrypted data (again, it's bytes, not 16-bit quantities). Show them as
encrypted data, not unknown data.
Use "dissect_ndr_character_array()" to dissect a form name in
"dissect_form_name()" in the SPOOLSS dissector.
svn path=/trunk/; revision=7091
Dissection of security descriptors in SPOOLSS RPC calls now display
the correct meaning of the specific access mask bits.
svn path=/trunk/; revision=7087
Give dissect_nt_sec_desc() and dissect_nt_access_mask() a specific rights
function parameter for dissecting specific access rights.
Fix callers in packet-smb.c to use the new interface.
svn path=/trunk/; revision=7086
and in file attributes means "this is a subdirectory"; don't mix the
two.
The 1-byte and 2-byte search attributes appear to have the same bit
definitions (except, obviously, for those that are in the topmost byte).
svn path=/trunk/; revision=7083
the ones not specified as such when used), so declare them as such
rather than specifying them as such when used.
The SearchSequenceWord also appears to be big-endian.
Note that we're not cracking the bits of a DirectoryAttributes field.
The "Subdirectory" bit in search attributes is really "Subdirectories
Only", as in "just show me subdirectories".
Note some confusion about whether the bit numbers on the Novell Web site
for search attributes are bit numbers or bit flags.
Note that we appear to have gotten back attributes for a file rather
than a directory in at least one search that had "Subdirectories Only"
set - unless the problem is that the numbers in the Novell spec are bit
numbers rather than bit flags.
Update some items that claimed to have a 2-byte search attributes field
to have a 1-byte search attributes field instead, to match the spec on
the Novell site (of course, the spec could be wrong...).
svn path=/trunk/; revision=7081
Guy Harris