Ethereal-dev: Re: [Ethereal-dev] smb, dcerpc, having old-style dissector call a tvbuff one?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Tim Potter <tpot@xxxxxxxxxxx>
Date: Mon, 23 Jul 2001 08:28:13 +1000 (EST)
Todd Sabin writes:

> Cool.  Do you still have the patch lying around somewhere?  Can you
> send me what you've got so far?

OK - I'll send it in a separate email so as not to spam the
list too much.  It's kind of large.

> > I ended up getting annoyed at not having a DCE/RPC IDL compiler
> > that could generate a custom back end (i.e. an ethereal dissector)
> > so ethereal could become a better netmon.
> 
> Well, don't give up yet.  I don't have a full IDL compiler finished,
> but I don't think making ethereal better than netmon fairly soon
> requires that.  I don't think a similar beast exists for netmon,
> outside of MS, for example.  Do you know of one?

It will make it much, much easier though.  Trying to maintain
tens of thousands of lines of hand-marshalled code (i.e. the Samba MSRPC
implementation) is not much fun.

Microsoft use the MIDL.EXE compiler to produce stuff that
actually compiles but is pretty ugly looking.  Luke Leighton has
pointed out http://freedce.sourceforge.net/ which contains a
DCE/RPC IDL compiler for Unix.  I've yet to take a serious look
at it though.

> I find just having the names of the functions being called is a
> tremendous help.  I've written netmon parsers to do that for samr,
> winreg, and a few others.  Dissecting all the parameters would be
> ideal, of course, but even the parsers supplied with netmon often get
> those wrong.
> 
> Once these SMB issues are ironed out, I'll work up very basic
> dissectors for lsarpc, samr, winreg, wkssvc, etc.

I did a couple of lsa functions by hand - it was pretty cool
seeing ethereal decode them.  (-:

> I also want to replace packet-mapi with something that actually works,
> but that's separate from the SMB stuff.

You're halfway there to getting the MS DCE/RPC stuff going though.


Tim.

> Todd