Ethereal-dev: Re: [Ethereal-dev] Patch to packet-dcerpc-oxid.c
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Yaniv Kaul <ykaul@xxxxxxxxxxxx>
Date: Wed, 24 Sep 2003 09:46:12 +0200
Strange, I've had that file attached. Anyway, please find both files - this time diff'ed against 0.9.15. Y. Guy Harris wrote:
On Sep 23, 2003, at 4:45 AM, Yaniv Kaul wrote:This patch adds the almost full dissection of OXID operation #5. 1. I don't know what operation it is, exactly (hence '#5'...).2. I've got two 8 bytes arrays which I'm not sure of their functionality.Otherwise, the packet is fully dissected. In addition, I've added packet-dcerpc-dcom.h...but it's not attached to your message.
--- packet-dcerpc-oxid.orig.c Tue Sep 23 13:48:29 2003 +++ packet-dcerpc-oxid.c Tue Sep 23 13:58:26 2003 @@ -2,7 +2,7 @@ * Routines for DCOM OXID Resolver * Copyright 2001, Todd Sabin <tas@xxxxxxxxxxx> * - * $Id: packet-dcerpc-oxid.c,v 1.7 2003/08/04 02:49:02 tpot Exp $ + * $Id: packet-dcerpc-oxid.c,v 1.6 2003/06/26 04:30:28 tpot Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs <gerald@xxxxxxxxxxxx> @@ -32,21 +32,206 @@ #include <glib.h> #include <epan/packet.h> #include "packet-dcerpc.h" +#include "packet-dcerpc-dcom.h" +#include "packet-smb-common.h" static int proto_oxid = -1; static int hf_opnum = -1; +static int hf_COMVERSION_MjrVer = -1; +static int hf_COMVERSION_MnrVer = -1; +static int hf_wNumEntries = -1; +static int hf_wSecurityOffset = -1; +static int hf_wTowerId = -1; +static int hf_aNetworkAddr = -1; +static int hf_wAuthnSvc = -1; +static int hf_wAuthzSvc = -1; +static int hf_aPrinceName = -1; +static int hf_Unknown1 = -1; +static int hf_Unknown2 = -1; static gint ett_oxid = -1; static e_uuid_t uuid_oxid = { 0x99fcfec4, 0x5260, 0x101b, { 0xbb, 0xcb, 0x00, 0xaa, 0x00, 0x21, 0x34, 0x7a } }; static guint16 ver_oxid = 0; +static const char * +authz_val2str(unsigned short authz) { + switch (authz) { + case 0: + return "RPC_C_AUTHZ_NONE"; + break; + case 1: + return "RPC_C_AUTHZ_NAME"; + break; + case 2: + return "RPC_C_AUTHZ_DCE"; + break; + case 0xffff: + return "Default"; + break; + default: + return "Unknown"; + break; + } +} + +static const char * +authn_val2str(unsigned short authn) { + switch (authn) { + case 0: + return "RPC_C_AUTHN_NONE"; + break; + case 1: + return "RPC_C_AUTHN_DCE_PRIVATE"; + break; + case 2: + return "RPC_C_AUTHN_DCE_PUBLIC"; + break; + case 4: + return "RPC_C_AUTHN_DEC_PUBLIC"; + break; + case 9: + return "RPC_C_AUTHN_GSS_NEGOTIATE"; + break; + case 10: + return "RPC_C_AUTH_WINNT"; + break; + case 14: + return "RPC_C_AUTHN_GSS_SCHANNEL"; + break; + case 16: + return "RPC_C_AUTHN_GSS_KERBEROS"; + break; + case 17: + return "RPC_C_AUTHN_MSN"; + break; + case 18: + return "RPC_C_AUTHN_DPA"; + break; + case 100: + return "RPC_C_AUTHN_MQ"; + break; + case 0xffff: + return "RPC_C_AUTHN_DEFAULT"; + break; + default: + return "Unknown"; + break; + } +} + +static const char * +towerid_val2str(unsigned short tower) { + switch (tower) { + case 0x4: + return "NCACN_DNET_NSP"; + break; + case 0x7: + return "NCACN_IP_TCP"; + break; + case 0x8: + return "NCADG_IP_UDP"; + break; + case 0xC: + return "NCACN_SPX"; + break; + + case 0xD: + return "NCACN_NB_IPX"; + break; + case 0xE: + return "NCADG_IPX"; + break; + case 0x12: + return "NCACN_NB_NB"; + break; + case 0x1F: + return "NCACN_HTTP"; + break; + default: + return "Unknown"; + break; + } +} + +static int +oxid5_dissect_rply(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, char *drep) { + COMVERSION comver; + DUALSTRINGARRAY stringarray; + STRINGBINDING stringbind; + SECURITYBINDING securitybind; + proto_item *bind_hdr, *entries_hdr, *sec_hdr; + proto_tree *bind_tree, *entries_tree, *sec_tree; + char *aNetworkAddr = NULL; + char *aPrinceName = NULL; + unsigned short string_len = 0; + unsigned short security_len = 0; + unsigned char unknown1[8]; + unsigned char unknown2[8]; + + dissect_dcerpc_uint16(tvb, offset, pinfo, tree, drep, hf_COMVERSION_MjrVer, &comver.MajorVersion); + offset += sizeof(comver.MajorVersion); + + dissect_dcerpc_uint16(tvb, offset, pinfo, tree, drep, hf_COMVERSION_MnrVer, &comver.MinorVersion); + offset += sizeof(comver.MinorVersion); + + dissect_dcerpc_uint64(tvb , offset, pinfo, tree, drep, hf_Unknown1, unknown1); + + offset += sizeof(unknown1); /*FIXME - understand what those 8 bytes mean! don't skip'em!*/ + string_len = dcerpc_tvb_get_ntohs(tvb, offset, drep) * 2; + bind_hdr = proto_tree_add_text(tree, tvb, offset, (int)string_len, "DUALSTRINGARRAY structure"); + bind_tree = proto_item_add_subtree(bind_hdr, 0); + + dissect_dcerpc_uint16(tvb, offset, pinfo, bind_tree, drep, hf_wNumEntries, &stringarray.wNumEntries); + offset += sizeof(stringarray.wNumEntries); + + security_len = dcerpc_tvb_get_ntohs(tvb, offset, drep) * 2; + dissect_dcerpc_uint16(tvb, offset, pinfo, bind_tree, drep, hf_wSecurityOffset, &stringarray.wSecurityOffset); + offset += sizeof(stringarray.wSecurityOffset); + + entries_hdr = proto_tree_add_text(bind_tree, tvb, offset, (int)security_len, "STRING BINDING"); + entries_tree = proto_item_add_subtree(entries_hdr, 0); + + while(tvb_get_ntohs(tvb, offset) != 0) { // check that this is not terminating zero + + stringbind.wTowerId = dcerpc_tvb_get_ntohs(tvb, offset, drep); + proto_tree_add_text(entries_tree, tvb, offset, sizeof(stringbind.wTowerId), "Network Protocol ('TowerID'): %s (0x%x)",towerid_val2str(stringbind.wTowerId), stringbind.wTowerId); + + offset += sizeof(stringbind.wTowerId); + + offset = display_unicode_string(tvb, entries_tree, offset, hf_aNetworkAddr, &aNetworkAddr); + } + offset += 2; // hop over the extra terminating zero + + sec_hdr = proto_tree_add_text(bind_tree, tvb, offset, 0, "SECURITY BINDING"); + sec_tree = proto_item_add_subtree(sec_hdr, 0); + + while(tvb_get_ntohs(tvb, offset) != 0) { + securitybind.wAuthnSvc = dcerpc_tvb_get_ntohs(tvb, offset, drep); + proto_tree_add_text(sec_tree, tvb, offset, sizeof(securitybind.wAuthnSvc), "Authentication Service: %s (0x%x)",authn_val2str(securitybind.wAuthnSvc),securitybind.wAuthnSvc); + offset += sizeof(securitybind.wAuthnSvc); + + securitybind.wAuthzSvc = dcerpc_tvb_get_ntohs(tvb, offset, drep); + proto_tree_add_text(sec_tree, tvb, offset, sizeof(securitybind.wAuthzSvc), "Authorization Service: %s (0x%x)",authz_val2str(securitybind.wAuthzSvc),securitybind.wAuthzSvc); + offset += sizeof(securitybind.wAuthzSvc); + + offset = display_unicode_string(tvb, sec_tree, offset, hf_aPrinceName, &aPrinceName); + } + offset += 2; // hop over the extra terminating zero + + dissect_dcerpc_uint64(tvb, offset, pinfo, tree, drep, hf_Unknown2, unknown2); + offset += sizeof(unknown2); + return offset; +} + static dcerpc_sub_dissector oxid_dissectors[] = { { 0, "ResolveOxid", NULL, NULL }, { 1, "SimplePing", NULL, NULL }, { 2, "ComplexPing", NULL, NULL }, { 3, "ServerAlive", NULL, NULL }, + { 4, "Operation #4", NULL, NULL }, + { 5, "Oxid Operation #5", NULL, oxid5_dissect_rply }, { 0, NULL, NULL, NULL }, }; @@ -57,8 +242,29 @@ { &hf_opnum, { "Operation", "oxid.opnum", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_COMVERSION_MjrVer, + { "COM Major Version", "oxid5.com_mjr_ver", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_COMVERSION_MnrVer, + { "COM Minor Version", "oxid5.com_mnr_ver", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_wNumEntries, + { "Total Entries length (in 16 bytes blocks)", "oxid5.NumEntries", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_wSecurityOffset, + { "Offset of Security Binding (in 16 bytes blocks)", "oxid5.SecurityOffset", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_wTowerId, + { "Network Protocol ('TowerID')", "oxid5.wTowerId", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_aNetworkAddr, + { "Network Address ('aNetworkAddr')", "oxid5.aNetworkAddr", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, + { &hf_wAuthnSvc, + { "Authentication Service", "oxid5.AuthnSvc", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_wAuthzSvc, + { "Autherization Service", "oxid5.AuthzSvc", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_aPrinceName, + { "aPrinceName", "oxid5.aPrinceName", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, + { &hf_Unknown1, + { "unknown 8 bytes 1", "oxid5.unknown1", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_Unknown2, + { "unknown 8 bytes 2", "oxid5.unknown2", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }}, }; - static gint *ett[] = { &ett_oxid }; @@ -70,6 +276,14 @@ void proto_reg_handoff_oxid (void) { + header_field_info *hf_info; + /* Register the protocol as dcerpc */ dcerpc_init_uuid (proto_oxid, ett_oxid, &uuid_oxid, ver_oxid, oxid_dissectors, hf_opnum); + + /* Set opnum strings from subdissector list */ + + hf_info = proto_registrar_get_nth(hf_opnum); + hf_info->strings = value_string_from_subdissectors( + oxid_dissectors); //, array_length(oxid_dissectors)); }
typedef struct tagCOMVERSION { guint16 MajorVersion; guint16 MinorVersion; } COMVERSION; typedef struct tagORPC_EXTENT { e_uuid_t id; guint32 size; /* guint8 data[]; */ } ORPC_EXTENT; typedef struct tagORPC_EXTENT_ARRAY { guint32 size; guint32 reserved; ORPC_EXTENT **extent; } ORPC_EXTENT_ARRAY; typedef struct tagORPCTHIS { COMVERSION version; guint32 flags; guint32 reserved1; e_uuid_t cid; ORPC_EXTENT_ARRAY *extensions; } ORPCTHIS; typedef struct tagMInterfacePointer { guint32 ulCntData; /* guint8 abData[]; */ } MInterfacePointer, *PMInterfacePointer; typedef struct tagORPCTHAT { guint32 flags; ORPC_EXTENT_ARRAY *extensions; } ORPCTHAT; typedef struct tagSTRINGBINDING { unsigned short wTowerId; // Cannot be zero. unsigned short aNetworkAddr; // Zero terminated. } STRINGBINDING; typedef struct tagSECURITYBINDING { unsigned short wAuthnSvc; // Cannot be zero. unsigned short wAuthzSvc; // Must not be zero. unsigned short aPrincName; // Zero terminated. } SECURITYBINDING; typedef struct tagDUALSTRINGARRAY { unsigned short wNumEntries; // Number of entries in array. unsigned short wSecurityOffset; // Offset of security info. /* [size_is(wNumEntries)] unsigned short aStringArray[]; */ } DUALSTRINGARRAY;
- Follow-Ups:
- Re: [Ethereal-dev] Patch to packet-dcerpc-oxid.c
- From: Guy Harris
- Re: [Ethereal-dev] Patch to packet-dcerpc-oxid.c
- References:
- [Ethereal-dev] Patch to packet-dcerpc-oxid.c
- From: Yaniv Kaul
- Re: [Ethereal-dev] Patch to packet-dcerpc-oxid.c
- From: Guy Harris
- [Ethereal-dev] Patch to packet-dcerpc-oxid.c
- Prev by Date: Re: [Ethereal-dev] rtp_analysis again
- Next by Date: Re: [Ethereal-dev] First cut at H.450 dissector
- Previous by thread: Re: [Ethereal-dev] Patch to packet-dcerpc-oxid.c
- Next by thread: Re: [Ethereal-dev] Patch to packet-dcerpc-oxid.c
- Index(es):