Ethereal-dev: [Ethereal-dev] Patch for dissecting HTTP over RPC
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Yaniv Kaul <ykaul@xxxxxxxxxxxx>
Date: Tue, 07 Dec 2004 22:56:38 +0200
Patches for packet-http.c, packet-dcerpc.c, packet-dcerpc-epm.c that add
dissection of RPC over HTTP.
In addition, the HTTP patch changes the 'Continuation' information to be
'Continuation or non HTTP traffic', which sometimes is the case...
Index: packet-dcerpc.c =================================================================== --- packet-dcerpc.c (revision 12680) +++ packet-dcerpc.c (working copy) @@ -4874,5 +4874,6 @@ heur_dissector_add ("netbios", dissect_dcerpc_cn_pk, proto_dcerpc); heur_dissector_add ("udp", dissect_dcerpc_dg, proto_dcerpc); heur_dissector_add ("smb_transact", dissect_dcerpc_cn_smbpipe, proto_dcerpc); + heur_dissector_add ("http", dissect_dcerpc_cn_bs, proto_dcerpc); dcerpc_smb_init(proto_dcerpc); }
Index: packet-http.c =================================================================== --- packet-http.c (revision 12680) +++ packet-http.c (working copy) @@ -347,7 +347,7 @@ col_add_str(pinfo->cinfo, COL_INFO, format_text(line, first_linelen)); else - col_set_str(pinfo->cinfo, COL_INFO, "Continuation"); + col_set_str(pinfo->cinfo, COL_INFO, "Continuation or non HTTP traffic"); } orig_offset = offset; @@ -1239,6 +1239,9 @@ } else if (strncmp(data, "UNSUBSCRIBE", index) == 0) { *type = HTTP_NOTIFICATION; isHttpRequestOrReply = TRUE; + } else if (strncmp(data, "RPC_CONNECT", index) == 0) { + *type = HTTP_REQUEST; + isHttpRequestOrReply = TRUE; } break;
Index: packet-dcerpc-epm.c =================================================================== --- packet-dcerpc-epm.c (revision 12680) +++ packet-dcerpc-epm.c (working copy) @@ -67,7 +67,7 @@ static int hf_epm_proto_ip = -1; static int hf_epm_proto_udp_port = -1; static int hf_epm_proto_tcp_port = -1; - +static int hf_epm_proto_http_port = -1; static gint ett_epm = -1; static gint ett_epm_tower_floor = -1; static gint ett_epm_entry = -1; @@ -273,7 +273,7 @@ #define PROTO_ID_UNIX_DOMAIN 0x20 #define PROTO_ID_NULL 0x21 #define PROTO_ID_NETBIOS_3 0x22 - +#define PROTO_ID_HTTP 0x1f static const value_string proto_id_vals[] = { { PROTO_ID_OSI_OID, "OSI OID"}, { PROTO_ID_DNA_SESSCTL, "DNA Session Control"}, @@ -303,6 +303,7 @@ { PROTO_ID_UNIX_DOMAIN, "Unix Domain Socket"}, { PROTO_ID_NULL, "null"}, { PROTO_ID_NETBIOS_3, "NetBIOS"}, + {PROTO_ID_HTTP, "RPC over HTTP"}, { 0, NULL}, }; @@ -415,7 +416,11 @@ proto_tree_add_item(tr, hf_epm_proto_netbios_name, tvb, offset, len, TRUE); proto_item_append_text(tr, "NetBIOS:%*s",MIN(len,tvb_length_remaining(tvb, offset)), tvb_get_ptr(tvb, offset, -1)); break; - + case PROTO_ID_HTTP: /* RPC over HTTP */ + proto_tree_add_item(tr, hf_epm_proto_http_port, tvb, offset, 2, FALSE); + proto_item_append_text(tr, "RPC over HTTP Port:%d", tvb_get_ntohs(tvb, offset)); + break; + default: if(len){ proto_tree_add_text(tr, tvb, offset, len, "not decoded yet"); @@ -707,6 +712,8 @@ { "UDP Port", "epm.proto.udp_port", FT_UINT16, BASE_DEC, NULL, 0x0, "UDP Port where this service can be found", HFILL }}, { &hf_epm_proto_tcp_port, { "TCP Port", "epm.proto.tcp_port", FT_UINT16, BASE_DEC, NULL, 0x0, "TCP Port where this service can be found", HFILL }}, + { &hf_epm_proto_http_port, + { "TCP Port", "epm.proto.http_port", FT_UINT16, BASE_DEC, NULL, 0x0, "TCP Port where this service can be found", HFILL }}, { &hf_epm_tower_rhs_len, { "RHS Length", "epm.tower.rhs.len", FT_UINT16, BASE_DEC, NULL, 0x0, "Length of RHS data", HFILL }}, { &hf_epm_tower_lhs_len,
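Review bot: in packet-dcerpc.c (@@ -4874), the added heur_dissector_add ("http", dissect_dcerpc_cn_bs, proto_dcerpc) only takes effect if packet-http.c owns a heuristic list named "http" and offers payloads to it, and neither packet-http.c hunk in this patch registers or calls such a list. Please confirm that the list already exists at revision 12680, or include the packet-http.c change that creates it and hands the body to it.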
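Review bot: in packet-http.c (@@ -1239), the new RPC_CONNECT branch has no comment saying what the verb is or why it is classed as HTTP_REQUEST, while the epm case in the same patch is annotated with /* RPC over HTTP */. A one-line comment here would help, and it is worth stating that the strncmp(data, "RPC_CONNECT", index) comparison relies on index being the full length of the string, as it is for the neighbouring "UNSUBSCRIBE" test, so that a shorter prefix cannot match.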
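Review bot: in packet-dcerpc-epm.c (@@ -273), PROTO_ID_HTTP 0x1f is defined after PROTO_ID_NETBIOS_3 0x22, out of numeric order with the visible 0x20, 0x21, 0x22 entries, and it replaces the blank line that separated the defines from proto_id_vals[]. Suggest moving the define ahead of PROTO_ID_UNIX_DOMAIN 0x20 and keeping the blank line; the same applies at @@ -67, where the new hf_epm_proto_http_port declaration swallows the blank line before the ett_ variables.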
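Review bot: in packet-dcerpc-epm.c (@@ -415), the new case PROTO_ID_HTTP reads a fixed 2 bytes at offset (proto_tree_add_item(..., offset, 2, FALSE) and tvb_get_ntohs(tvb, offset)) without looking at len, whereas the NetBIOS case just above uses len and the default case tests if(len). Suggest decoding the port only when len is 2 and otherwise falling back to the "not decoded yet" path, so a floor with an unexpected right-hand-side length is not shown as a port. The added line before default: also carries trailing whitespace.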
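Review bot: in packet-dcerpc-epm.c (@@ -707), the hf_epm_proto_http_port entry reuses the display name "TCP Port" and the blurb "TCP Port where this service can be found" from hf_epm_proto_tcp_port, so two different filter fields (epm.proto.tcp_port and epm.proto.http_port) appear under the same label in the tree. Suggest a distinct name and blurb, for example "HTTP Port", in line with the "RPC over HTTP Port:%d" text appended in the @@ -415 hunk.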