Bhatia, Deepak wrote:
> We want to build a software package which can decode the
> recorded traces of DCE RPC protocol between Client and Server.
> Also the software package should be able to handle run time
> features of the DCE RPC Protocol which we call as dynamic session
> variables.
> I want to do what this paper describes.
"This paper" presumably refers to the attached paper.
Unfortunately, the attachment is in Microsoft's TNEF (Transport-Neutral
Encapsulation Format).
Fortunately, I happen to have an application on my Mac called "TNEF's
Enough" to extract it; there's also a command-line tool I used when I
was using FreeBSD to read my mail.
The references to "Mac" and "FreeBSD", however, mean "not Windows"; if
one can configure one's Windows mail software *not* to use TNEF, that'd
probably make it easier for the many many non-Windows users on this list
to read attachments.
The paper in question is "An Environment for 'Sniffing' DCE-RPC
Traffic", available at
http://www.citi.umich.edu/techreports/reports/citi-tr-93-4.pdf
What it describes is
1) using a 1993-vintage version of the Network General Sniffer, which
didn't include a DCE RPC dissector, so they had to write a DCE RPC
dissector for it, *and*, apparently, had to hack in support for what're
called "heuristic" dissectors, in order to handle the fact that DCE RPC
can use arbitrary ports - they also modified the OSF's IDL compiler to
generate dissectors for particular DCE RPC-based protocols based on the
OSF IDL for the protocol;
2) modifying AIX's ipreport program to do similar types of DCE RPC
dissection.
Ethereal already *has* a DCE RPC dissector, which is a heuristic
dissector, so Ethereal already *has* much of what the paper describes.
Ronnie's been working on something to take Samba IDL for DCE RPC-based
protocols and generate dissectors for those protocols; the dissectors we
have for DCE RPC-based protocols were written by hand.
So Ethereal can already "decode the recorded traces of DCE RPC protocol
between Client and Server" to the extent of being able to dissect the
DCE RPC protocol itself. If Ethereal also has a dissector for the
*particular* DCE RPC-based protocol being used, it can dissect that
protocol as well; if it doesn't have such a dissector, it will only
dissect the DCE RPC headers, not the stub data in calls and replies.
I don't know what the "run time features of the DCE RPC Protocol which
we call as dynamic session variables" are - Googling for

    "dynamic session variable" dce

and

    "dynamic session variable" dcerpc

found nothing - so I can't say whether Ethereal already supports that or
not.
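As an added illustration (not code from this thread, from the paper, or from Ethereal itself) of what the heuristic DCE RPC dissection described above amounts to: the parser below identifies a connection-oriented DCE RPC PDU regardless of the TCP port, dissects the common header, learns the interface UUID per presentation context from bind PDUs, and for a request reports the opnum and stub length but leaves the stub data opaque, since decoding that needs the particular interface's IDL. The interface UUID and the PDU bytes are constructed for the example, not taken from a real capture.

```python
import struct
import uuid
# Connection-oriented DCE RPC PDU types (DCE 1.1 RPC spec, chapter 12).
PTYPES = {0: "request", 2: "response", 3: "fault", 11: "bind", 12: "bind_ack",
          13: "bind_nak", 14: "alter_context", 15: "alter_context_resp"}

def endian(payload):
    return "<" if payload[4] & 0x10 else ">"   # packed_drep byte 0, bit 4: 1 = little-endian integers

def looks_like_dcerpc(payload):
    """Port-independent (heuristic) test: version 5.0/5.1, known PDU type, frag_length == bytes present."""
    if len(payload) < 16:
        return False
    frag_len = struct.unpack_from(endian(payload) + "H", payload, 8)[0]
    return payload[0] == 5 and payload[1] in (0, 1) and payload[2] in PTYPES and frag_len == len(payload)

def parse_pdu(payload, contexts):
    """Dissect the 16-byte common header plus what the PDU type allows. `contexts` is per-connection
    state (context id -> interface UUID from bind PDUs); without it an opnum is not tied to an interface."""
    if not looks_like_dcerpc(payload):
        return None
    e = endian(payload)
    _v, _m, ptype, flags, _drep, frag_len, auth_len, call_id = struct.unpack_from(e + "BBBB4sHHI", payload, 0)
    pdu = {"ptype": PTYPES[ptype], "call_id": call_id}
    if ptype == 11:                      # bind: each context carries abstract syntax = interface UUID + version
        off = 28                         # after max_xmit_frag, max_recv_frag, assoc_group_id, n_context_elem
        for _ in range(payload[24]):
            ctx_id, n_ts = struct.unpack_from(e + "HBx", payload, off)
            raw = payload[off + 4:off + 20]
            contexts[ctx_id] = str(uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw))
            off += 24 + 20 * n_ts        # each transfer syntax is uuid(16) + version(4)
        pdu["contexts"] = dict(contexts)
    elif ptype == 0:                     # request: alloc_hint, p_cont_id, opnum, [object uuid], stub data
        _alloc, ctx_id, opnum = struct.unpack_from(e + "IHH", payload, 16)
        stub_off = 24 + (16 if flags & 0x80 else 0)   # PFC_OBJECT_UUID
        trailer = 8 + auth_len if auth_len else 0     # sec_trailer + auth value, when present
        pdu.update(interface=contexts.get(ctx_id), opnum=opnum, stub_len=frag_len - stub_off - trailer)
    return pdu                           # stub data itself is left opaque: decoding it needs the interface's IDL

def build_sample():
    """Constructed two-PDU exchange (not a real capture): bind to a hypothetical interface, then request opnum 3."""
    iface = uuid.UUID("12345678-1234-abcd-ef00-0123456789ab")   # hypothetical interface UUID
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")     # NDR transfer syntax, version 2
    def pdu(ptype, body, call_id):
        return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\0\0\0", 16 + len(body), 0, call_id) + body
    bind = (struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + struct.pack("<HBB", 1, 1, 0)
            + iface.bytes_le + struct.pack("<I", 1) + ndr.bytes_le + struct.pack("<I", 2))
    stub = bytes(range(8))
    return [pdu(11, bind, 1), pdu(0, struct.pack("<IHH", len(stub), 1, 3) + stub, 2)]
```

Feeding the two PDUs through parse_pdu with one shared contexts dict reproduces the split the reply describes: the DCE RPC layer is fully dissected, while the 8 stub bytes are only measured, not decoded.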