Ethereal-dev: Re: [Ethereal-dev] Re: DCE RPC

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 30 May 2005 01:09:19 -0700
Bhatia, Deepak wrote:


A key component of the is the Protocol Sequence Replayer (PSR).
A key component of what? (The CITI paper you sent just describes extending a 1993-vintage version of the Network General Sniffer software, and AIX's "iptrace", to decode DCE RPC-based protocols; it doesn't say anything about replaying traces, much less replaying operation sequences, so, for what you're describing, you need to do a *LOT* more than what that paper describes.) 


The first task requires the ability to decode all protocol fields in
the various packet types used in the DCE RPC protocol.
Ethereal can do that for fields in DCE RPC itself (at least to the extent that it's publicly specified, which it is for DCE RPC 1.1, although particular authentication flavors might not be documented)... 


This implies reverse-engineering these fields for protocols that are
not fully or adequately documented.
...but it can only do that for fields in protocols that *use* DCE RPC if they're documented or reverse-engineered. 


Typically, these are the protocols that are embedded in widely used
software, such as the various versions of the Windows operating system,
the various versions of the Linux operating system, Oracle database software etc.
What not-fully-documented DCE RPC protocols are used in Oracle? (The only ones I know of in Linux are those used by Samba, which are the Windows protocols.)
In any case, Ethereal knows nothing about replaying packet sequences. You could perhaps use Ethereal's dissectors to analyze DCE RPC-based protocols (if they're documented or reverse-engineered), but you'd have to write your own code either to modify those packets or to generate your own packets, and to send them - Ethereal contains no code whatsoever to help with that. 


The second task requires understanding which fields in the protocol
are Dynamic Session Variables. A dynamic session variable is a field
whose value may change in multiple identical runs of the same
protocol sequence. Examples of dynamic session variables include the
dynamically assigned TCP port for FTP data channels, session or
transaction IDs in RPC or database protocols, dynamically assigned
ports in RPC protocols, etc. Once a set of DSVs have been identified
for a protocol, the plug-in needs to be able to dynamically
substitute these values from recorded traces into the packets that
are sent for replay based on the requirements of the protocol.
Ethereal - and its dissectors - contain no code whatsoever to do any of that, nor does it have a framework for doing any of that. You would have to implement all of that yourself.
BTW, FTP is not a DCE RPC-based protocol; does this question really have anything to do with DCE RPC in particular, or is this really a question about Etheral dissectors as a whole? Even if it does, the same answers apply.