Ethereal-dev: RE: [Ethereal-dev] Re: DCE RPC

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Bhatia, Deepak" <Deepak.Bhatia@xxxxxxxxx>
Date: Mon, 30 May 2005 13:41:31 +0530
No, we don't want to build a module for ethereal. We have an application called HP Openview
which uses the application layer protocol DCE RPC to communicate.
 
Now we have traces which are communication between HP Openview client (Network Manager)
and HP Openview server (Agents).
 
Our plugin should be able to decode the DCE RPC protocol communication traces between
Network Manager and Agent.
 
Regards
 
Deepak Bhatia

________________________________

From: ethereal-dev-bounces@xxxxxxxxxxxx on behalf of ronnie sahlberg
Sent: Mon 5/30/2005 1:31 PM
To: Bhatia, Deepak
Cc: Ethereal development
Subject: Re: [Ethereal-dev] Re: DCE RPC



ok,

so what you essentially want to do is
build a module for ethereal that can replay recorded DCERPC sequences
to a DCERPC server.

I assume this is in order to replay DCERPC transactions between a host
running the PSR application and either a windows host or a unix dce/dfs implementation
(since these are the only widely used DCE implementations today in
existence (well, unix dce/dfs is not exactly in wide use, but anyway)).

This is virtually impossible.
In both cases, before you can issue or replay any commands whatsoever
to the DCE endpoint, you must authenticate.
Authentication involves in both cases the generation of GSS-KRB tokens,
which is impossible unless you know the plaintext password or have
access to the (in the case of dce/dfs) keytab file for the host.

GSS-KRB has replay protection, so it is just not possible to replay a
captured authentication token. GSS-KRB would be pointless if it didn't.


The only way in theory that would work would be to
start by a full blown dce implementation, then add a lot of code to
intercept and decode all data structures.
Then, using the plaintext password (which can not be extracted from
the capture), generate completely new authentication tokens,
remarshalling the packets etc.

It is just impossible to replay DCE sessions.



Why do you want to replay DCE sessions?
Without knowing the plaintext password of the host whose traffic you
want to replay, or the secret keytab file of that host, any and all
replaying of packets would be equivalent to launching a flood ping to
the receiving host.






On 5/30/05, Bhatia, Deepak <Deepak.Bhatia@xxxxxxxxx> wrote:
>
> Hi Ronnie,
>
> Below I mention what I intend to do. Regards, Deepak
>
> A key component of the is the Protocol Sequence Replayer (PSR). The job of the PSR is to take a
> set of recorded traces and create a replay sequence against a machine similar to the
> destination system in the protocol sequences.
>
>
> The first task requires the ability to decode all protocol fields in the various packet types used in the DCE RPC protocol.
>
> This implies reverse-engineering these fields for protocols that are not fully or adequately documented.
>
> Typically, these are the protocols that are embedded in widely used software, such as the
> various versions of the Windows operating system, the various versions of the Linux operating system,
> Oracle database software etc.
>
>
>
> The second task requires understanding which fields in the protocol are Dynamic Session Variables.
> A dynamic session variable is a field whose value may change in multiple identical runs of
> the same protocol sequence. Examples of dynamic session variables include the dynamically assigned
> TCP port for FTP data channels, session or transaction IDs in RPC or database protocols, dynamically
> assigned ports in RPC protocols, etc. Once a set of DSVs have been identified for a protocol,
> the plug-in needs to be able to dynamically substitute these values from recorded traces into the
> packets that are sent for replay based on the requirements of the protocol.
>
> Regards
>
> Deepak Bhatia
>
>
>
>
> ________________________________
>
> From: ethereal-dev-bounces@xxxxxxxxxxxx on behalf of ronnie sahlberg
> Sent: Sun 5/29/2005 11:45 AM
> To: Ethereal development
> Subject: [Ethereal-dev] Re: DCE RPC
>
>
>
> What are you planning to do?
> Your question seems to indicate you want to build a freestanding
> dce/rpc implementation, something that is impossible with the ethereal
> code.
>
> Yes, ethereal does contain dce/rpc code, lots of it.
> However, the problem space ethereal faces is vastly different from a
> freestanding dce implementation, thus the dce support in ethereal is
> factored to only address the very limited requirements of ethereal.
> The ethereal dce implementation is a very reduced functionality
> implementation that is focused on ONLY providing unmarshalling of data
> and nothing else.
> It does this quite well however, but a full implementation of dce
> mandates a completely different implementation.
>
> Full dce and runtime is a major undertaking, I estimate it would take
> for someone good and very experienced in dce about 2 man years to
> build.
> 20+ man-years if the implementors are not very good or not familiar with dce.
> Compare this with the adapted-to-ethereal's-problem-space
> implementation of base dce that only took ~6 man-months all in all to
> write, including a whole bunch of actual dce interfaces/protocols.
>
>
> Ethereal's dce source code can be used to implement a dce dissector for
> ethereal, no more, no less. If you want to do anything beyond building a
> dce-interface dissector for ethereal, the source code for dce in
> ethereal is of no use for you.
>
>
> Please qualify your question:
> exactly what do you want to do with the source code in ethereal for DCE?
> 1. build a dissector for a dce interface for ethereal? yes, that is easy.
> 2. build a dce runtime and environment to interact in a dce
> environment? no, that is impossible.
>
> Ethereal sourcecode for dce is complete enough for ethereal
> unmarshalling-only use and can even handle full pointers properly,
> something which not even the MS implementation can do.
> But it is factored and limited in such a way that any use beyond that
> is impossible.
>
>
> If you want a full freestanding dce implementation that actually
> talks and interacts in a dce environment, it is better to start from
> scratch.
> (yes, Guy mentioned the now released full implementation from
> TheOpenGroup, but if you look at that code that is designed by committee,
> it is still quicker to start from scratch and probably better
> quality as well, unless your developers have suboptimal experience)
> ((my brain is still hurting from looking briefly at the DCE code from
> them a few years ago))
>
>
> On 5/29/05, Bhatia, Deepak <Deepak.Bhatia@xxxxxxxxx> wrote:
> > Hi,
> >
> > I am not able to understand "but only for unmarshalling
> > of dce interfaces" ?
> >
> > Regards
> >
> > Deepak
> >
> >
> > -----Original Message-----
> > From: ethereal-dev-bounces@xxxxxxxxxxxx on behalf of Bhatia, Deepak
> > Sent: Fri 5/27/2005 3:57 PM
> > To: ronnie sahlberg; Ethereal development
> > Subject: RE: [Ethereal-dev] Re: DCE RPC
> >
> > Hi,
> >
> > Can we get the protocol parameters by unmarshalling the dce rpc interfaces
> > and do dissection of the protocol?
> >
> > Regards
> >
> > Deepak Bhatia
> >
> > -----Original Message-----
> > From: ethereal-dev-bounces@xxxxxxxxxxxx
> > [mailto:ethereal-dev-bounces@xxxxxxxxxxxx]On Behalf Of ronnie sahlberg
> > Sent: Friday, May 27, 2005 3:55 PM
> > To: Ethereal development
> > Subject: [Ethereal-dev] Re: DCE RPC
> >
> >
> > yes,
> > but only for unmarshalling of dce interfaces.
> >
> > it can not be used for a freestanding implementation since the
> > standard runtime and marshalling has not been implemented and would be
> > useless bloat for ethereal anyway.
> >
> >
> > On 5/27/05, Bhatia, Deepak <Deepak.Bhatia@xxxxxxxxx> wrote:
> > > Hi,
> > >
> > > Do we have source code available for DCE RPC in ethereal ?
> > >
> > > Regards
> > >
> > > Deepak Bhatia
> > > Software Consultant
> > > Patni Computer Systems Limited
> > > A-39/40, Sector 16, Noida, 201301
> > > Ph. 91 120 2516 880-3
> > > Fax. 91 120 2516 890
> > > Mobile. 91 98111 96957
> > >
> > >
> > > http://www.patni.com
> > > World-Wide Partnerships. World-Class Solutions.
> > > _____________________________________________________________________
> > >
> > > This e-mail message may contain proprietary, confidential or legally
> > > privileged information for the sole use of the person or entity to
> > > whom this message was originally addressed. Any review, e-transmission
> > > dissemination or other use of or taking of any action in reliance upon
> > > this information by persons or entities other than the intended
> > > recipient is prohibited. If you have received this e-mail in error
> > > kindly delete  this e-mail from your records. If it appears that this
> > > mail has been forwarded to you without proper authority, please notify
> > > us immediately at Netadmin@xxxxxxxxx and delete this mail.
> > > _____________________________________________________________________
> > >
> > >
> >
> > _______________________________________________
> > Ethereal-dev mailing list
> > Ethereal-dev@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-dev
> >
> >
>
>
>
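The replay protection Ronnie relies on above, modelled as a Kerberos-style replay cache in Python. This is an added example, not code from Ethereal or from anyone in the thread; the authenticator fields, the principal names and the five-minute skew window are assumptions patterned on KRB_AP_REQ handling, and the tokens are constructed inline.

```python
from dataclasses import dataclass, field

MAX_SKEW = 300  # seconds; assumed 5-minute clock-skew allowance, as Kerberos deployments commonly use


@dataclass(frozen=True)
class Authenticator:
    # What the service sees after decrypting a GSS-KRB AP-REQ (simplified, assumed fields).
    client: str       # client principal
    ctime: int        # client timestamp, seconds since epoch
    cusec: int        # microsecond part of the timestamp
    ticket_hash: str  # stands in for the service-ticket bytes (constructed value)


@dataclass
class ReplayCache:
    seen: dict = field(default_factory=dict)  # (client, ctime, cusec, ticket) -> expiry time

    def check(self, a: Authenticator, now: int) -> str:
        # 1. Clock-skew check: a stale (or future-dated) authenticator is refused outright,
        #    which bounds how long the cache has to remember anything.
        if abs(now - a.ctime) > MAX_SKEW:
            return "reject: clock skew"
        # 2. Drop cache entries whose window has passed.
        for k in [k for k, expiry in self.seen.items() if expiry <= now]:
            del self.seen[k]
        # 3. Replay check: the same authenticator presented twice inside the window is refused.
        k = (a.client, a.ctime, a.cusec, a.ticket_hash)
        if k in self.seen:
            return "reject: replay"
        self.seen[k] = now + MAX_SKEW
        return "accept"


def simulate() -> list:
    """Walk through the thread's scenario: a captured token re-sent to the server."""
    cache = ReplayCache()
    captured = Authenticator("nm-client@EXAMPLE.COM", 1000, 42, "ticket-bytes-constructed")
    results = [cache.check(captured, now=1001)]          # the live session: accepted
    results.append(cache.check(captured, now=1010))      # the capture replayed seconds later
    results.append(cache.check(captured, now=1300))      # replayed at the edge of the window
    results.append(cache.check(captured, now=1000 + 3600))  # replayed an hour later
    # A genuinely new authenticator from the same client (fresh timestamp) still works.
    fresh = Authenticator("nm-client@EXAMPLE.COM", 1005, 7, "ticket-bytes-constructed")
    results.append(cache.check(fresh, now=1006))
    return results
```

Each "reject" is also the event a service would log, which is how a replay attempt shows up on the receiving side.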
