Ethereal-dev: Re: [Ethereal-dev] Re: DCE RPC

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Mon, 30 May 2005 18:47:07 +1000
Previously you said you wanted to replay recorded DCE command
sequences, now you say you want to decode DCE packets for a certain
DCE interface?

You do not want to add this as a decode/dissector module for ethereal?
So to what tool/application do you plan to add this feature?

Anyway, if you change your mind and want to add decode of these
packets to ethereal what you need to do is:
1, reverse engineer the protocol used on top of DCE/RPC. I.e. not
DCE/RPC but the protocol used on top of DCE/RPC
2, use the reverse engineered data and produce an IDL protocol
interface description file.
3, use an idl compiler to compile the IDL definition into an ethereal
decoder/dissector.


I seriously doubt that HPOpenView is using DCE/RPC.


On 5/30/05, Bhatia, Deepak <Deepak.Bhatia@xxxxxxxxx> wrote:
> No we don't want to build a module for ethereal. We have an application called HP Openview
> which uses application layer protocol DCE RPC to communicate.
> 
> Now we have traces which are communication between HP Openview client (Network Manager)
> and HP Openview server (Agents).
> 
> Our plugin should be able to decode the DCE RPC protocol communication traces between
> Network Manager and Agent.
> 
> Regards
> 
> Deepak Bhatia
> 
> ________________________________
> 
> From: ethereal-dev-bounces@xxxxxxxxxxxx on behalf of ronnie sahlberg
> Sent: Mon 5/30/2005 1:31 PM
> To: Bhatia, Deepak
> Cc: Ethereal development
> Subject: Re: [Ethereal-dev] Re: DCE RPC
> 
> 
> 
> ok,
> 
> so what you essentially want to do is
> build a module for ethereal that can replay recorded DCERPC sequences
> to a DCERPC server.
> 
> I assume this is in order to replay DCERPC transactions between a host
> running the
> PSR application and either a windows host or a unix dce/dfs implementation
> (since these are the only widely used DCE implementations today in
> existence (well unix dce/dfs is not exactly in wide use but anyway)).
> 
> This is virtually impossible.
> In both cases before you can issue or replay any commands whatsoever
> to the DCE endpoint you must authenticate.
> Authentication in both cases involves generation of GSS-KRB tokens,
> which is impossible unless you know the plaintext password or have
> access to the (in case of dce/dfs) keytab file for the host.
> 
> GSS-KRB has replay protection so it is just not possible to replay a
> captured authentication token. GSS-KRB would be pointless if it didn't.
> 
> 
> The only way in theory that would work would be to
> start with a full blown dce implementation, then add a lot of code to
> intercept and decode all data structures.
> Then using the plaintext password (which can not be extracted from
> the capture) generate completely new authentication tokens,
> remarshalling the packets etc.
> 
> It is just impossible to replay DCE sessions.
> 
> 
> 
> Why do you want to replay DCE sessions?
> Without knowing the plaintext password of the host whose traffic you
> want to replay or the secret keytab file of that host, any and all
> replaying of packets would be equivalent to launching a flood ping to
> the receiving host.
> 
> 
> 
> 
> 
> 
> On 5/30/05, Bhatia, Deepak <Deepak.Bhatia@xxxxxxxxx> wrote:
> >
> > Hi Ronnie,
> >
> > Below mentions what I intend to do... Regards, Deepak
> >
> > A key component of the is the Protocol Sequence Replayer (PSR). The job of the PSR is to take a
> > set of recorded traces and create a replay sequence against a machine similar to the
> > destination system in the protocol sequences.
> >
> >
> > The first task requires the ability to decode all protocol fields in the various packet types used in the DCE RPC protocol.
> >
> > This implies reverse-engineering these fields for protocols that are not fully or adequately documented.
> >
> > Typically, these are the protocols that are embedded in widely used software, such as the
> > various versions of the Windows operating system, the various versions of the Linux operating system,
> > Oracle database software etc.
> >
> >
> >
> > The second task requires understanding which fields in the protocol are Dynamic Session Variables.
> > A dynamic session variable is a field whose value may change in multiple identical runs of
> > the same protocol sequence. Examples of dynamic session variables include the dynamically assigned
> > TCP port for FTP data channels, session or transaction IDs in RPC or database protocols, dynamically
> > assigned ports in RPC protocols, etc. Once a set of DSVs have been identified for a protocol,
> > the plug-in needs to be able to dynamically substitute these values from recorded traces into the
> > packets that are sent for replay based on the requirements of the protocol.
> >
> > Regards
> >
> > Deepak Bhatia
> >
> >
> >
> >
> > ________________________________
> >
> > From: ethereal-dev-bounces@xxxxxxxxxxxx on behalf of ronnie sahlberg
> > Sent: Sun 5/29/2005 11:45 AM
> > To: Ethereal development
> > Subject: [Ethereal-dev] Re: DCE RPC
> >
> >
> >
> > What are you planning to do?
> > Your question seems to indicate you want to build a freestanding
> > dce/rpc implementation, something that is impossible with the ethereal
> > code.
> >
> > Yes, ethereal does contain dce/rpc code, lots of it.
> > However, the problem space ethereal faces is vastly different from a
> > freestanding dce implementation, thus the dce support in ethereal is
> > factored to only address the very limited requirements of ethereal.
> > The ethereal dce implementation is a very reduced functionality
> > implementation that is focused on ONLY providing unmarshalling of data
> > and nothing else.
> > It does this quite well however, but a full implementation of dce
> > mandates a completely different implementation.
> >
> > Full dce and runtime is a major undertaking, I estimate it would take
> > for someone good and very experienced in dce about 2 man-years to
> > build.
> > 20+ man-years if the implementors are not very good or not familiar with dce.
> > Compare this with the adapted-to-ethereals-problem-space
> > implementation of base dce that only took ~6 man-months all in all to
> > write, including a whole bunch of actual dce interfaces/protocols.
> >
> >
> > Ethereal's dce source code can be used to implement a dce dissector for
> > ethereal, no more no less. If you want to do anything beyond building a
> > dce-interface dissector for ethereal, the source code for dce in
> > ethereal is of no use for you.
> >
> >
> > Please qualify your question:
> > exactly what do you want to do with the source code in ethereal for DCE?
> > 1, build a dissector for a dce interface for ethereal? yes that is easy.
> > 2, build a dce runtime and environment to interact in a dce
> > environment? no that is impossible.
> >
> > Ethereal source code for dce is complete enough for ethereal
> > unmarshalling-only use and can even handle full pointers properly,
> > something which not even the MS implementation can do.
> > But it is factored and limited in such a way that any use beyond that
> > is impossible.
> >
> >
> > If you want a full freestanding dce implementation that actually
> > talks and interacts in a dce environment it is better to start from
> > scratch.
> > (yes, Guy mentioned the now released full implementation from
> > TheOpenGroup but if you look at that code that is designed by committee
> > it is still quicker to start from scratch and probably better
> > quality as well unless your developers have suboptimal experience)
> > ((my brain is still hurting from looking briefly at the DCE code from
> > them a few years ago))
> >
> >
> > On 5/29/05, Bhatia, Deepak <Deepak.Bhatia@xxxxxxxxx> wrote:
> > > Hi,
> > >
> > > I am not able to understand "but only for unmarshalling
> > > of dce interfaces"?
> > >
> > > Regards
> > >
> > > Deepak
> > >
> > >
> > > -----Original Message-----
> > > From: ethereal-dev-bounces@xxxxxxxxxxxx on behalf of Bhatia, Deepak
> > > Sent: Fri 5/27/2005 3:57 PM
> > > To: ronnie sahlberg; Ethereal development
> > > Subject: RE: [Ethereal-dev] Re: DCE RPC
> > >
> > > Hi,
> > >
> > > Can we get the protocol parameters by unmarshalling the dce rpc interfaces
> > > and do dissection of the protocol?
> > >
> > > Regards
> > >
> > > Deepak Bhatia
> > >
> > > -----Original Message-----
> > > From: ethereal-dev-bounces@xxxxxxxxxxxx
> > > [mailto:ethereal-dev-bounces@xxxxxxxxxxxx]On Behalf Of ronnie sahlberg
> > > Sent: Friday, May 27, 2005 3:55 PM
> > > To: Ethereal development
> > > Subject: [Ethereal-dev] Re: DCE RPC
> > >
> > >
> > > yes,
> > > but only for unmarshalling of dce interfaces.
> > >
> > > it can not be used for a freestanding implementation since the
> > > standard runtime and marshalling has not been implemented and would be
> > > useless bloat for ethereal anyway.
> > >
> > >
> > > On 5/27/05, Bhatia, Deepak <Deepak.Bhatia@xxxxxxxxx> wrote:
> > > > Hi,
> > > >
> > > > Do we have source code available for DCE RPC in ethereal?
> > > >
> > > > Regards
> > > >
> > > > Deepak Bhatia
> > > > Software Consultant
> > > > Patni Computer Systems Limited
> > > > A-39/40, Sector 16, Noida, 201301
> > > > Ph. 91 120 2516 880-3
> > > > Fax. 91 120 2516 890
> > > > Mobile. 91 98111 96957
> > > >
> > > >
> > > > http://www.patni.com
> > > > World-Wide Partnerships. World-Class Solutions.
> > > > _____________________________________________________________________
> > > >
> > > > This e-mail message may contain proprietary, confidential or legally
> > > > privileged information for the sole use of the person or entity to
> > > > whom this message was originally addressed. Any review, e-transmission
> > > > dissemination or other use of or taking of any action in reliance upon
> > > > this information by persons or entities other than the intended
> > > > recipient is prohibited. If you have received this e-mail in error
> > > > kindly delete  this e-mail from your records. If it appears that this
> > > > mail has been forwarded to you without proper authority, please notify
> > > > us immediately at Netadmin@xxxxxxxxx and delete this mail.
> > > > _____________________________________________________________________
> > > >
> > > >
> > >
> > > _______________________________________________
> > > Ethereal-dev mailing list
> > > Ethereal-dev@xxxxxxxxxxxx
> > > http://www.ethereal.com/mailman/listinfo/ethereal-dev
> > >
> > >
> >
> >
> >
> 
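The first task Deepak describes (decoding the fields of each DCE RPC packet type) starts with the connection-oriented PDU header. As an added example, not code from the Ethereal project or from anyone in this thread, here is a Python parser for that header that honours the packed_drep byte-order flag, refuses to trust frag_length or auth_length without checking them against the captured bytes, and flags fragments that carry an authentication verifier (where the GSS-KRB tokens Ronnie mentions travel). The field layout follows the DCE 1.1 RPC specification; the three sample PDUs are constructed inline, not taken from any capture.

```python
import struct

# ptype values from the DCE 1.1 RPC spec for connection-oriented PDUs
PTYPE = {0: "request", 2: "response", 3: "fault", 11: "bind", 12: "bind_ack",
         13: "bind_nak", 14: "alter_context", 15: "alter_context_resp", 16: "auth3"}
PFC_OBJECT_UUID = 0x80   # pfc_flags bit: request carries a 16-byte object UUID after opnum
AUTH_VERIFIER_HDR = 8    # auth_type, auth_level, auth_pad_length, reserved, auth_context_id

def parse_co_header(pdu: bytes) -> dict:
    """Decode the 16-byte common header (plus request fields); ValueError on malformed input."""
    if len(pdu) < 16:
        raise ValueError("short PDU: common header needs 16 bytes")
    if pdu[0] != 5:
        raise ValueError("rpc_vers %d is not DCE/RPC v5" % pdu[0])
    # packed_drep[0] high nibble selects integer byte order: 1 = little-endian, 0 = big-endian
    endian = "<" if pdu[4] >> 4 == 1 else ">"
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    # a dissector must trust neither length field: both are sender controlled
    if frag_length < 16 or frag_length > len(pdu):
        raise ValueError("frag_length %d inconsistent with %d captured bytes" % (frag_length, len(pdu)))
    if auth_length and frag_length < 16 + AUTH_VERIFIER_HDR + auth_length:
        raise ValueError("auth_length %d does not fit in the fragment" % auth_length)
    hdr = {"ptype": PTYPE.get(pdu[2], "unknown(%d)" % pdu[2]), "pfc_flags": pdu[3],
           "little_endian": endian == "<", "frag_length": frag_length,
           "auth_length": auth_length, "call_id": call_id,
           "authenticated": auth_length > 0}   # auth verifier (e.g. a GSS-KRB token) present
    if pdu[2] == 0:   # request: alloc_hint, p_cont_id, opnum, optional object UUID
        if frag_length < 24:
            raise ValueError("request PDU shorter than 24 bytes")
        hdr["alloc_hint"], hdr["p_cont_id"], hdr["opnum"] = struct.unpack(endian + "IHH", pdu[16:24])
        if pdu[3] & PFC_OBJECT_UUID:
            if frag_length < 40:
                raise ValueError("object UUID flagged but fragment too short")
            hdr["object_uuid"] = pdu[24:40].hex()
    return hdr

def pdu_error(pdu: bytes):
    """None if the PDU header parses cleanly, else the reason (handy when filtering a trace)."""
    try:
        parse_co_header(pdu)
        return None
    except ValueError as exc:
        return str(exc)

# Constructed sample PDUs (not from any real capture): a little-endian request for opnum 15,
# a big-endian bind carrying a 4-byte auth verifier, and a bind whose auth_length overruns it.
REQUEST_LE = bytes([5, 0, 0, 3, 0x10, 0, 0, 0]) + struct.pack("<HHI", 24, 0, 1) + struct.pack("<IHH", 0, 0, 15)
BIND_BE_AUTH = bytes([5, 0, 11, 3, 0x00, 0, 0, 0]) + struct.pack(">HHI", 36, 4, 2) + bytes(20)
BAD_AUTH = bytes([5, 0, 11, 3, 0x00, 0, 0, 0]) + struct.pack(">HHI", 36, 100, 3) + bytes(20)
```

Running `pdu_error` over every fragment of a trace before handing it to the interface-specific decoder is the cheapest way to keep a malformed length field from becoming a crash in the dissector.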