https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5491
Summary: Outlook anywhere: ncacn_http support
Product: Wireshark
Version: SVN
Platform: All
OS/Version: All
Status: NEW
Severity: Enhancement
Priority: Low
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: j.kerihuel@xxxxxxxxxxxxxx
Created an attachment (id=5605)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5605)
patch for wireshark trunk
Build Information:
wireshark 1.5.0 (SVN Rev 35122 from /trunk)
Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GTK+ 2.22.0, with GLib 2.26.0, with libpcap 1.1.1, with
libz 1.2.3.4, without POSIX capabilities, without libpcre, without SMI, without
c-ares, without ADNS, without Lua, without Python, with GnuTLS 2.8.6, with
Gcrypt 1.4.5, with MIT Kerberos, without GeoIP, without PortAudio, without
AirPcap.
Running on Linux 2.6.35-23-generic, with libpcap version 1.1.1, with libz
1.2.3.4, GnuTLS 2.8.6, Gcrypt 1.4.5.
Built using gcc 4.4.5.
--
Hi Lists,
I've just finished writing an ncacn_http dissector for Wireshark which
provides the ability to dissect Outlook anywhere packets properly (as
specified by the [MS-RPCH].pdf documentation).
I have attached to this email all the material needed to test the patch:
- stunnel.pem: the SSL RSA key to use to decrypt SSL'd capture
- sample_outlook_anywhere_ssl.pcap: the capture with SSL enabled
  and including RTS + nspi, rfr, mapi packets
- sample_outlook_anywhere_not_ssl.pcap: the capture performed on
  lo without SSL enabled and filtered to show only RTS packets.
Relevant RTS packets can be displayed using the (dcerpc.pkt_type == 20)
filter.
The patch also adds some fuzzy naming on RTS packets given the MS-RPCH
specifications. They define these PDU bodies through the flags, number of
commands fields and command sequences.
FYI, this capture was done between Outlook 2010 and Exchange 2010 using
a local SSL proxy to avoid Diffie-Hellman algorithm usage (default with
Exchange 2010).
In this scenario:
- 192.168.0.120 is the Outlook 2010 client
- 192.168.0.103 is the SSL proxy
I have also added to the email the dcerpc.idl patch for Samba4 which
adds the associated IDL for RTS support:
00001-Add-ncacn_http-RTS-IDL-implementation-in-dcerpc.idl.patch
It probably doesn't respect the usual Samba4 naming convention, but I
thought it would be more useful in this form so you can turn fields
to any names you prefer.
Kind Regards,
Julien.
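
An added example, not taken from the attached patch or from the reporter: a minimal Python parser for RTS PDUs (packet type 20) that names a PDU from its flags, number of commands and command sequence, as the report describes. The field layout and command numbers follow a reading of [MS-RPCH] and are assumptions here; parse_rts, build_rts and the sample PDU are hypothetical names and constructed data, and only fixed-size commands and a few PDU names are covered.

```python
import struct
PKT_TYPE_RTS = 20  # PTYPE matched by the dcerpc.pkt_type == 20 filter
# Command type -> (name, body bytes); variable-size Padding (8) and ClientAddress (11) omitted
COMMANDS = {
    0: ("ReceiveWindowSize", 4), 1: ("FlowControlAck", 24),
    2: ("ConnectionTimeout", 4), 3: ("Cookie", 16),
    4: ("ChannelLifetime", 4), 5: ("ClientKeepalive", 4),
    6: ("Version", 4), 7: ("Empty", 0), 9: ("NegativeANCE", 0),
    10: ("ANCE", 0), 12: ("AssociationGroupId", 16),
    13: ("Destination", 4), 14: ("PingTrafficSentNotify", 4),
}
# (flags, command sequence) -> PDU name; a few entries, not the full table
PDU_NAMES = {
    (0x0000, ("Version", "Cookie", "Cookie", "ReceiveWindowSize")): "CONN/A1",
    (0x0000, ("Version", "Cookie", "Cookie", "ChannelLifetime",
              "ClientKeepalive", "AssociationGroupId")): "CONN/B1",
    (0x0000, ("ConnectionTimeout",)): "CONN/A3",
    (0x0001, ()): "Ping",  # RTS_FLAG_PING with no commands
}
HEADER = struct.Struct("<BBBB4sHHIHH")  # 16-byte common header + Flags + NumberOfCommands

def parse_rts(pdu: bytes):
    """Return (flags, command names, PDU name or None); ValueError if malformed."""
    if len(pdu) < HEADER.size:
        raise ValueError("shorter than the 20-byte RTS header")
    vers, _, ptype, _, drep, frag_len, _, _, flags, count = HEADER.unpack_from(pdu)
    if (vers, ptype) != (5, PKT_TYPE_RTS) or not drep[0] & 0x10 or frag_len != len(pdu):
        raise ValueError("not a well-formed little-endian RTS PDU")
    offset, names = HEADER.size, []
    for _ in range(count):
        if offset + 4 > len(pdu):
            raise ValueError("truncated command")
        (ctype,) = struct.unpack_from("<I", pdu, offset)
        if ctype not in COMMANDS:
            raise ValueError(f"unsupported command type {ctype}")
        name, size = COMMANDS[ctype]
        names.append(name)
        offset += 4 + size
    if offset != len(pdu):
        raise ValueError("commands do not fill the PDU exactly")
    return flags, names, PDU_NAMES.get((flags, tuple(names)))

def build_rts(flags, cmds):
    """Build a test PDU from (command type, body bytes) pairs."""
    body = b"".join(struct.pack("<I", t) + b for t, b in cmds)
    return HEADER.pack(5, 0, PKT_TYPE_RTS, 0x03, b"\x10\0\0\0",
                       HEADER.size + len(body), 0, 0, flags, len(cmds)) + body

# Constructed sample (not from the attached captures): a CONN/A1-shaped PDU
SAMPLE_CONN_A1 = build_rts(0, [(6, struct.pack("<I", 1)), (3, bytes(16)),
                               (3, bytes(16)), (0, struct.pack("<I", 65536))])
```

A PDU whose flags and command sequence are not in the table still parses and is returned with a name of None, so unnamed RTS traffic can be listed rather than dropped.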