https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7254
Summary: Enhancements for FPSpotlightRPC AFP function
Product: Wireshark
Version: SVN
Platform: All
OS/Version: All
Status: NEW
Severity: Minor
Priority: Low
Component: Wireshark
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: alexander.lueders@xxxxxx
Created attachment 8424
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8424
patch
First of all, compliments to Frank Lahm for the great work on the original
dissection of the FPSpotlightRPC command.
However, I discovered a few things that I propose a patch for.
corrections:
1) Observing dissections, I discovered that the command code for the internal
spotlight command SPOTLIGHT_CMD_GET_VOLPATH is 4 instead of 1 (see attachment).
2) The reply to that command had a "return code" field, which is in fact the
volume id. I confirmed that by programmatically sending test requests to an AFP
server. It's definitely the volume id.
3) In the same reply, there are 4 null bytes, which were initially ignored by
the implementation. I added them as a reserved field.
4) In the spotlight_dissect_query_loop, the count value (indicating the children
of an array or a dictionary) was falsely decremented by the number of children
in contained int64/uuid/floats/nulls structures, which led to child elements
being outside of the actual array or dictionary, respectively.
enhancements:
1) In dissections, I discovered a new type: a UTF-16 string. I implemented the
dissection code for it.
2) I figured out what's behind the 4 unknown bytes in the ToC for string
types. They represent the number of padding bytes that were used to make the
string length a multiple of 8. I added a descriptive string for that.
Ok, that's it from my side so far.
Thanks in advance for your feedback
Greets
Alex