Wireshark-bugs: [Wireshark-bugs] [Bug 7254] New: Enhancements for FPSpotlightRPC AFP function

Date: Sun, 13 May 2012 00:48:32 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7254

           Summary: Enhancements for FPSpotlightRPC AFP function
           Product: Wireshark
           Version: SVN
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Minor
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: alexander.lueders@xxxxxx


Created attachment 8424
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8424
patch

Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark
-v", or "tshark -v".
--
First of all, compliments to Frank Lahm for the great work on the original
dissection of the FPSpotlightRPC command.

However, I discovered a few things that I propose a patch for.

corrections:
1) Observing dissections, I discovered that the command code for the internal
spotlight command SPOTLIGHT_CMD_GET_VOLPATH is 4 instead of 1 (see attachment).
2) The reply to that command had a "return code" field, which is in fact the
volume id. I made sure of that by programmatically sending test requests to an
AFP server. It's definitely the volume id.
3) In the same reply, there are 4 null bytes, which were initially ignored by
the implementation. I added them as a reserved field.
4) In spotlight_dissect_query_loop, the count value (indicating the children
of an array or a dictionary) was falsely decremented by the number of children
in contained int64/uuid/floats/nulls structures, which led to child elements
being outside of the actual array or dictionary, respectively.

enhancements:
1) In dissections I discovered a new type: a UTF-16 string. I implemented the
dissection code for it.
2) I figured out what's behind the 4 unknown bytes in the ToC for string
types. They represent the number of padding bytes that were used to make the
string length a multiple of 8. I added a descriptive string for that.

Ok, that's it from my side so far. 

Thanks in advance for your feedback
Greets
Alex
