ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-bugs: [Wireshark-bugs] [Bug 7254] Enhancements for FPSpotlightRPC AFP function

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Mon, 14 May 2012 13:21:50 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7254

--- Comment #5 from Frank Lahm <franklahm@xxxxxxxxxxxxxx> 2012-05-14 13:21:50 PDT ---
(In reply to comment #0)
> First of all, compliments to Frank Lahm for the great work on the original
> dissection of the FPSpotlightRPC command.

Thanks! ;)

> However, i discovered a few things, that i propose a patch for.

Execellent!

> corrections:
> 1) Observing dissections i discovered that the command code for the internal
> spotlight command SPOTLIGHT_CMD_GET_VOLPATH is 4 instead of 1 (see attachment).
> 2) The reply to that command, had a "return code" field, which is in fact the
> volume id. I assured that, by programmatically sending test requests to an AFP
> server. It's definitely the volume id.
> 3) In the same reply, there are 4 null bytes, which were initially ignored by
> the implementation. I added them as a reserved field.
> 4) In the spotlight_dissect_query_loop, the count value (indicating the childs
> of an array or an dictionary), was falsely decremented by the number of childs
> in contained int64/uuid/floats/nulls structures, which led to child elements
> being outside of the actual array or dictionary, respecectively.

I was addressing this one in
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7256. In order to et both
these changes integrated I think we can just drop 7256 and adjust your patch if
necessary, I haven't taken a closer look yet.

> enhancements:
> 1) In dissections i discovered a new type: an UTF-16 string. I implemented the
> dissection code for it.

Great!

> 2) I figured out, what's behind the 4 unknown bytes in the ToC for string
> types. They represent the number of padding bytes, that were used to make the
> string length a multiple of 8. I added an descriptive string for that.

Nice.

> Ok, that's it from my side so far. 

Now that we've dissected most of it, it's time to implement it! :)

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube