Wireshark · Ethereal-dev: [ethereal-dev] Hello and a patch

Ethereal-dev: [ethereal-dev] Hello and a patch

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: James Coe <jammer@xxxxxxx>

Date: Mon, 06 Dec 1999 19:58:29 -0600

Hello,

My name is Jamie Coe. I'm a network security analyst. I found Ethereal
to be such a wonderful tool that I've started writing extensions to it.
I am attaching a patch for the latest source tree to this message. The
patch adds the 0.3 alpha version of my dissector for Service Location
Protocol (SRVLOC) on port 427. It also modifies the NetWare Core
Protocol (NCP) dissector to allow it to decode NCP over IP on port 524.

Happy Sniffing,
Jamie.

? packet-srvloc.c
? ncpip-and-srvloc.patch
Index: packet-ncp.c
===================================================================
RCS file: /cvsroot/ethereal/packet-ncp.c,v
retrieving revision 1.23
diff -u -r1.23 packet-ncp.c
--- packet-ncp.c	1999/11/18 01:45:02	1.23
+++ packet-ncp.c	1999/12/07 02:09:38
@@ -1,6 +1,7 @@
 /* packet-ncp.c
  * Routines for NetWare Core Protocol
  * Gilbert Ramirez <gram@xxxxxxxxxxxxxxxxxxx>
+ * Modified to allow NCP over TCP/IP decodes by James Coe <jammer@xxxxxxx>
  *
  * $Id: packet-ncp.c,v 1.23 1999/11/18 01:45:02 guy Exp $
  *
@@ -44,6 +45,8 @@
 #include "packet-ncp.h"
 
 static int proto_ncp = -1;
+static int hf_ncp_ip_ver = -1;
+static int hf_ncp_ip_sig = -1;
 static int hf_ncp_type = -1;
 static int hf_ncp_seq = -1;
 static int hf_ncp_connection = -1;
@@ -75,6 +78,26 @@
 
 int ncp_packet_init_count = 200;
 
+/* These are the header structures to handle NCP over IP */
+#define	NCPIP_RQST	0x446d6454	// "DmdT"
+#define NCPIP_RPLY	0x744e6350	// "tNcP"
+
+struct ncp_ip_header {
+	guint32	signature;
+	guint32 length;
+};
+
+/* This header only appears on NCP over IP request packets */
+struct ncp_ip_rqhdr {
+	guint32 version;
+	guint32 rplybufsize;
+};
+
+static const value_string ncp_ip_signature[] = {
+	{ NCPIP_RQST, "Demand Transport (Request)" },
+	{ NCPIP_RPLY, "Transport is NCP (Reply)" },
+};
+
 /* The information in this module comes from:
 	NetWare LAN Analysis, Second Edition
 	Laura A. Chappell and Dan E. Hakes
@@ -435,8 +458,21 @@
 	proto_tree	*ncp_tree = NULL;
 	proto_item	*ti;
 	int		ncp_hdr_length = 0;
+	struct ncp_ip_header		ncpiph;
+	struct ncp_ip_rqhdr		ncpiphrq;
 	struct ncp_common_header	header;
 
+	if ( pi.ptype == PT_TCP || pi.ptype == PT_UDP ) {
+		memcpy(&ncpiph, &pd[offset], sizeof(ncpiph));
+		ncpiph.signature = ntohl(ncpiph.signature);
+		ncpiph.length = ntohl(ncpiph.length);
+		offset += 8;
+		if ( ncpiph.signature == NCPIP_RQST ) {
+			memcpy(&ncpiphrq, &pd[offset], sizeof(ncpiphrq));
+			ncpiphrq.rplybufsize = ntohl(ncpiphrq.rplybufsize);
+			offset += 8;
+		};
+	};
 	memcpy(&header, &pd[offset], sizeof(header));
 	header.type = ntohs(header.type);
 
@@ -461,6 +497,14 @@
 		ti = proto_tree_add_item(tree, proto_ncp, offset, END_OF_FRAME, NULL);
 		ncp_tree = proto_item_add_subtree(ti, ett_ncp);
 
+		if ( pi.ptype == PT_TCP || pi.ptype == PT_UDP ) {
+			proto_tree_add_item(ncp_tree, hf_ncp_ip_sig, offset - 16, 4, ncpiph.signature);
+			proto_tree_add_text(ncp_tree, offset - 12, 4, "Length: %d", ncpiph.length);
+			if ( ncpiph.signature == NCPIP_RQST ) {
+				proto_tree_add_item(ncp_tree, hf_ncp_ip_ver, offset - 8, 4, ncpiphrq.version);
+				proto_tree_add_text(ncp_tree, offset - 4, 4, "Reply buffer size: %d", ncpiphrq.rplybufsize);
+			};
+		};
 		proto_tree_add_item_format(ncp_tree, hf_ncp_type, 
 					   offset,      2,
 					   header.type,
@@ -865,6 +909,14 @@
 {
 
   static hf_register_info hf[] = {
+    { &hf_ncp_ip_sig,
+      { "NCP over IP signature",		"ncp.ip.signature",
+        FT_UINT32, BASE_HEX, VALS(ncp_ip_signature), 0x0,
+        "NCP over IP transport signature"}},
+    { &hf_ncp_ip_ver,
+      { "Version",		"ncp.ip.version",
+        FT_UINT32, BASE_DEC, NULL, 0x0,
+        "NCP over IP verion"}},
     { &hf_ncp_type,
       { "Type",			"ncp.type",
 	FT_UINT16, BASE_HEX, NULL, 0x0,
Index: packet-tcp.c
===================================================================
RCS file: /cvsroot/ethereal/packet-tcp.c,v
retrieving revision 1.50
diff -u -r1.50 packet-tcp.c
--- packet-tcp.c	1999/12/06 23:57:51	1.50
+++ packet-tcp.c	1999/12/07 02:09:44
@@ -97,7 +97,9 @@
 #define TCP_PORT_NBSS     139
 #define TCP_PORT_IMAP     143
 #define TCP_PORT_BGP      179
+#define TCP_PORT_SRVLOC   427
 #define TCP_PORT_PRINTER  515
+#define TCP_PORT_NCP      524
 #define TCP_ALT_PORT_HTTP 8080
 #define TCP_PORT_PPTP     1723
 #define TCP_PORT_RTSP     554
@@ -537,6 +539,12 @@
     } else if (PORT_IS(TCP_PORT_IRC)) {
       pi.match_port = TCP_PORT_IRC;
       dissect_irc(pd, offset, fd, tree);
+    } else if (PORT_IS(TCP_PORT_SRVLOC)) {
+      pi.match_port = TCP_PORT_SRVLOC;
+      dissect_srvloc(pd, offset, fd, tree);
+    } else if (PORT_IS(TCP_PORT_NCP)) {
+      pi.match_port = TCP_PORT_NCP;
+      dissect_ncp(pd, offset, fd, tree);
     } else {
         /* check existence of high level protocols */
 
Index: packet-udp.c
===================================================================
RCS file: /cvsroot/ethereal/packet-udp.c,v
retrieving revision 1.40
diff -u -r1.40 packet-udp.c
--- packet-udp.c	1999/12/05 02:32:39	1.40
+++ packet-udp.c	1999/12/07 02:09:46
@@ -73,10 +73,12 @@
 #define UDP_PORT_NBNS	137
 #define UDP_PORT_NBDGM	138
 #define UDP_PORT_SNMP   161
+#define UDP_PORT_SRVLOC 427
 #define UDP_PORT_PIM_RP_DISC 496
 #define UDP_PORT_ISAKMP	500
 #define UDP_PORT_RIP    520
 #define UDP_PORT_RIPNG  521
+#define UDP_PORT_NCP    524
 #define UDP_PORT_VINES	573
 #define UDP_PORT_RADIUS 1645
 #define UDP_PORT_RADIUS_NEW 1812
@@ -243,6 +245,8 @@
       dissect_bootp(pd, offset, fd, tree);
   else if (PORT_IS(UDP_PORT_DNS))
       dissect_dns(pd, offset, fd, tree);
+  else if (PORT_IS(UDP_PORT_SRVLOC))
+      dissect_srvloc(pd, offset, fd, tree);
   else if (PORT_IS(UDP_PORT_ISAKMP))
       dissect_isakmp(pd, offset, fd, tree);
   else if (PORT_IS(UDP_PORT_RIP)) {
@@ -250,6 +254,8 @@
       dissect_rip(pd, offset, fd, tree);
   } else if (PORT_IS(UDP_PORT_RIPNG))
       dissect_ripng(pd, offset, fd, tree);
+  else if (PORT_IS(UDP_PORT_NCP))
+      dissect_ncp(pd, offset, fd, tree);
   else if (PORT_IS(UDP_PORT_NBNS))
       dissect_nbns(pd, offset, fd, tree);
   else if (PORT_IS(UDP_PORT_NBDGM))
Index: packet.h
===================================================================
RCS file: /cvsroot/ethereal/packet.h,v
retrieving revision 1.157
diff -u -r1.157 packet.h
--- packet.h	1999/12/06 23:57:51	1.157
+++ packet.h	1999/12/07 02:09:47
@@ -408,6 +408,7 @@
 void dissect_payload_ppp(const u_char *, int, frame_data *, proto_tree *);
 void dissect_x25(const u_char *, int, frame_data *, proto_tree *);
 void dissect_yhoo(const u_char *, int, frame_data *, proto_tree *);
+void dissect_srvloc(const u_char *, int, frame_data *, proto_tree *);
 
 void dissect_smb(const u_char *, int, frame_data *, proto_tree *, int);
 void dissect_pptp(const u_char *, int, frame_data *, proto_tree *);

Follow-Ups:
- Re: [ethereal-dev] Hello and a patch
  - From: Guy Harris

Prev by Date: [ethereal-dev] idea for style change of byte view highlighting and sample patch
Next by Date: Re: [ethereal-dev] Hello and a patch
Previous by thread: [ethereal-dev] idea for style change of byte view highlighting and sample patch
Next by thread: Re: [ethereal-dev] Hello and a patch
Index(es):
- Date
- Thread