Ethereal-dev: Re: [Ethereal-dev] Examples of searching on DCERPC strings and others ...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>
Date: Tue, 18 Mar 2003 19:01:18 +1100
----- Original Message -----
From: "Richard Sharpe"
Sent: Tuesday, March 18, 2003 4:13 AM
Subject: [Ethereal-dev] Examples of searching on DCERPC strings and others
...


> Hi,
>
> Can someone provide examples of searching on DCERPC strings etc.
>

For example, lsa.domain=="FOO" should work?

I assume your question may be related to the change I checked in yesterday
allowing again to put FT_STRING entries in the tree pane.

Whether it is useful to be able to filter for DCERPC strings is unknown;
however, putting these strings in the tree pane using a proper hf_field
has one nice side effect.

Everything that has a hf_field can be used to populate the edt structure.
A hf_field of type FT_STRING can populate edt with a string entry.

This side effect is useful since it makes it reasonably uncomplicated to pick
this value up from the edt tree.


Consider for example LSA_QueryInfoPolicy, the reply for that rpc
contains a POLICY_INFORMATION structure.
Consider information level 5 of that union.

It contains an Account name (FT_STRING) as well as a SID (also by
coincidence an FT_STRING since yesterday).

In theory, these two strings could be placed in a hash table indexable by
SID string value.

If such a hash table is built by ethereal there would be some very useful
new features that could easily be added by adding a few lines to the function:
packet-smb.c/dissect_nt_sid()


Of course this hypothetical feature would only be available after enabling
something like
Edit/Preferences/Protocols/SMB/Snoop SID Names
for those that want ethereal to run a bit slower than it does currently.
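As an added illustration of the hash table the message sketches (this is not Ethereal/Wireshark code and not the author's), the following C program implements a small SID-to-name cache keyed by the SID's string form. The function names (sid_cache_add, sid_cache_lookup, sid_cache_count, sid_cache_clear) and the sample SID/name values are assumptions constructed for the example; in the scenario described above the entries would be filled in from LSA_QueryInfoPolicy level 5 replies and consulted from dissect_nt_sid() when a SID is rendered.

```c
/*
 * Added example, not Ethereal/Wireshark code: a SID-to-name cache keyed by
 * the SID string, of the kind the message suggests.  All names and sample
 * values here are constructed for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_BUCKETS 64

struct sid_entry {
    char *sid;               /* key: SID in "S-1-5-..." text form */
    char *name;              /* value: account/domain name learned from a reply */
    struct sid_entry *next;  /* chaining for bucket collisions */
};

static struct sid_entry *sid_table[SID_BUCKETS];

/* Portable strdup replacement (strdup is POSIX, not ISO C). */
static char *dup_str(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p)
        memcpy(p, s, len);
    return p;
}

/* djb2 string hash reduced to a bucket index. */
static unsigned sid_hash(const char *s)
{
    unsigned h = 5381;
    while (*s)
        h = h * 33 + (unsigned char)*s++;
    return h % SID_BUCKETS;
}

/* Record (or update) the name seen for a SID.  Returns 0 on success, -1 on allocation failure. */
int sid_cache_add(const char *sid, const char *name)
{
    unsigned b = sid_hash(sid);
    struct sid_entry *e;
    for (e = sid_table[b]; e; e = e->next) {
        if (strcmp(e->sid, sid) == 0) {       /* already known: replace the name */
            char *n = dup_str(name);
            if (!n) return -1;
            free(e->name);
            e->name = n;
            return 0;
        }
    }
    e = malloc(sizeof *e);
    if (!e) return -1;
    e->sid = dup_str(sid);
    e->name = dup_str(name);
    if (!e->sid || !e->name) { free(e->sid); free(e->name); free(e); return -1; }
    e->next = sid_table[b];                    /* push onto the bucket chain */
    sid_table[b] = e;
    return 0;
}

/* Look up a SID; returns the cached name or NULL if it was never seen. */
const char *sid_cache_lookup(const char *sid)
{
    struct sid_entry *e;
    for (e = sid_table[sid_hash(sid)]; e; e = e->next)
        if (strcmp(e->sid, sid) == 0)
            return e->name;
    return NULL;
}

/* Number of entries currently cached (walks every bucket). */
size_t sid_cache_count(void)
{
    size_t n = 0;
    for (unsigned b = 0; b < SID_BUCKETS; b++)
        for (struct sid_entry *e = sid_table[b]; e; e = e->next)
            n++;
    return n;
}

/* Drop every entry, e.g. when a new capture file is opened. */
void sid_cache_clear(void)
{
    for (unsigned b = 0; b < SID_BUCKETS; b++) {
        struct sid_entry *e = sid_table[b];
        while (e) {
            struct sid_entry *next = e->next;
            free(e->sid); free(e->name); free(e);
            e = next;
        }
        sid_table[b] = NULL;
    }
}

int main(void)
{
    /* Constructed sample values, not taken from any capture. */
    const char *sid = "S-1-5-21-1000-2000-3000-500";
    sid_cache_add("S-1-5-21-1000-2000-3000", "EXAMPLEDOM");
    sid_cache_add(sid, "Administrator");
    const char *n = sid_cache_lookup(sid);
    printf("%s -> %s\n", sid, n ? n : "(unknown)");
    sid_cache_clear();
    return 0;
}
```

The cache is process-global, as dissector state in a single-threaded dissection loop would be, so a dissector that adopted this would clear it whenever a new capture is loaded to avoid showing names learned from an unrelated file.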