
Ethereal-dev: RE: [Ethereal-dev] Any chance to get something like "decode as" for DCE-RPC interfaces?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Eric Wedel" <ewedel@xxxxxxxxxxx>
Date: Wed, 18 Aug 2004 19:29:09 -0700
Hi Ulf..

I knocked together a little patch which infers the bind type for
a few CIFS UUIDs, based on the opnum.  Have attached a version
for 0.10.6.  This approach is a horrible kludge, but it has done
the job for me for a while now.  The code at least points the way
to a correct fix, especially now that our resident UI expert
is interested.  :-)

[Had toyed with the idea of adding a GUI some months ago, but the
prospect of leaping into a totally unfamiliar area (I don't do UI
in general, and have zero experience with GTK) has kept me hobbling
along with the attached patch.]

Inside the DCERPC code, it keeps a table mapping from a
(conversation,context id) pair to an associated binding.

The code just after the patch's added switch statement in
  epan/dissectors/packet-dcerpc.c
is what makes it work.  If those key values can be obtained
from whatever context the "Decode As" dialog has available, then
it should be very simple to give the conversation a binding.

The "key" value used to look up the proper binding contains a
conversation identifier (from find_conversation()), and a context ID
which is apparently dissected out of the DCE packet (see the top of
dissect_dcerpc_cn_rqst() in packet-dcerpc.c).

Not sure how hard it would be to extract these values from the
highlighted packet.

Ideally, the "Decode As" dialog could reach in and grab the values
from the partially-dissected DCERPC packet.  Afraid I don't know
how to do that though.

I assume you're thinking of adding a new "DCERPC" tab to the
"Decode As" dialog?

regards,
Eric Wedel, Bluearc Engineering


-----Original Message-----
From: ethereal-dev-bounces@xxxxxxxxxxxx
[mailto:ethereal-dev-bounces@xxxxxxxxxxxx]On Behalf Of Ulf Lamping
Sent: Wednesday, August 18, 2004 11:04 AM
To: Ethereal-Dev
Subject: [Ethereal-dev] Any chance to get something like "decode as" for DCE-RPC interfaces?


Hi List!

I have an ongoing problem with DCE-RPC (DCOM) calls.

If I can't get the context of a DCE-RPC call (because I've missed the
"bind" or "alter context" packets), Ethereal can't match the
conversation to the corresponding DCE-RPC call dissection.

It would be *very nice* to have the "Decode As" feature for DCE-RPC
interfaces, so the user could select a specific RPC interface for a
specific conversation.

Had a short look into the "Decode As" dialog, but as I'm not really
familiar with the dissection engine, I don't see an easy way to add this
feature.

Is anyone interested in implementing such a feature, or at least in giving
an estimate of how much effort it would take, and how?

Regards, ULFL

_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev

Attachment: eth0.10.6.patch
Description: eth0.10.6.patch
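The lookup Eric describes above (a table keyed by conversation and presentation context id, filled from bind / alter_context PDUs and consulted when a request is dissected) and the manual override Ulf asks for, as an added stand-alone example. This is not Ethereal's code and not the attached patch: it is a small Python model written for this page. The conversation numbers, the interface UUID and every PDU byte string are constructed; the byte layouts follow the DCE/RPC connection-oriented PDU format (16-byte common header whose drep byte selects integer byte order, then p_cont_id and opnum at offsets 20 and 22 of a request), and `decode_as` stands in for the dialog feature being discussed.

```python
"""Stand-alone model of the DCE/RPC CO binding table discussed in the thread.
Added example, not Ethereal/Wireshark code.  Conversation numbers, the
interface UUID and all PDU bytes are constructed for this example."""
import struct
import uuid

PTYPE_REQUEST, PTYPE_BIND, PTYPE_ALTER_CONTEXT = 0, 11, 14
PFC_OBJECT_UUID = 0x80          # request carries a 16-byte object UUID after opnum
DREP_LITTLE_ENDIAN = 0x10       # bit in drep[0]: NDR integers are little-endian
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
EXAMPLE_IFACE = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed

# (conversation id, p_cont_id) -> (interface UUID, major, minor)
bind_table = {}

def _fmt(drep0):
    return "<" if drep0 & DREP_LITTLE_ENDIAN else ">"

def _uuid(raw, fmt):
    # the first three UUID fields follow the sender's drep, the rest are bytes
    return uuid.UUID(bytes_le=raw) if fmt == "<" else uuid.UUID(bytes=raw)

def parse_header(pdu):
    """Common 16-byte CO header.  Rejects non-v5 PDUs and truncated fragments."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a DCE/RPC v5 connection-oriented PDU")
    fmt = _fmt(pdu[4])
    frag_len, auth_len, call_id = struct.unpack(fmt + "HHI", pdu[8:16])
    if frag_len > len(pdu):
        raise ValueError("frag_length %d exceeds %d captured bytes" % (frag_len, len(pdu)))
    return {"ptype": pdu[2], "flags": pdu[3], "fmt": fmt,
            "auth_len": auth_len, "call_id": call_id}

def register_bind(conv, pdu):
    """What the dissector does on bind / alter_context: record every context."""
    hdr = parse_header(pdu)
    if hdr["ptype"] not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        raise ValueError("not a bind or alter_context PDU")
    fmt = hdr["fmt"]
    n_ctx, off = pdu[24], 28    # after max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3)
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack(fmt + "HBx", pdu[off:off + 4])
        if_uuid = _uuid(pdu[off + 4:off + 20], fmt)          # abstract syntax UUID
        major, minor = struct.unpack(fmt + "HH", pdu[off + 20:off + 24])
        bind_table[(conv, ctx_id)] = (if_uuid, major, minor)
        off += 24 + 20 * n_ts   # skip the transfer-syntax list

def decode_as(conv, ctx_id, if_uuid, major=1, minor=0):
    """The manual override the thread asks for: bind a context by hand when
    the bind / alter_context PDUs were not in the capture."""
    bind_table[(conv, ctx_id)] = (if_uuid, major, minor)

def dissect_request(conv, pdu):
    """Extract p_cont_id and opnum from a request and resolve its interface;
    'interface' is None when the (conversation, context) key is unbound."""
    hdr = parse_header(pdu)
    if hdr["ptype"] != PTYPE_REQUEST:
        raise ValueError("not a request PDU")
    ctx_id, opnum = struct.unpack(hdr["fmt"] + "HH", pdu[20:24])
    return {"call_id": hdr["call_id"], "ctx_id": ctx_id, "opnum": opnum,
            "has_object": bool(hdr["flags"] & PFC_OBJECT_UUID),
            "interface": bind_table.get((conv, ctx_id))}

# --- constructed PDUs (little-endian drep, first+last fragment flags) ---
def _pdu(ptype, body, call_id):
    return bytes([5, 0, ptype, 0x03, DREP_LITTLE_ENDIAN, 0, 0, 0]) + \
        struct.pack("<HHI", 16 + len(body), 0, call_id) + body

def build_bind(ctx_id, if_uuid, major, minor, call_id=1):
    body = struct.pack("<HHIBxxx", 4280, 4280, 0, 1)             # one context element
    body += struct.pack("<HBx", ctx_id, 1)                        # ctx id, one transfer syntax
    body += if_uuid.bytes_le + struct.pack("<HH", major, minor)  # abstract syntax
    body += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    return _pdu(PTYPE_BIND, body, call_id)

def build_request(ctx_id, opnum, stub=b"", call_id=2):
    return _pdu(PTYPE_REQUEST, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub, call_id)

def demo():
    """Two conversations: one with its bind captured, one started mid-session."""
    bind_table.clear()
    register_bind(1, build_bind(0, EXAMPLE_IFACE, 1, 0))
    bound = dissect_request(1, build_request(0, 15))
    orphan = dissect_request(2, build_request(0, 15, call_id=7))   # no bind seen
    decode_as(2, 0, EXAMPLE_IFACE, 1, 0)                            # user override
    fixed = dissect_request(2, build_request(0, 15, call_id=7))
    return bound, orphan, fixed

if __name__ == "__main__":
    for tag, r in zip(("bound", "orphan", "fixed"), demo()):
        print(tag, r["ctx_id"], r["opnum"], r["interface"])
```

Running it resolves the first request, fails to resolve the second (the "can't get a match" case from Ulf's mail, reported as `None` rather than a crash), and resolves the third once `decode_as` has filled the `(conversation, context id)` key by hand. The drep byte is honoured, so a big-endian sender's bind would populate the same key. Two things the model leaves out: a response PDU carries p_cont_id but no opnum, so the opnum has to come from the matching request (by call_id), and a request with PFC_OBJECT_UUID set has 16 more bytes after the opnum before the stub data.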