Wireshark-bugs: [Wireshark-bugs] [Bug 5491] New: Outlook anywhere: ncacn_http support
Date: Sun, 12 Dec 2010 12:53:09 -0800 (PST)

           Summary: Outlook anywhere: ncacn_http support
           Product: Wireshark
           Version: SVN
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Low
         Component: Wireshark
        AssignedTo: [email protected]
        ReportedBy: [email protected]

Created an attachment (id=5605)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5605)
patch for wireshark trunk

Build Information:
wireshark 1.5.0 (SVN Rev 35122 from /trunk)

Copyright 1998-2010 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO

Compiled (64-bit) with GTK+ 2.22.0, with GLib 2.26.0, with libpcap 1.1.1, with
libz, without POSIX capabilities, without libpcre, without SMI, without
c-ares, without ADNS, without Lua, without Python, with GnuTLS 2.8.6, with
Gcrypt 1.4.5, with MIT Kerberos, without GeoIP, without PortAudio, without

Running on Linux 2.6.35-23-generic, with libpcap version 1.1.1, with libz, GnuTLS 2.8.6, Gcrypt 1.4.5.

Built using gcc 4.4.5.

Hi Lists,

I've just finished writing an ncacn_http dissector for Wireshark which
provides the ability to dissect Outlook Anywhere packets properly (as
specified by the [MS-RPCH].pdf documentation).

I have attached to this email all the material needed to test the patch:
        - stunnel.pem: the SSL RSA key to use to decrypt the SSL'd capture
        - sample_outlook_anywhere_ssl.pcap: the capture with SSL enabled,
        including RTS + nspi, rfr and mapi packets
        - sample_outlook_anywhere_not_ssl.pcap: the capture performed on
        lo without SSL enabled, filtered to show only RTS packets

Relevant RTS packets can be displayed using (dcerpc.pkt_type == 20)

The patch also adds some fuzzy naming of RTS packets based on the MS-RPCH
specification, which defines these PDU bodies through the flags field, the
number-of-commands field and the command sequences.

FYI, this capture was done between Outlook 2010 and Exchange 2010 using
a local SSL proxy to avoid Diffie-Hellman algorithm usage (default with
Exchange 2010).

In this scenario:
        - is the Outlook 2010 client
        - is the SSL proxy

I have also added to the email the dcerpc.idl patch for Samba4 which
adds the associated IDL for RTS support:

It probably doesn't respect the usual Samba4 naming convention, but I
thought it would be more useful in this form so you can rename the
fields to whatever you prefer.

Kind Regards,

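As an added example (not part of this bug report, the attached patch, or the Samba4 IDL), here is a small Python parser that decodes an RTS PDU the way the naming described above works: it reads the DCE/RPC common header (pkt_type 20, i.e. the dcerpc.pkt_type == 20 filter), the RTS Flags and NumberOfCommands fields, walks the command sequence (including the two variable-length commands, Padding and ClientAddress), and matches the (flags, command types) tuple against a table of PDU names. The flag values, command types, command lengths and the signature table are my reading of [MS-RPCH], not something taken from the patch, so check them against the spec; the sample PDU bytes are constructed inline and are not from the attached captures.

```python
import struct

PKT_TYPE_RTS = 20  # DCE/RPC packet type for RTS, i.e. dcerpc.pkt_type == 20

# RTS flag bits as I read [MS-RPCH] 2.2.3.6.1 (assumption: verify against the spec).
# Others exist (OTHER_CMD 0x02, RECYCLE_CHANNEL 0x04, EOF 0x20, ECHO 0x40).
RTS_FLAG_NONE = 0x0000
RTS_FLAG_PING = 0x0001
RTS_FLAG_IN_CHANNEL = 0x0008
RTS_FLAG_OUT_CHANNEL = 0x0010

# CommandType -> (name, payload length after the 4-byte CommandType field).
# None marks the two variable-length commands handled in parse_rts_pdu().
RTS_COMMANDS = {
    0x0: ("ReceiveWindowSize", 4), 0x1: ("FlowControlAck", 24),
    0x2: ("ConnectionTimeout", 4), 0x3: ("Cookie", 16),
    0x4: ("ChannelLifetime", 4), 0x5: ("ClientKeepalive", 4),
    0x6: ("Version", 4), 0x7: ("Empty", 0), 0x8: ("Padding", None),
    0x9: ("NegativeANCE", 0), 0xA: ("ANCE", 0), 0xB: ("ClientAddress", None),
    0xC: ("AssociationGroupId", 16), 0xD: ("Destination", 4),
    0xE: ("PingTrafficSentNotify", 4),
}

# (flags, command-name sequence) -> PDU name; a subset of [MS-RPCH] 2.2.4 as I read it.
# CONN/C1 and CONN/C2 share one signature, which is why the naming can only be fuzzy.
RTS_PDU_SIGNATURES = {
    (RTS_FLAG_PING, ()): "Ping",
    (RTS_FLAG_NONE, ("Version", "Cookie", "Cookie", "ReceiveWindowSize")): "CONN/A1",
    (RTS_FLAG_OUT_CHANNEL, ("Version", "Cookie", "Cookie", "ChannelLifetime", "ReceiveWindowSize")): "CONN/A2",
    (RTS_FLAG_NONE, ("ConnectionTimeout",)): "CONN/A3",
    (RTS_FLAG_NONE, ("Version", "Cookie", "Cookie", "ChannelLifetime", "ClientKeepalive", "AssociationGroupId")): "CONN/B1",
    (RTS_FLAG_NONE, ("Version", "ReceiveWindowSize", "ConnectionTimeout")): "CONN/C1 or CONN/C2",
}


def parse_rts_pdu(data: bytes):
    """Return (flags, [(command_name, payload_bytes), ...]) for one RTS PDU."""
    if len(data) < 20:
        raise ValueError("PDU shorter than DCE/RPC header + RTS header")
    if data[2] != PKT_TYPE_RTS:
        raise ValueError("not an RTS PDU (pkt_type %d)" % data[2])
    e = "<" if data[4] & 0x10 else ">"  # drep[0] bit 4 set: little-endian integers
    frag_len, _auth_len, _call_id = struct.unpack_from(e + "HHI", data, 8)
    if frag_len != len(data):
        raise ValueError("frag_length %d != %d bytes supplied" % (frag_len, len(data)))
    flags, num_commands = struct.unpack_from(e + "HH", data, 16)
    off, commands = 20, []
    for _ in range(num_commands):
        if off + 4 > frag_len:
            raise ValueError("command header truncated")
        (ctype,) = struct.unpack_from(e + "I", data, off)
        off += 4
        if ctype not in RTS_COMMANDS:
            raise ValueError("unknown RTS command type 0x%x" % ctype)
        name, size = RTS_COMMANDS[ctype]
        if name == "Padding":  # ConformanceCount, then that many padding bytes
            (count,) = struct.unpack_from(e + "I", data, off)
            size = 4 + count
        elif name == "ClientAddress":  # AddressType, IPv4 (0) or IPv6 address, 12 bytes padding
            (atype,) = struct.unpack_from(e + "I", data, off)
            size = 4 + (4 if atype == 0 else 16) + 12
        if off + size > frag_len:
            raise ValueError("command %s truncated" % name)
        commands.append((name, data[off:off + size]))
        off += size
    if off != frag_len:
        raise ValueError("%d trailing bytes after last command" % (frag_len - off))
    return flags, commands


def classify_rts(flags, commands):
    """Name the PDU from its (flags, command sequence), or report it as unknown."""
    names = tuple(name for name, _ in commands)
    fallback = "unknown RTS PDU (flags=0x%04x, %d commands)" % (flags, len(names))
    return RTS_PDU_SIGNATURES.get((flags, names), fallback)


def build_rts_pdu(flags, commands, call_id=1):
    """Constructed test input: little-endian DCE/RPC header + RTS body (not from the pcaps)."""
    body = struct.pack("<HH", flags, len(commands))
    for ctype, payload in commands:
        body += struct.pack("<I", ctype) + payload
    frag_len = 16 + len(body)
    header = struct.pack("<BBBB4sHHI", 5, 0, PKT_TYPE_RTS, 0x03,
                         b"\x10\x00\x00\x00", frag_len, 0, call_id)
    return header + body


# Constructed samples, not taken from the attached captures.
CONN_A1 = build_rts_pdu(RTS_FLAG_NONE, [
    (0x6, struct.pack("<I", 1)),         # Version = 1
    (0x3, bytes(range(16))),             # VirtualConnectionCookie
    (0x3, bytes(range(16, 32))),         # OutChannelCookie
    (0x0, struct.pack("<I", 0x40000)),   # ReceiveWindowSize
])
PING = build_rts_pdu(RTS_FLAG_PING, [])
CLIENT_ADDR = build_rts_pdu(RTS_FLAG_NONE, [
    (0xB, struct.pack("<I", 0) + b"\x7f\x00\x00\x01" + bytes(12)),  # IPv4 ClientAddress
])

if __name__ == "__main__":
    for pdu in (CONN_A1, PING, CLIENT_ADDR):
        flags, commands = parse_rts_pdu(pdu)
        print(classify_rts(flags, commands), [name for name, _ in commands])
```

The parser validates frag_length against the bytes it was handed and rejects truncated commands and trailing bytes, so a PDU cut short by a reassembly problem fails loudly instead of being named by a partial command sequence; the real dissector has to do the same before trusting the fuzzy name.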