
Wireshark-bugs: [Wireshark-bugs] [Bug 9950] New: MDSSVC: New DCE/RPC service dissector for Apple

Date: Thu, 03 Apr 2014 13:35:51 +0000
Bug ID: 9950
Summary: MDSSVC: New DCE/RPC service dissector for Apple's Spotlight
Classification: Unclassified
Product: Wireshark
Version: Git
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: Enhancement
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Created attachment 12675 [details]
Expose Spotlight dissector function

Build Information:
None.
--
Apple's SMB server implementation uses a DCE/RPC service called "mdssrv" for
passing Spotlight search requests between client and server.

The DCE/RPC service functions as a transport for the Spotlight search requests,
which are marshalled and encapsulated exactly the same way as in the AFP
protocol.

We can therefore call the AFP dissector from the DCE/RPC dissector.
Unfortunately, this requires manually editing the pidl-generated dissectors.

Apple doesn't publish the IDL file; what I have is reverse engineered from
on-the-wire packets.

Attached is a series of patches that first modifies the AFP dissector by
exposing the function that dissects the Spotlight blob. Then comes the IDL and
the autogenerated dissector code.

The final patch is the necessary manual edit of the autogenerated code.

Also attached is a small packet capture that includes a simple Spotlight
search. Filter by "dcerpc" and you'll have a fine view of the DCE/RPC stream.
