Wireshark-bugs: [Wireshark-bugs] [Bug 9950] New: MDSSVC: New DCE/RPC service dissector for Apple
Date: Thu, 03 Apr 2014 13:35:51 +0000
Bug ID 9950
Summary MDSSVC: New DCE/RPC service dissector for Apple's Spotlight
Classification Unclassified
Product Wireshark
Version Git
Hardware All
OS All
Status UNCONFIRMED
Severity Enhancement
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 12675 [details]
Expose Spotlight dissector function

Build Information:
None.
--
Apple's SMB server implementation uses a DCE/RPC service called "mdssrv" for
passing Spotlight search requests between client and server.

The DCE/RPC service functions as a transport for the Spotlight search requests
which is marshalled and encapsulated exactly the same way as in the AFP
protocol.

We can therefor call to the AFP dissector from the DCE/RPC dissector.
Unfortunately, this requires manually editing the pidl generated dissectors.

Apple doesn't publish the IDL file, what I have is reverse engineered from on
the wire packets.

Attached is a series of patches that first modifies the AFP dissector by
exposing the function that dissects the Spotlight blob. Then comes the IDL and
the autogenerated dissector code.

The final patch is the necessary manual edit of the autogenerated code.

Also attached is a small packet capture that includes a simple Spotlight
search. Filter by "dcerpc"  and you'll have a fine view on the DCE/RPC stream.


You are receiving this mail because:
  • You are watching all bug changes.