Wireshark-dev: Re: [Wireshark-dev] decoding Remote Desktop Protocol
From: "ronnie sahlberg" <[email protected]>
Date: Mon, 29 Oct 2007 18:26:23 +1100
I have committed an initial and very limited X.224 dissector that
registers TPKT on port 3389 and makes TPKT spawn off this port into
X.224 instead.

The X.224 dissector is very incomplete and only really dissects
CR/CC/DT and only for class 0.
But it is good enough for now as a start to decode up to and including
the X.224 layer for remote desktop.

Please, if you feel like it, give T.12x a try and put it on top of this
dissector.


On 10/25/07, Stephen Fisher <[email protected]> wrote:
> On Wed, Oct 24, 2007 at 11:39:15AM -0500, DePriest, Jason R. wrote:
>
> > Unfortunately, I can't seem to locate any good technical documentation
> > on how RDP does what it does.
> >
> > I considered looking at the linux programs that use it (rdesktop) and
> > trying to read their code, but I don't write code myself so it would
> > be hit or miss.
> >
> > RDP is Microsoft's baby and I don't know where to look for in depth
> > docs on it.
> >
> > Does anyone have a link or two to some helpful stuff that would help
> > me break the code?  Or will I just need to figure it out the hard way?
>
> There is little to no public documentation on Remote Desktop.  I wanted
> to implement RDP dissection in Wireshark a while back and gave up (I had
> just finished off the VNC dissector which was a pain even with
> documentation).  Your best bet is to read the source code to rdesktop
> (which is poorly documented if I remember correctly) and the articles
> under the "Documentation" section of www.rdesktop.org.  It is a shame
> they did not document the protocol(s) in a nice fashion while writing
> the code to rdesktop.  I do not mean to discourage you or anyone from
> trying to figure it out as it would be a great feature to have in
> Wireshark.  I would be willing to help if someone could figure out at
> least enough to get started :)
>
>
> Steve
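The layering described at the top of this thread (TPKT on TCP port 3389 carrying X.224 class 0 CR/CC/DT TPDUs), as an added example that is not part of the original messages and is not the dissector committed to Wireshark. The function names are hypothetical and the sample bytes are constructed; the header layouts assumed are TPKT per RFC 1006 and the X.224 class 0 fixed parts.

```python
import struct

TPDU_NAMES = {0xE0: "CR", 0xD0: "CC", 0xF0: "DT"}  # X.224 TPDU codes (high nibble)

def parse_x224(tpdu):
    """Decode one class 0 CR/CC/DT TPDU (hypothetical helper)."""
    if len(tpdu) < 2:
        raise ValueError("truncated X.224 TPDU")
    li = tpdu[0]                       # length indicator: header bytes after LI
    if li < 2 or 1 + li > len(tpdu):
        raise ValueError("bad X.224 length indicator %d" % li)
    header, data = tpdu[1:1 + li], tpdu[1 + li:]
    name = TPDU_NAMES.get(header[0] & 0xF0)
    if name is None:
        raise ValueError("unsupported TPDU code 0x%02x" % header[0])
    if name == "DT":
        if li != 2:                    # class 0 DT header is code + NR/EOT only
            raise ValueError("class 0 DT must have LI=2")
        return {"type": "DT", "eot": bool(header[1] & 0x80), "data": data}
    if li < 6:                         # CR/CC fixed part: code, dst, src, class
        raise ValueError("CR/CC header too short")
    dst_ref, src_ref, cls_opt = struct.unpack_from(">HHB", header, 1)
    if cls_opt >> 4 != 0:
        raise ValueError("only class 0 is handled")
    return {"type": name, "dst_ref": dst_ref, "src_ref": src_ref,
            "variable": header[6:], "data": data}

def parse_tpkt_stream(buf):
    """Split a reassembled TCP payload into TPKT frames and decode each TPDU."""
    frames, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated TPKT header")
        version, _reserved, length = struct.unpack_from(">BBH", buf, off)
        if version != 3:
            raise ValueError("not TPKT (version %d)" % version)
        if length < 5 or off + length > len(buf):  # length includes the 4-byte header
            raise ValueError("bad TPKT length %d" % length)
        frames.append(parse_x224(buf[off + 4:off + length]))
        off += length
    return frames

# Constructed sample: CR, CC (src_ref 0x1234), DT carrying b"hello" with EOT set.
SAMPLE = bytes.fromhex("0300000b06e00000000000"
                       "0300000b06d00000123400"
                       "0300000c02f08068656c6c6f")

if __name__ == "__main__":
    for frame in parse_tpkt_stream(SAMPLE):
        print(frame)
```

The `data` field of each DT frame is where a T.12x decoder layered on top would take over.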