Wireshark-dev: Re: [Wireshark-dev] [PATCH] Outlook anywhere: ncacn_http support
From: "Maynard, Chris" <[email protected]>
Date: Mon, 6 Dec 2010 11:15:22 -0500
Hi Julien,
Please file a Wireshark bug report for this and include all your attachments with all of this information.  This way, the patch won't be forgotten.  It may take a while before someone has a chance to look at it.
Thanks.
- Chris

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Julien Kerihuel
Sent: Sunday, December 05, 2010 5:22 PM
To: [email protected]; [email protected]
Cc: Development list
Subject: [Wireshark-dev] [PATCH] Outlook anywhere: ncacn_http support

Hi Lists,

I've just finished writing an ncacn_http dissector for Wireshark which provides the ability to dissect Outlook Anywhere packets properly (as specified by the [MS-RPCH].pdf documentation).

I have attached to this email all the material needed to test the patch:
        - stunnel.pem: the SSL RSA key to use to decrypt SSL'd capture
        - sample_outlook_anywhere_ssl.pcap: the capture with SSL enabled
        and including RTS + nspi, rfr, mapi packets
        - sample_outlook_anywhere_not_ssl.pcap: the capture performed on
        lo without SSL enabled and filtered to show only RTS packets.

Relevant RTS packets can be displayed using (dcerpc.pkt_type == 20) filter.

The patch also adds some fuzzy naming on RTS packets given the MS-RPCH specifications. They define these PDU bodies through the flags, number of commands fields and command sequences.

FYI, this capture was done between Outlook 2010 and Exchange 2010 using a local SSL proxy to avoid Diffie-Hellman algorithm usage (default with Exchange 2010).

In this scenario:
        - 192.168.0.120 is the Outlook 2010 client
        - 192.168.0.103 is the SSL proxy

I have also added to the email the dcerpc.idl patch for Samba4 which adds the associated IDL for RTS support:
00001-Add-ncacn_http-RTS-IDL-implementation-in-dcerpc.idl.patch

It probably doesn't respect the Samba4 usual naming convention, but I thought it would be more useful under this form so you can turn fields to any names you prefer.

Kind Regards,
Julien.

--
Julien Kerihuel
[email protected]
OpenChange Project Manager/Developer/Maintainer

GPG Fingerprint: 0B55 783D A781 6329 108A  B609 7EF6 FE11 A35F 1F79
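As an added illustration of the RTS PDU layout the mail refers to (flags, number-of-commands field, then a command sequence, all after the DCE RPC common header with pkt_type 20): a small Python dissector for that header. This is example code written for this page, not code from the patch, from Wireshark or from Samba4. The field layout, flag bits and command types follow my reading of MS-RPCH and should be checked against the specification; the sample PDUs at the bottom are constructed here and are not taken from the attached captures.

```python
import struct

# DCE RPC packet type of an RTS PDU (the dcerpc.pkt_type == 20 filter above)
RTS_PTYPE = 20

# RTS header flag bits (assumed from MS-RPCH; verify against the spec)
RTS_FLAGS = {
    0x0001: "RTS_FLAG_PING", 0x0002: "RTS_FLAG_OTHER_CMD",
    0x0004: "RTS_FLAG_RECYCLE_CHANNEL", 0x0008: "RTS_FLAG_IN_CHANNEL",
    0x0010: "RTS_FLAG_OUT_CHANNEL", 0x0020: "RTS_FLAG_EOF", 0x0040: "RTS_FLAG_ECHO",
}

# CommandType -> (name, fixed payload length); None marks the two variable-length commands
RTS_COMMANDS = {
    0x00: ("ReceiveWindowSize", 4), 0x01: ("FlowControlAck", 24),
    0x02: ("ConnectionTimeout", 4), 0x03: ("Cookie", 16), 0x04: ("ChannelLifetime", 4),
    0x05: ("ClientKeepalive", 4), 0x06: ("Version", 4), 0x07: ("Empty", 0),
    0x08: ("Padding", None), 0x09: ("NegativeANCE", 0), 0x0A: ("ANCE", 0),
    0x0B: ("ClientAddress", None), 0x0C: ("AssociationGroupId", 16),
    0x0D: ("Destination", 4), 0x0E: ("PingTrafficSentNotify", 4),
}


def build_rts_pdu(flags, commands, call_id=0):
    """Assemble an RTS PDU: 16-byte DCE RPC common header, 4-byte RTS header, commands."""
    body = b"".join(struct.pack("<I", ctype) + payload for ctype, payload in commands)
    # rpc_vers 5, minor 0, ptype 20, pfc_flags FIRST|LAST, little-endian drep, frag_length
    common = struct.pack("<BBBB4sHHI", 5, 0, RTS_PTYPE, 0x03, b"\x10\x00\x00\x00",
                         20 + len(body), 0, call_id)
    return common + struct.pack("<HH", flags, len(commands)) + body


def _command_length(name, fixed, data, off):
    """Payload length of the command whose CommandType field starts at `off`."""
    if fixed is not None:
        return fixed
    if off + 8 > len(data):
        raise ValueError(f"{name} header truncated")
    if name == "Padding":  # ConformanceCount (4 bytes) followed by that many bytes
        return 4 + struct.unpack_from("<I", data, off + 4)[0]
    # ClientAddress: AddressType (0 = IPv4, 1 = IPv6), the address, 12 bytes of padding
    address_type = struct.unpack_from("<I", data, off + 4)[0]
    return 4 + (4 if address_type == 0 else 16) + 12


def _decode_payload(name, payload):
    if name == "FlowControlAck":
        received, window = struct.unpack_from("<II", payload, 0)
        return {"BytesReceived": received, "AvailableWindow": window,
                "ChannelCookie": payload[8:].hex()}
    if len(payload) == 4:
        return struct.unpack("<I", payload)[0]
    return payload.hex() or None


def parse_rts_pdu(data):
    """Dissect one RTS PDU; every length is checked against frag_length before use."""
    if len(data) < 20:
        raise ValueError("PDU shorter than the 20-byte common + RTS header")
    rpc_vers, _minor, ptype, _pfc, drep, frag_length, _auth, call_id = \
        struct.unpack_from("<BBBB4sHHI", data, 0)
    if rpc_vers != 5 or ptype != RTS_PTYPE:
        raise ValueError(f"not an RTS PDU (rpc_vers={rpc_vers}, ptype={ptype})")
    if drep[0] & 0x10 == 0:
        raise ValueError("big-endian data representation not handled here")
    if frag_length > len(data):
        raise ValueError(f"frag_length {frag_length} exceeds the {len(data)} bytes captured")
    flags, ncmds = struct.unpack_from("<HH", data, 16)
    commands, off = [], 20
    for _ in range(ncmds):
        if off + 4 > frag_length:
            raise ValueError("NumberOfCommands runs past frag_length")
        ctype = struct.unpack_from("<I", data, off)[0]
        if ctype not in RTS_COMMANDS:
            raise ValueError(f"unknown RTS command type {ctype:#x}")
        name, fixed = RTS_COMMANDS[ctype]
        length = _command_length(name, fixed, data, off)
        if off + 4 + length > frag_length:
            raise ValueError(f"{name} payload runs past frag_length")
        commands.append((name, _decode_payload(name, data[off + 4:off + 4 + length])))
        off += 4 + length
    return {"call_id": call_id, "flags": flags,
            "flag_names": [n for bit, n in RTS_FLAGS.items() if flags & bit],
            "commands": commands}


# Constructed samples (not from the attached captures): a CONN/A1-shaped PDU carrying
# Version, two Cookie commands and ReceiveWindowSize, and a bare Ping with no commands.
SAMPLE_COOKIE = bytes(range(16))
SAMPLE_CONN_A1 = build_rts_pdu(0x0000, [
    (0x06, struct.pack("<I", 1)), (0x03, SAMPLE_COOKIE),
    (0x03, SAMPLE_COOKIE[::-1]), (0x00, struct.pack("<I", 0x40000)),
], call_id=1)
SAMPLE_PING = build_rts_pdu(0x0001, [])

if __name__ == "__main__":
    for pdu in (SAMPLE_CONN_A1, SAMPLE_PING):
        print(parse_rts_pdu(pdu))
```

The parser refuses to read past frag_length or past the captured bytes instead of silently skipping, which is the behaviour one wants from a dissector fed with truncated or hostile frames; the builder exists only so the samples can be assembled inline and round-tripped.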


CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and 
notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.