Ethereal-dev: Re: [Ethereal-dev] SPOOLSS, msrpc dissection, please comment

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Todd Sabin <tas@xxxxxxxxxxx>
Date: 07 Dec 2001 22:06:36 -0500
Tim Potter <tpot@xxxxxxxxx> writes:

> On Thu, Dec 06, 2001 at 03:20:15PM -0500, Todd Sabin wrote:
> 
> > > Those dissectors are, from their entries in the list of protocols in the
> > > Netmon GUI for constructing display filters, "generated RPC parsers for
> > > interface XXX"; I assume this means they have something that reads a
> > > DCERPC IDL file and emits a parser.
> > 
> > Yes, I'm fairly sure they do, although some of their generated parsers
> > don't seem to be completely correct.  I only point that out as an
> > indication that it's a non-trivial task.
> 
> There are quite a lot of bugs in netmon if you use it for any length of
> time.  I'm also including the fact that it's really hard to decode the
> output as a bug and the fact that most pipes are deliberately not
> decoded (samr, spoolss for example).
> 

Those are more like missing features to me.  :) Besides, you can write
your own netmon plugins, too.  E.g., http://www.webspan.net/~tas/netmon
Of course, ethereal is better than netmon+those at this point.

> > Absolutely.  Long term, I plan to do that, unless someone else gets
> > there first, of course.  I currently have an IDL parser that can
> > output a bare dissector given a .idl.  (By 'bare' I mean putting the
> 
> What kind of parser are you using?  I have modified one written by
> Andrew Tridgell (in perl using Parse::RecDescent) that is spitting
> out pretty nice code so far.  I can do functions, recursive structures,
> unions, pointers and arrays.
> 
> I'm still a way from submitting code though.
> 

I wrote a traditional lex/yacc parser based on the specs at
http://www.opengroup.org/onlinepubs/9629399/toc.htm.  I can parse most
of the stuff in the spec, but generating stubs or code is a ways off.
What kind of code are you spitting out?  ethereal dissector?  rpc stubs?

> > enhance that, or just modify the one from freedce.  I need to grok how
> > freedce does things first, though, and I haven't had the time to
> > devote to it.  :(
> 
> Getting structures with simple types, pointers and arrays right is
> pretty hairy.  Luckily the Samba rpc_parse code is there for
> reference.
> 

Honestly, I think you'd do better to refer to the NDR specs inside
http://www.opengroup.org/onlinepubs/9629399/toc.htm.  Last time I
looked, the samba parse code had lots of "unknown_N" stuff in it which
is explained by the rules of NDR.  If you've never looked at the stuff
on the wire, the NDR explanation might be somewhat bewildering.  OTOH,
if you have looked at the stuff on the wire, but not the NDR docs,
you'll find lots of light bulbs going on as you read it and compare
with traces.


Todd
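As an added illustration of the point about NDR rules explaining "unknown_N" fields (this is example code written for this archive page, not code from the thread, Samba, or Ethereal): a minimal decoder for a hypothetical structure `struct { uint16 level; hyper stamp; uint32 flags; [unique] wchar_t *name; }` that applies NDR natural alignment, reads the 4-byte referent id that stands in for the pointer, and then reads the deferred conformant varying string. It records every padding gap it skips, which is exactly the kind of byte run a hand-written parser tends to label "unknown". The sample buffer is constructed by hand, not captured from the wire.

```python
import struct

def align(pos, size):
    # NDR aligns every primitive to its natural size (2, 4 or 8 bytes),
    # counted from the start of the stub data; the skipped bytes are padding.
    return (pos + size - 1) & ~(size - 1)

def prim(buf, pos, fmt, size, pad):
    # Read one little-endian primitive after aligning; note any gap skipped.
    new = align(pos, size)
    if new != pos:
        pad.append((pos, new - pos))      # where the "unknown" bytes came from
    return struct.unpack_from('<' + fmt, buf, new)[0], new + size

def wstring(buf, pos, pad):
    # Conformant varying string: max_count, offset, actual_count, then
    # actual_count UTF-16LE code units including the terminating NUL.
    max_count, pos = prim(buf, pos, 'I', 4, pad)
    offset, pos = prim(buf, pos, 'I', 4, pad)
    actual, pos = prim(buf, pos, 'I', 4, pad)
    if offset != 0 or actual > max_count:
        raise ValueError('inconsistent conformant/varying header')
    raw = buf[pos:pos + 2 * actual]
    return raw.decode('utf-16-le').rstrip('\0'), pos + 2 * actual

def decode_record(buf):
    # Hypothetical IDL: struct { uint16 level; hyper stamp; uint32 flags;
    #                            [unique] wchar_t *name; }
    pad = []
    level, pos = prim(buf, 0, 'H', 2, pad)
    stamp, pos = prim(buf, pos, 'Q', 8, pad)   # forces 6 bytes of padding
    flags, pos = prim(buf, pos, 'I', 4, pad)
    ref_id, pos = prim(buf, pos, 'I', 4, pad)  # pointer -> 4-byte referent id
    name = None
    if ref_id != 0:                            # non-NULL: referent is deferred
        name, pos = wstring(buf, pos, pad)     # and follows the structure
    return {'level': level, 'stamp': stamp, 'flags': flags, 'name': name,
            'padding': pad, 'consumed': pos}

# Constructed sample encoding (not a captured packet).
SAMPLE = bytes([
    0x01, 0x00,                                      # level = 1
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,              # padding to 8-byte boundary
    0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01,  # stamp = 0x0102030405060708
    0x03, 0x00, 0x00, 0x00,                          # flags = 3
    0x00, 0x00, 0x02, 0x00,                          # referent id 0x00020000
    0x04, 0x00, 0x00, 0x00,                          # max_count = 4
    0x00, 0x00, 0x00, 0x00,                          # offset = 0
    0x04, 0x00, 0x00, 0x00,                          # actual_count = 4
    0x61, 0x00, 0x62, 0x00, 0x63, 0x00, 0x00, 0x00,  # "abc\0" UTF-16LE
])
```

Decoding `SAMPLE` yields `name == 'abc'` and `padding == [(2, 6)]`, i.e. the six bytes after `level` are alignment, not a hidden field.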