Ethereal-dev: Re: [Ethereal-dev] ntlmssp decoding

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <sahlberg@xxxxxxxxxxxxxxxx>
Date: Sun, 7 Jul 2002 09:05:21 +1000
Hi,

I think Todd is right. These fields are not NDR encoded so it was already
fine.
Disregard my comment about endianness and using dissect_ndr_xxx().

Update the patch and post it again.
If you want to I can then change it into a subdissector in a separate file
so other protocols can use it as well.
It is fairly easy if one knows what needs to be done.


---
If you want to try implementing these changes yourself this is what to do in
packet-ntlmssp.c (perhaps use packet-data.c as a skeleton):
1, Create a new file packet-ntlmssp.c (or any other name if more
appropriate).
2, Update Makefile.am and Makefile.nmake to reflect the new file.
3, In proto_register_ntlmssp()
    make sure to create and define the hf_register_info array
    and do the calls
    proto_register_protocol()
    proto_register_field_array()
    (and if you use ett's, proto_register_subtree_array())
4, I don't think you will need a proto_reg_handoff_ntlmssp() function at all.
5, In dissect_ntlmssp()
    place all the code to dissect the block there.

In packet-dcerpc.c
6, Add a global:   static dissector_handle_t ntlmssp_handle=NULL;
7, Down in proto_reg_handoff_dcerpc()
    add the line:    ntlmssp_handle=find_dissector("ntlmssp");
When you need to call the ntlmssp dissector from dcerpc:
8, Where you find a ntlmssp blob to dissect, first create a new TVB
structure that only spans the bytes used for the ntlmssp blob,
    something like:  ntlmssp_tvb=tvb_new_subset(tvb, offset, length,
reported_length);
Length is the length of the ntlmssp blob to dissect. Creating a new tvb
subset is to prevent the subdissector from going outside its bounds when
dissecting the blob.
9, Then just call the ntlmssp dissector through its handle:
    call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree);

I think that should be it.
Then others could use the NTLMSSP dissector as well by just repeating the
small steps 6-9 in their dissector.
SMB comes to mind and could probably use this.



----- Original Message -----
From: "dheitmueller"
Sent: Sunday, July 07, 2002 4:14 AM
Subject: Re: [Ethereal-dev] ntlmssp decoding


>
> Hello Todd,
>
> I will do some digging and see if there is any mention of the endianness
> for the fields in question.
>
> You are absolutely correct in that the NTLMSSP code should only be invoked
> if the DCE/RPC auth_type is '10'.  I will make the appropriate change.
>
> Regarding the creation of a sub-dissector, this is a good idea.  However,
> I think initially, I will focus on the proper decoding of the fields for the
> DCE/RPC packets.  Once I have this done, it should not be too difficult for
> me to break the code into its own dissector.  Admittedly, a large influence
> on this decision is that I have never written a sub-dissector, and will have
> to look at some of the other dissectors to see how it is done.
>
> Any recommendations you could make on examples of the 'model dissector'
> would be appreciated.  Since I will probably copy another dissector when
> writing mine, it would be helpful to use one of the better written
> dissectors as a starting point.
>
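Ronnie's steps 5, 8 and 9 (the subset TVB and the handoff, plus the auth_type 10 check Todd asked for) as a self-contained model, added here as an example and not code from the Ethereal source. The tvb_t type, tvb_subset(), tvb_get_letohl(), run_case() and the sample packet bytes are stand-ins constructed for this example, not the real epan API; they show why the subset TVB keeps a subdissector from reading past the blob.

```c
#include <stdint.h>
#include <string.h>
/* Minimal model of an Ethereal tvbuff (assumption: not the real epan API). */
typedef struct { const uint8_t *data; size_t length, reported_length; } tvb_t;

/* Model of tvb_new_subset() (step 8): refuse a window that does not fit in the parent. */
static int tvb_subset(const tvb_t *p, size_t off, size_t len, size_t rep, tvb_t *out)
{
    if (off > p->length || len > p->length - off)
        return 0;                       /* blob claims bytes the capture lacks */
    out->data = p->data + off; out->length = len; out->reported_length = rep;
    return 1;
}

/* Bounds-checked little-endian read: NTLMSSP fields are not NDR encoded, so the
 * byte order is fixed rather than taken from the DCE/RPC header. */
static int tvb_get_letohl(const tvb_t *t, size_t off, uint32_t *v)
{
    if (off > t->length || t->length - off < 4)
        return 0;                       /* short read inside the subset */
    const uint8_t *b = t->data + off;
    *v = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 1;
}

/* Model of dissect_ntlmssp() (step 5): returns the message type (1 Negotiate,
 * 2 Challenge, 3 Authenticate) or -1 for a bad or truncated header. */
static int dissect_ntlmssp(const tvb_t *t)
{
    uint32_t type;
    if (t->length < 8 || memcmp(t->data, "NTLMSSP", 8) != 0)  /* 8 = with NUL */
        return -1;
    if (!tvb_get_letohl(t, 8, &type) || type < 1 || type > 3)
        return -1;
    return (int)type;
}

/* Model of the DCE/RPC caller (steps 8-9): hand off only auth_type 10, and only
 * through a subset TVB carved from the blob's own bytes. */
static int dcerpc_handoff(const tvb_t *pkt, uint8_t auth_type, size_t off, size_t len)
{
    tvb_t blob;
    if (auth_type != 10) return -2;                          /* not NTLMSSP */
    if (!tvb_subset(pkt, off, len, len, &blob)) return -3;   /* blob overruns capture */
    return dissect_ntlmssp(&blob);
}

/* Constructed sample: 8 stand-in DCE/RPC bytes, then an NTLMSSP Negotiate header. */
static const uint8_t sample_pkt[24] = {
    0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,
    'N','T','L','M','S','S','P',0x00, 0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };
static int run_case(uint8_t auth_type, size_t off, size_t len)
{
    tvb_t pkt = { sample_pkt, sizeof sample_pkt, sizeof sample_pkt };
    return dcerpc_handoff(&pkt, auth_type, off, len);
}
```

run_case(10, 8, 16) returns 1 (Negotiate); a blob length that overruns the capture is rejected before the subdissector sees it, and a blob cut short after the signature fails the bounds-checked field read instead of reading neighbouring bytes.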