Ethereal-dev: RE: [Ethereal-dev] Any chance to get something like "decode as" for DCE-RPC inter
Hi Ulf..
I knocked together a little patch which infers the bind type for
a few CIFS UUIDs, based on the opnum. Have attached a version
for 0.10.6. This approach is a horrible kludge, but it has done
the job for me for a while now. The code at least points the way
to a correct fix, especially now that our resident UI expert
is interested. :-)
[Had toyed with the idea of adding a GUI some months ago, but the
prospect of leaping into a totally unfamiliar area (I don't do UI
in general, and have zero experience with GTK) has kept me hobbling
along with the attached patch.]
Inside the DCERPC code, it keeps a table mapping from a
(conversation,context id) pair to an associated binding.
The code just after the patch's added switch statement in
epan/dissectors/packet-dcerpc.c
is what makes it work. If those key values can be obtained
from whatever context the "Decode As" dialog has available, then
it should be very simple to give the conversation a binding.
The "key" value used to look up the proper binding contains a
conversation identifier (from find_conversation()), and a context ID
which is apparently dissected out of the DCE packet (see the top of
dissect_dcerpc_cn_rqst() in packet-dcerpc.c).
Not sure how hard it would be to extract these values from the
highlighted packet.
Ideally, the "Decode As" dialog could reach in and grab the values
from the partially-dissected DCERPC packet. Afraid I don't know
how to do that though.
I assume you're thinking of adding a new "DCERPC" tab to the
"Decode As" dialog?
regards,
Eric Wedel, Bluearc Engineering
-----Original Message-----
From: ethereal-dev-bounces@xxxxxxxxxxxx
[mailto:ethereal-dev-bounces@xxxxxxxxxxxx]On Behalf Of Ulf Lamping
Sent: Wednesday, August 18, 2004 11:04 AM
To: Ethereal-Dev
Subject: [Ethereal-dev] Any chance to get something like "decode as" for DCE-RPC interfaces?
Hi List!
I have an ongoing problem with DCE-RPC (DCOM) calls.
If I couldn't get the context of a DCE-RPC call (because I've missed the
"bind" or "alter context" packets), Ethereal can't get a match between
the conversation and the corresponding DCE-RPC call dissection.
It would be *very nice* to have the "Decode As" feature for DCE-RPC
interfaces, so the user could select a specific RPC interface for a
specific conversation.
Had a short look into the decode as dialog, but as I'm not really
familiar with the dissection engine, I don't see an easy way to add this
feature.
Anyone interested in implementing such a feature, or at least give an
estimation how much effort it would be to implement it and how?
Regards, ULFL
Attachment:
eth0.10.6.patch
Description: eth0.10.6.patch
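
The lookup described in the reply above, modelled as a small stand-alone program. This is an added example, not part of the original message, the attached patch, or Ethereal's source: the names `bind_entry`, `bind_add`, `bind_lookup` and `bind_reset`, the numeric conversation IDs, and the interface names are all constructed for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for the dissector's binding table (hypothetical names). */
#define MAX_BINDS 16
typedef struct {
    uint32_t conv_id;   /* stands in for what find_conversation() identifies */
    uint16_t ctx_id;    /* context ID dissected from the request PDU */
    const char *iface;  /* interface bound to this (conversation, ctx) pair */
} bind_entry;

static bind_entry bind_table[MAX_BINDS];
static int n_binds;

void bind_reset(void) { n_binds = 0; }

/* Record a binding. In a capture this happens when a "bind" or "alter
 * context" PDU is seen; a "Decode As" entry would call the same routine
 * with key values taken from the selected packet. */
int bind_add(uint32_t conv_id, uint16_t ctx_id, const char *iface)
{
    for (int i = 0; i < n_binds; i++)
        if (bind_table[i].conv_id == conv_id && bind_table[i].ctx_id == ctx_id) {
            bind_table[i].iface = iface;   /* replace an existing binding */
            return 0;
        }
    if (n_binds == MAX_BINDS)
        return -1;                          /* table full */
    bind_table[n_binds++] = (bind_entry){ conv_id, ctx_id, iface };
    return 0;
}

/* Per-request lookup. NULL means no binding is known for the pair, so
 * no interface-specific dissection can be chosen for the call. */
const char *bind_lookup(uint32_t conv_id, uint16_t ctx_id)
{
    for (int i = 0; i < n_binds; i++)
        if (bind_table[i].conv_id == conv_id && bind_table[i].ctx_id == ctx_id)
            return bind_table[i].iface;
    return NULL;
}

int main(void)
{
    const char *r;
    bind_add(1, 0, "samr");                 /* conv 1: bind PDU was captured */
    r = bind_lookup(1, 0); printf("conv 1 ctx 0: %s\n", r ? r : "(no binding)");
    r = bind_lookup(2, 0); printf("conv 2 ctx 0: %s\n", r ? r : "(no binding)");
    bind_add(2, 0, "lsarpc");               /* user-supplied binding for conv 2 */
    r = bind_lookup(2, 0); printf("conv 2 ctx 0: %s\n", r ? r : "(no binding)");
    return 0;
}
```

Conversation 2 models a capture that started after the bind exchange: the request carries a context ID, but nothing maps it to an interface until an entry is added by hand.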