Patches for packet-http.c, packet-dcerpc.c, packet-dcerpc-epm.c that add
dissection of RPC over HTTP.
In addition, the HTTP patch changes the 'Continuation' information to
'Continuation or non HTTP traffic', which is sometimes the case...
Index: packet-dcerpc.c
===================================================================
--- packet-dcerpc.c (revision 12680)
+++ packet-dcerpc.c (working copy)
@@ -4874,5 +4874,6 @@
heur_dissector_add ("netbios", dissect_dcerpc_cn_pk, proto_dcerpc);
heur_dissector_add ("udp", dissect_dcerpc_dg, proto_dcerpc);
heur_dissector_add ("smb_transact", dissect_dcerpc_cn_smbpipe, proto_dcerpc);
+ heur_dissector_add ("http", dissect_dcerpc_cn_bs, proto_dcerpc);
dcerpc_smb_init(proto_dcerpc);
}
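Review bot: The added `heur_dissector_add ("http", dissect_dcerpc_cn_bs, proto_dcerpc);` depends on a heuristic list named "http", and none of the packet-http.c hunks in this patch register or invoke one. Please confirm the list already exists at revision 12680. From this line on, payloads the HTTP dissector offers to that list are tested as DCE/RPC, so the acceptance check inside `dissect_dcerpc_cn_bs` (not visible here) decides how much untrusted web traffic reaches the DCE/RPC parser and should be reviewed for strictness. A comment above the line would help, e.g. `/* RPC over HTTP: tunnelled payloads are offered to this heuristic by the HTTP dissector */`. The enclosing function starts outside the hunk.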
Index: packet-http.c
===================================================================
--- packet-http.c (revision 12680)
+++ packet-http.c (working copy)
@@ -347,7 +347,7 @@
col_add_str(pinfo->cinfo, COL_INFO,
format_text(line, first_linelen));
else
- col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
+ col_set_str(pinfo->cinfo, COL_INFO, "Continuation or non HTTP traffic");
}
orig_offset = offset;
@@ -1239,6 +1239,9 @@
} else if (strncmp(data, "UNSUBSCRIBE", index) == 0) {
*type = HTTP_NOTIFICATION;
isHttpRequestOrReply = TRUE;
+ } else if (strncmp(data, "RPC_CONNECT", index) == 0) {
+ *type = HTTP_REQUEST;
+ isHttpRequestOrReply = TRUE;
}
break;
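Review bot: Only `RPC_CONNECT` is recognised in this chain, so the other RPC over HTTP methods, `RPC_IN_DATA` and `RPC_OUT_DATA`, would presumably still end up labelled "Continuation or non HTTP traffic". If this branch is selected by method length, as the neighbouring 11-character `UNSUBSCRIBE` suggests, `RPC_IN_DATA` belongs in the same chain as `} else if (strncmp(data, "RPC_IN_DATA", index) == 0) {` with the same two assignments. `RPC_OUT_DATA` would go in the 12-character case. The surrounding switch begins and ends outside the hunk, so the length dispatch is inferred.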
Index: packet-dcerpc-epm.c
===================================================================
--- packet-dcerpc-epm.c (revision 12680)
+++ packet-dcerpc-epm.c (working copy)
@@ -67,7 +67,7 @@
static int hf_epm_proto_ip = -1;
static int hf_epm_proto_udp_port = -1;
static int hf_epm_proto_tcp_port = -1;
-
+static int hf_epm_proto_http_port = -1;
static gint ett_epm = -1;
static gint ett_epm_tower_floor = -1;
static gint ett_epm_entry = -1;
@@ -273,7 +273,7 @@
#define PROTO_ID_UNIX_DOMAIN 0x20
#define PROTO_ID_NULL 0x21
#define PROTO_ID_NETBIOS_3 0x22
-
+#define PROTO_ID_HTTP 0x1f
static const value_string proto_id_vals[] = {
{ PROTO_ID_OSI_OID, "OSI OID"},
{ PROTO_ID_DNA_SESSCTL, "DNA Session Control"},
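Review bot: Style: `#define PROTO_ID_HTTP 0x1f` is placed after `PROTO_ID_NETBIOS_3 0x22` and replaces the blank line that separated the defines from `proto_id_vals[]`. It would read better inserted before `PROTO_ID_UNIX_DOMAIN 0x20` with the blank line kept. The same blank-line replacement happens in the first hunk of this file, where `hf_epm_proto_http_port` now sits directly against the `ett_` declarations. In the table hunk, `{PROTO_ID_HTTP, "RPC over HTTP"},` is missing the space after `{` that every other entry has.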
@@ -303,6 +303,7 @@
{ PROTO_ID_UNIX_DOMAIN, "Unix Domain Socket"},
{ PROTO_ID_NULL, "null"},
{ PROTO_ID_NETBIOS_3, "NetBIOS"},
+ {PROTO_ID_HTTP, "RPC over HTTP"},
{ 0, NULL},
};
@@ -415,7 +416,11 @@
proto_tree_add_item(tr, hf_epm_proto_netbios_name, tvb, offset, len, TRUE);
proto_item_append_text(tr, "NetBIOS:%*s",MIN(len,tvb_length_remaining(tvb, offset)), tvb_get_ptr(tvb, offset, -1));
break;
-
+ case PROTO_ID_HTTP: /* RPC over HTTP */
+ proto_tree_add_item(tr, hf_epm_proto_http_port, tvb, offset, 2, FALSE);
+ proto_item_append_text(tr, "RPC over HTTP Port:%d", tvb_get_ntohs(tvb, offset));
+ break;
+
default:
if(len){
proto_tree_add_text(tr, tvb, offset, len, "not decoded yet");
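Review bot: The new `PROTO_ID_HTTP` case reads a fixed two bytes at `offset` without consulting `len`, so a tower floor whose right-hand side is shorter than 2 bytes would be dissected using bytes that belong to whatever follows it. A guard such as `if (len < 2) { proto_tree_add_text(tr, tvb, offset, len, "not decoded yet"); break; }` before the `proto_tree_add_item` call would keep the read inside the floor. The TCP and UDP port cases may need the same check, but they are outside the hunk. Separately, the NetBIOS context line above uses `%*s`, which sets a minimum field width rather than a maximum, so the printed string is not bounded by `len`; `%.*s` would bound it. The switch itself starts and ends outside the hunk.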
@@ -707,6 +712,8 @@
{ "UDP Port", "epm.proto.udp_port", FT_UINT16, BASE_DEC, NULL, 0x0, "UDP Port where this service can be found", HFILL }},
{ &hf_epm_proto_tcp_port,
{ "TCP Port", "epm.proto.tcp_port", FT_UINT16, BASE_DEC, NULL, 0x0, "TCP Port where this service can be found", HFILL }},
+ { &hf_epm_proto_http_port,
+ { "TCP Port", "epm.proto.http_port", FT_UINT16, BASE_DEC, NULL, 0x0, "TCP Port where this service can be found", HFILL }},
{ &hf_epm_tower_rhs_len,
{ "RHS Length", "epm.tower.rhs.len", FT_UINT16, BASE_DEC, NULL, 0x0, "Length of RHS data", HFILL }},
{ &hf_epm_tower_lhs_len,
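Review bot: The new `hf_epm_proto_http_port` entry reuses the label "TCP Port" and the blurb of `hf_epm_proto_tcp_port`, so the two fields are indistinguishable in the protocol tree, even though the filter name is `epm.proto.http_port`. I would name it for what it is, e.g. `{ "HTTP Port", "epm.proto.http_port", FT_UINT16, BASE_DEC, NULL, 0x0, "TCP Port where the RPC over HTTP service can be found", HFILL }},`. The `hf` array this entry belongs to begins and ends outside the hunk.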