On Sat, Nov 04, 2000 at 06:53:32PM -0500, Todd Sabin wrote:
> So, assuming I (or someone) write a dissector that understands MSRPC,
> how does it get called in all of the various places that it might
> need to be?

The same way it gets done for dissectors that understand Sun's ONC RPC.
:-)

I.e., you'd use a heuristic dissector, as Richard mentioned. The ONC
RPC dissector's "handoff registration" routine - see "packet-rpc.c" -
does:

    old_heur_dissector_add("tcp", dissect_rpc);
    old_heur_dissector_add("udp", dissect_rpc);

which arranges that it be called after the TCP and UDP dissectors check
for:

    conversations (flows of packets between given addresses and
    ports) with particular dissectors associated with them;

    plugins;

    dissectors registered for particular port numbers;

    heuristic dissectors that registered themselves earlier and that
    returned FALSE.

The dissector should return TRUE if the packet is for the protocol the
dissector parses, FALSE otherwise.

For DCE^H^H^HMS RPC over SMB, you'd either have the SMB dissector
directly call the MSRPC dissector, if MSRPC-over-SMB packets can always
be identified by looking at the SMB part of the packet, or have it
create a heuristic dissector table, just as the TCP and UDP dissectors
do, and have the MSRPC dissector register itself in that table, as
above.

If there's also MSRPC over NBT, with no SMB involved, you'd do the same
with the NBT dissector. The same applies to IPX and SPX.

(MSRPC-over-SMB requires only that the SMB dissector handle MSRPC; it's
irrelevant what other transport layer SMB is running.)
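
The dispatch order described in this message, modelled as a stand-alone added example (not code from Ethereal or from the original post). The names heur_add, heur_try, register_rpc_heuristics and looks_like_* are hypothetical, the payloads are constructed, and the header checks are simplified assumptions about the ONC RPC and connection-oriented DCE/MS RPC headers.

```c
/* Added illustration: a stand-alone model of a heuristic dissector table.
 * heur_add/heur_try/looks_like_* are hypothetical names, not Ethereal's API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*heur_fn)(const uint8_t *pd, size_t len); /* nonzero = "mine" */
static heur_fn heur_table[8];
static size_t heur_count;

/* Register a heuristic dissector; entries are tried in registration order. */
static int heur_add(heur_fn fn) {
    if (heur_count == sizeof heur_table / sizeof heur_table[0]) return 0;
    heur_table[heur_count++] = fn;
    return 1;
}
/* Index of the first dissector that claims the payload, or -1 if none does. */
static int heur_try(const uint8_t *pd, size_t len) {
    for (size_t i = 0; i < heur_count; i++)
        if (heur_table[i](pd, len)) return (int)i;
    return -1;
}
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
/* ONC RPC: XID, then message type 0 (call, RPC version 2) or 1 (reply). */
static int looks_like_onc_rpc(const uint8_t *pd, size_t len) {
    if (len < 12) return 0;
    if (be32(pd + 4) == 0) return be32(pd + 8) == 2;
    return be32(pd + 4) == 1 && be32(pd + 8) <= 1; /* reply_stat 0 or 1 */
}
/* Connection-oriented DCE/MS RPC: version 5.0 or 5.1, sane fragment length. */
static int looks_like_msrpc(const uint8_t *pd, size_t len) {
    if (len < 16 || pd[0] != 5 || pd[1] > 1) return 0;
    int le = (pd[4] & 0xF0) == 0x10; /* data representation: little-endian */
    unsigned frag = le ? (pd[8] | (pd[9] << 8)) : ((pd[8] << 8) | pd[9]);
    return frag >= 16; /* a fragment is at least the 16-byte common header */
}
static void register_rpc_heuristics(void) {
    heur_add(looks_like_onc_rpc);
    heur_add(looks_like_msrpc);
}
/* Constructed sample payloads (not captured traffic). */
static const uint8_t onc_call[16] = {0,0,0,1, 0,0,0,0, 0,0,0,2, 0,1,0x86,0xa3};
static const uint8_t msrpc_bind[16] = {5,0,0x0b,3, 0x10,0,0,0, 0x48,0, 0,0, 1,0,0,0};
static const uint8_t other[16] = "GET / HTTP/1.0\r";

int main(void) {
    register_rpc_heuristics();
    printf("%d %d %d\n", heur_try(onc_call, 16), heur_try(msrpc_bind, 16), heur_try(other, 16));
    return 0;
}
```

The MSRPC payload is claimed by the second entry only because the ONC RPC check, registered first, declined it; a check that is too permissive would take packets away from every dissector registered after it.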