Wireshark · Ethereal-dev: Re: [Ethereal-dev] some dcerpc and nbss updates

Ethereal-dev: Re: [Ethereal-dev] some dcerpc and nbss updates

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>

Date: Fri, 28 Sep 2001 15:50:35 -0700 (PDT)

> The attached diff contains code to do two things.
> 
> 1.  dissect the auth info in connection oriented dcerpc packets.

Checked in.

> 2.  modifies packet-nbns.c to use pass off netbios session packets to
> heuristic dissectors, and packet-dcerpc.c registers itself there.

I've checked in a variant of that.  Instead of just modifying the NBSS
dissector, I've created a new "dissect_netbios_payload()" routine,
called by the NetBIOS-over-802.2 (NetBEUI or NBF), NetBIOS-over-IPX, and
NetBIOS-over-TCP datagram and session service dissectors.

That routine has the heuristic dissector calls, as well as the SMB
dissector call.  I've also made the SMB dissector heuristic (although
it's still a special dissector; once it's tvbuffified, it can become a
normal heuristic dissector), so that it doesn't dissect anything that
doesn't being with 0xFF S M B.

> Note that for this to work, I've had to comment out the #define RJSHACK,

I left that in, but removed the check for 0xFF S M B; it still checks
for valid NBSS packet types.

> because it's just, well, wrong.  I think the correct solution is to
> make the SMB dissector a heuristic dissector as well, and then if no
> dissector claims a nbns packet, do the stuff in the RJSHACK code.

Unfortunately, it's a bit more complicated - "dissect_nbss()" dissects
*multiple* NBSS packets within the data it's handed, and it doesn't call
"dissect_netbios_payload()" until after it's dissected the NBSS header
and put it into the protocol tree.

In order to do that, we'd have to split heuristic dissectors into a
heuristic routine and a dissector routine - the first of them would
check the packet data and return TRUE or FALSE, but would not put
anything into the protocol tree, and the second of them would dissect
without doing any checks or returning any matched/not matched value.

Then "dissect_nbss_packet()" would have to call the heuristic routines
*before* putting anything into the protocol tree; presumably the routine
to call the heuristic routines could return either a pointer to the
right dissector routine or NULL.

References:
- [Ethereal-dev] some dcerpc and nbss updates
  - From: Todd Sabin

Prev by Date: Re: [Ethereal-dev] Cont: Patch: Addition of push-traffic to WSP.
Next by Date: [Ethereal-dev] DCERPC Data Representation field
Previous by thread: Re: [Ethereal-dev] some dcerpc and nbss updates
Next by thread: [Ethereal-dev] patch for packet-ip.c
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$