Wireshark · Ethereal-dev: Re: [Ethereal-dev] dcerpc and samr patches

Ethereal-dev: Re: [Ethereal-dev] dcerpc and samr patches

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <sahlberg@xxxxxxxxxxxxxxxx>

Date: Mon, 11 Feb 2002 09:46:34 +1100

Thanks a lot for the fixes.

I will look into LookupRids shortly and fix it.
I will also see if similar bugs are present in similar calls as well.
A capture for testing is very apreciated.


----- Original Message ----- 
From: "Todd Sabin" 
Cc: <ethereal-dev@xxxxxxxxxxxx>
Sent: Monday, February 11, 2002 8:36 AM
Subject: [Ethereal-dev] dcerpc and samr patches


> 
> Hi,
> 
> The attached patch fixes a couple things in dcerpc and samr.
> 
> o dissect dcerpc UDP replies correctly.  Currently, it uses the opnum
> from the reply packet.  This is frequently wrong in MS's
> implementation, so the patch fixes it to use the opnum from the
> request.  (I think it used to work this way before the dcerpc
> matching code went in, but I'm not sure.)
> 
> o don't crash if the packet isn't found in the hash tables.  If a
> dcerpc packet is encapsulated in an ICMP redirect, e.g., the dcerpc
> layer won't be called on the first pass over the capture.  If the
> packet is then selected, there will be no entry in the hash tables for
> it, which can cause ethereal to coredump.  The patch dummies up an
> entry based on the packet.
> 
> o dissect SamrLookupDomain requests properly.  The current dissector
> is incorrect.
> 
> 
> Also, the dissector for SamrLookupRids reply is slightly wrong.  I
> don't have a patch for that, but here's why it's getting it wrong:
> The first out parameter is [out] NAMES *pNames, where NAMES is
> 
> typedef struct _NAMES {
>     ULONG Count;
>     [size_is (Count)] UNICODE_STRING *Names;
> } NAMES;
> 
> So, the first thing is a top-level [ref] pointer, which is handed to
> dissect_ndr_pointer.  It knows there is no wire representation for top
> level [ref] pointers, so it tries to dissect the referent.  That
> _should_ dissect Count, and then dissect_ndr_pointer for Names.  But
> it first is checking for conformant data.  There isn't any at this
> level, but it thinks that there is, so everything ends up shifted by
> 4 bytes.  :(  Not sure exactly how to fix that right now...
> 
> Guy and Ronnie, I'm sending captures which illustrate the above in a
> separate mail.  Feel free to share them with others, I just don't want
> to spam the list.  They are a small sniff with an ICMP redirected
> dcerpc call, and a largish sniff showing EPM and SAMR done over
> UDP...
> 
> 
> Todd
> 
>

References:
- [Ethereal-dev] dcerpc and samr patches
  - From: Todd Sabin

Prev by Date: Re: [Ethereal-dev] ARP filter
Next by Date: Re: [Ethereal-dev] dcerpc and samr patches
Previous by thread: [Ethereal-dev] dcerpc and samr patches
Next by thread: Re: [Ethereal-dev] dcerpc and samr patches
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$