Wireshark · Ethereal-dev: Re: [Ethereal-dev] DCERPC-LSA

Ethereal-dev: Re: [Ethereal-dev] DCERPC-LSA

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Pia Sahlberg" <piabar@xxxxxxxxxxx>

Date: Tue, 23 Apr 2002 03:58:26 +0000

So the currently missing LSA call dissectors, such as LSALOOKUPNAMES,
which were in the old dissector, will reappear at some point?


Yes, I will implement the ones missing from the original one
to be functionally equivalent as the original ones.

I am not too sure about the other missing ones since the idl file:
lsarpc.idl is very different/incompatible with the muddle generated one
lsa-muddle.idl for the missing calls.

I expect the muddle one being more correct as for what types the packets
contain but can not be sure.

Any captures for "missing" lsa calls would be appreciated since it wouldallow whether it is lsarpc.idl or lsa-muddle.idl that is correct.

Alternatively, I can just ignore lsa-muddle.idl completely and justimplement everything as described in lsarpc.idl? comments?



Different topic:

Guy, the changes you made to the dissection of the NT Security descriptor inpacket-smb.c , well , this structure is NOT described as just a blob inlsa-muddle.idl.lsa-muddle.idl which is a machine generated idl file for the lsa interfaceactually has a complete NDR representation of this very structure.


The NDR representation is byte compatible with what is in packet-smb.c

if one chooses the UNIQUE pointers (which are just NULL or non-NULL) ((wherenon-NULL just means the pointer points to a structure, the pointer value,non-NULL, can be any arbitrary value))

It is perfectly legal for a LSA implementation to choose the pointers whenthey should be non-NULL as being the offset which SMB uses.

According to lsa-muddle.idl these are unique pointers so it would be

perfectly legal as well to choose these pointers when non-NULL to alwayshave the value 0x01, though then it would not be compatilbe with theoriginal NT Security Descriptor dissector in packet-smb.c

I.e. NT Security Descriptor when used from LSA/(and other interfaces aswell) ARE NDR encoded structures.They just happen to have an indentical representation to whatSMB/Transaction use if one chooses the Unique pointer values carefully.


best regards

 ronnie sahlberg



_________________________________________________________________

Join the worlds largest e-mail service with MSN Hotmail.http://www.hotmail.com

Follow-Ups:
- Re: [Ethereal-dev] DCERPC-LSA
  - From: Guy Harris
- Re: [Ethereal-dev] DCERPC-LSA
  - From: Todd Sabin

Prev by Date: Re: [Ethereal-dev] Re: Names for DCE RPC calls - why more than one?
Next by Date: Re: [Ethereal-dev] DCERPC-LSA
Previous by thread: Re: [Ethereal-dev] DCERPC-LSA
Next by thread: Re: [Ethereal-dev] DCERPC-LSA
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$