Wireshark · Ethereal-dev: Re: [Ethereal-dev] MAPI

Ethereal-dev: Re: [Ethereal-dev] MAPI

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <sahlberg@xxxxxxxxxxxxxxxx>

Date: Fri, 24 May 2002 18:57:59 +1000

Hi,

I might do a serious/in-depth attempt at MAPI depending on what feedback i
get.
I there is no interest in it, well, i might find something more interesting
to do instead.
In order to do this it would certainly be nice to get some assistance, for
example
example captures from others. And something which would be very nice would
be if someone
has a copy of the muddle tool from the defunct freedce project. I have tried
to locate muddle but
failed. Muddle generated output for the MAPI interface would be VERY useful.

I am fairly certain that opnum12 contains a cleartext union and I think
looks fairly easy/possible
to reconstruct the types in it.  If it is a union I think case 2: would look
something like :
case 2: [out, unique] *type_2

where type_2 is something like

  type_2 {
    long length;
    [size_is(length)]  type_3    /*NOT A POINTER !!!*/
 }

I will need to add support to reassemble DCERPC fragments to do this. I have
examples of MAPI PDUs fragmented into several DCERPC fragments to look at.

Other captures with opnum 12 would be welcome, especially if the first 2
bytes are NOT 0x0002

Opnum 2, seems to where most of the traffic/operastions between the client
abnd the exchange server is made. This function consists of one large
unidimensional varying and conformant array of bytes.
Bytes that are encrypted in some way.
The encryption seems not to be too sophisticated since there is very little
randomness in the data,
0xa5 occurs farily often. I will try some stuff like xoring this all with
0xa5, subtracting 0xa5 etc etc
until I either give up or end up with something that looks like it could be
NDR encoded data.
unique poitners and conformant [and variable] arrays are pretty easy to
spot, so hopefully there are lots of
such entities in teh captures.

Do you want to work with me in reversing the MAPI interface?

(Do you by any chance have an IDL file for the NPSI interface you checked
in? Want to have it implemented?
send it to me and it will happen)

----- Original Message -----
From: "Todd Sabin" Sent: Friday, May 24, 2002 8:52 AM
Subject: Re: [Ethereal-dev] MAPI

> Guy Harris wrote:
>
> > On Fri, May 24, 2002 at 07:48:04AM +1000, Ronnie Sahlberg wrote:
> > > I checked in an initial DCERPC MAPI stub dissector.
>
> Cool.  Are you planning to look at MAPI in depth?

References:
- [Ethereal-dev] MAPI
  - From: Ronnie Sahlberg
- Re: [Ethereal-dev] MAPI
  - From: Guy Harris
- Re: [Ethereal-dev] MAPI
  - From: Todd Sabin

Prev by Date: Re: [Ethereal-dev] [PATCH] packet-radius.c
Next by Date: Re: [Ethereal-dev] MAPI
Previous by thread: Re: [Ethereal-dev] MAPI
Next by thread: Re: [Ethereal-dev] MAPI
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$