Ethereal-dev: Re: [Ethereal-dev] SRVSVC

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <sahlberg@xxxxxxxxxxxxxxxx>
Date: Sat, 25 May 2002 18:33:24 +1000
The example I gave you, calling it through
dissect_ndr_pointer(...NDR_POINTER_REF,...)
WILL decode the packet in EXACTLY the same way, byte by byte as the original
version.

Currently, dissect_ndr_pointer() does not create a subtree for top-level REF
pointers.
By changing dissect_ndr_pointer() to also create subtrees for top level REF
pointers you also get the exact same behaviour, with a subtree for the string
as in the original code.

These changes would NOT change in any way how the bytes are dissected, only
clean up the code a bit and
let dissect_ndr_pointer fill in di->hf_index instead of doing it manually.

Last, it would make the dissector be closer mapped to what the IDL file
specifies.
There is definitely NOT a top level UNICODE_STRING_str in the idl file,
there is
a REF pointer to a UNICODE_STRING_str in the idl file.

I am guilty of taking shortcuts in the other dissectors calling
UNICODE_STRING and friends
directly from _rqst/_reply instead of, more correctly, going through
dissect_ndr_pointer(...REF...).
I apologise and will sometime later fix all my dissectors to do it the
proper way.


I hope the ucarray() issues were cleared after my last email.


----- Original Message -----
From: "Richard Sharpe"
Sent: Saturday, May 25, 2002 2:27 PM
Subject: Re: [Ethereal-dev] SRVSVC


> On Fri, 24 May 2002, Pia Sahlberg wrote:
>
> > Hi,
> > Richard in your patch to srvsvc_dissect_net_share_get_info_rqst
>
> Hmmm, the problem I have with that claim, even though that is what MSDN
> suggests is the case with NetShareGetInfo, is that the referent is only
> 16-bits long in each of the two traces I have. 0x11C9 in one case, and
> some other value in another.
>
> How do you explain that? The trace was of WinNT or Win2K accessing an NT
> or 2K server ...
>
> > the hf_srvsvc_share  is actually a top level REF pointer,
> >
> > you should probably change
> > >  /*
> > >   * Construct a label for the string ...
> > >   */
> > >  item = proto_tree_add_text(tree, tvb, offset, -1, "Share");
> > >  stree = proto_item_add_subtree(item, ett_srvsvc_share_info);
> > >  di->hf_index = hf_srvsvc_share;
> > >  di->levels = 0;
> > >
> > >  offset = dissect_ndr_nt_UNICODE_STRING_str(tvb, offset, pinfo, stree, drep);
> >
> >
> > into this instead :
> >
> >
> > >  offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
> > >                               dissect_ndr_nt_UNICODE_STRING_str,
> > >                               NDR_POINTER_REF, "Server",
> > >                               hf_srvsvc_share, -1);
> > >
> >
> >
> > To make the output look nicer, something I have planned to do a long time
> > would be if you could change dissect_ndr_pointer so it WILL create
> > a tree also for top level ref pointers.
> > Then the -1 above should be changed to 0.
> > This would also need all NDR_POINTER_REF dissect_ndr_pointer calls to be
> > audited to make sure we specify a string (many "" used I believe)
> >
> > It is fairly easy to do these changes and the fixes for NDR_POINTER_REF
> > would be fairly mechanical. (there are not that many places to update).
> > If you don't want to do this change yourself I can make it sometime during
> > the weekend.
> >
> >
> > best regards
> >   ronnie s
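
Added example, not part of the original thread and not Ethereal code: a stand-alone C decoder showing why going through a top-level REF pointer consumes exactly the same bytes as calling the string decoder directly (NDR puts nothing on the wire for a top-level reference pointer), while a unique pointer adds a 4-byte referent ID. The function names, the enum, and the sample stubs are constructed for illustration, and little-endian data representation is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum ndr_ptr { PTR_REF_TOPLEVEL, PTR_UNIQUE };   /* hypothetical names */

/* Constructed stubs: "C$\0" as a conformant varying UTF-16 string. */
const uint8_t ref_stub[]  = { 3,0,0,0, 0,0,0,0, 3,0,0,0, 'C',0, '$',0, 0,0 };
const uint8_t uniq_stub[] = { 0,0,2,0, 3,0,0,0, 0,0,0,0, 3,0,0,0, 'C',0, '$',0, 0,0 };

/* Read a 4-byte-aligned little-endian uint32; -1 if the buffer is too short. */
static int rd32(const uint8_t *b, size_t len, size_t *off, uint32_t *v) {
    *off = (*off + 3) & ~(size_t)3;
    if (*off > len || len - *off < 4) return -1;
    *v = b[*off] | (uint32_t)b[*off+1] << 8 | (uint32_t)b[*off+2] << 16 | (uint32_t)b[*off+3] << 24;
    *off += 4;
    return 0;
}

/* Decode max_count/offset/actual_count + UTF-16LE chars. Returns new offset or -1. */
long ndr_wstring(const uint8_t *b, size_t len, size_t off, char *out, size_t outsz) {
    uint32_t max, first, count;
    if (rd32(b, len, &off, &max) || rd32(b, len, &off, &first) || rd32(b, len, &off, &count))
        return -1;
    if ((uint64_t)first + count > max || count > (len - off) / 2 || count >= outsz)
        return -1;                      /* lengths must fit the buffer and the output */
    for (uint32_t i = 0; i < count; i++) {
        uint8_t lo = b[off + 2*i], hi = b[off + 2*i + 1];
        out[i] = (hi == 0 && lo < 0x80) ? (char)lo : '?';
    }
    out[count] = '\0';
    return (long)(off + 2 * (size_t)count);
}

/* Top-level REF: no bytes for the pointer. UNIQUE: 4-byte referent ID, 0 = NULL. */
long ndr_pointer(const uint8_t *b, size_t len, size_t off, enum ndr_ptr kind, char *out, size_t outsz) {
    if (kind == PTR_UNIQUE) {
        uint32_t referent;
        if (rd32(b, len, &off, &referent)) return -1;
        if (referent == 0) { if (outsz) out[0] = '\0'; return (long)off; }
    }
    return ndr_wstring(b, len, off, out, outsz);
}

int main(void) {
    char s[16];
    printf("direct=%ld ", ndr_wstring(ref_stub, sizeof ref_stub, 0, s, sizeof s));
    printf("ref=%ld ", ndr_pointer(ref_stub, sizeof ref_stub, 0, PTR_REF_TOPLEVEL, s, sizeof s));
    printf("unique=%ld (%s)\n", ndr_pointer(uniq_stub, sizeof uniq_stub, 0, PTR_UNIQUE, s, sizeof s), s);
    return 0;
}
```

Decoding the REF stub as if it carried a unique pointer misreads the string's max_count as a referent ID and fails the length checks, which is the kind of mismatch a dissector has to avoid by following the IDL's pointer type.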