On Tue, May 14, 2002 at 08:47:58PM -0700, Guy Harris wrote:
> On Wed, May 15, 2002 at 01:16:11PM +1000, Tim Potter wrote:
> > This hidden field business got me thinking. I've made a small change to
> > the dcerpc init routines which allows you to filter by string names for
> > dcerpc subcommands.
> >
> > I've changed dcerpc_init_uuid() to take an extra value - a hf field
> > which corresponds to the opnum for the subdissector with a value_string
> > array associated with it. The dcerpc_try_handoff() routine inserts a
[...]
> I'd thought about the same thing a while ago; I forget whether I
> mentioned it to ethereal-dev or not. (I *did* mention it in the comment
> on line 1028 or so in "packet-dcerpc.c". :-))
>
> I think it's the right thing to do.
>
> However, you might, instead, want to *replace* the call *after* the
> comment I mentioned with a call to add the subdissector's field as a
> *non*-hidden field (and get rid of "hf_dcerpc_op"). That would let you
> do a "Match Selected" on that entry in the protocol tree.

I've found a bit of spare time and implemented this. There is an extra field
in the dcerpc_uuid_value structure which holds a hf value. This is
initialised by the protocol dissector that registers the DCERPC
subprotocol. If this value is not -1, it is inserted into the proto
tree!

So you can now do things like filter on 'spoolss.opnum == openprinterex'
to catch all open printer requests and replies.

I'm in the process of updating all the dcerpc dissectors for this and if
there aren't any objections I'd like to check it in later on today.

Tim.
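To illustrate the mechanism the thread describes (a per-subprotocol record carrying an hf value and a value_string array, so an opnum filter can be written by name as well as by number), here is a small stand-alone C model. It is added here and is not Ethereal's code; the structure names mirror the thread, the three spoolss opnum values are taken from the spoolss interface, and the case-insensitive name match is an assumption about how the filter would be resolved.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Model of Ethereal's value_string: a numeric value paired with its display name. */
typedef struct { unsigned value; const char *strptr; } value_string;

/* Constructed subset of spoolss opnums (values from the spoolss interface). */
static const value_string spoolss_opnums[] = {
    { 0x00, "EnumPrinters" },
    { 0x1d, "ClosePrinter" },
    { 0x45, "OpenPrinterEx" },
    { 0, NULL }
};

/* Model of dcerpc_uuid_value: hf == -1 means no opnum field was registered. */
typedef struct { const char *name; int hf; const value_string *opnum_names; } dcerpc_uuid_value;

static const dcerpc_uuid_value spoolss = { "spoolss", 1, spoolss_opnums };
static const dcerpc_uuid_value samr_no_names = { "samr", -1, NULL };   /* hypothetical, unconverted */

/* Resolve a filter value ("69", "0x45" or "openprinterex") to an opnum; -1 if unknown. */
static int resolve_opnum(const dcerpc_uuid_value *uv, const char *token) {
    char *end;
    long v = strtol(token, &end, 0);
    if (*token != '\0' && *end == '\0' && v >= 0) return (int)v;   /* plain number */
    if (uv->hf < 0 || uv->opnum_names == NULL) return -1;           /* no names registered */
    for (const value_string *vs = uv->opnum_names; vs->strptr; vs++)
        if (strcasecmp(vs->strptr, token) == 0) return (int)vs->value;
    return -1;
}

/* Evaluate "<proto>.opnum == <value>" against a packet's opnum: 1 match, 0 no match, -1 bad filter. */
static int match_opnum_filter(const dcerpc_uuid_value *uv, const char *filter, unsigned pkt_opnum) {
    char prefix[64];
    snprintf(prefix, sizeof prefix, "%s.opnum == ", uv->name);
    size_t n = strlen(prefix);
    if (strncmp(filter, prefix, n) != 0) return -1;
    int want = resolve_opnum(uv, filter + n);
    if (want < 0) return -1;
    return (unsigned)want == pkt_opnum;
}

int main(void) {
    printf("%d\n", match_opnum_filter(&spoolss, "spoolss.opnum == openprinterex", 0x45));
    return 0;
}
```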