Wireshark · Ethereal-dev: RE: [Ethereal-dev] kadmin dissector

Ethereal-dev: RE: [Ethereal-dev] kadmin dissector

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Fri, 2 May 2003 12:14:27 -0400

> On Fri, Apr 25, 2003 at 05:34:30PM -0400, Schene_Tony@xxxxxxx wrote:
> > > What authentication flavor is that?
> > 
> > AUTH_GSSAPI = 300001.
> 
> How difficult would it be to add support for AUTH_GSSAPI to
> packet-rpc.c?
> 
> And does Ethereal at least show the authentication stuff as an opaque
> blob if AUTH_GSSAPI is being used?

Here is a patch which contains support for AUTH_GSSAPI.  It is pretty
straightforward with one notable exception that requires some explanation.
Like RPCSEC_GSS, AUTH_GSSAPI defines "authentication level" messages which
don't carry any data for the RPC program procedures themselves, but are used
only by the authentication mechanism for establishing and managing security
contexts.  RPCSEC_GSS uses a NULL procedure for these types of messages and
embeds the authentication procedure number within the cred.  But AUTH_GSSAPI
uses the RPC procedure number itself to indicate which auth procedure to
use.  This makes it very misleading to display the name of the RPC program
procedure corresponding to the procedure number in the column info field and
in the RPC tree since the number has nothing to do with the program.  For
the same reason, it is also misleading to display the RPC program name in
the protocol colunm.  So to avoid as much confusion as possible, when an
AUTH_GSSAPI authentication message is sent, I display the AUTH_GSSAPI auth
procedure name in the info column and the RPC tree, and "RPC" in the
protocol column.  I also do not display the program-specific subtree in this
case.  I admit that this is an awkward solution, but it's the least wrong
one that I can think of.

I've also included a short capture file which contains several AUTH_GSSAPI
RPCs so you can see what all of this looks like.  If whoever checks this in
believes that there is a better way of displaying this data, please feel
free to change it.  I am not at all an expert on AUTH_GSSAPI.  The
information for this dissector came mainly from perusing the Kerberos 1.2.7
source code, and also from a paper in the MIT distribution titled, "GSS-API
Extensions to Sun RPC" by Barry Jaspan.

I also fixed what appears to be an "off by 4" bug on line 2122 of
packet-rpc.c, version 1.121 (line 2274 of the patched file).

	-Tony

Prev by Date: [Ethereal-dev] Real-time taps...
Next by Date: RE: [Ethereal-dev] kadmin dissector (resend)
Previous by thread: [Ethereal-dev] Real-time taps...
Next by thread: RE: [Ethereal-dev] kadmin dissector (resend)
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$