Ethereal-dev: [Ethereal-dev] [dcerpc] Encrypted stub data


From: Jean-Baptiste Marchand <Jean-Baptiste.Marchand@xxxxxx>
Date: Thu, 8 May 2003 15:22:43 +0200
Hello,

the attached patch replaces the 'Stub data' field in DCE-RPC PDUs with
'Encrypted stub data' when the Auth Level is set to Packet Privacy and
no DCE-RPC subdissector is available.

This is just to remind the user that it won't be possible to recognize
any pattern in the stub data, because it is encrypted. 

Jean-Baptiste Marchand
-- 
Jean-Baptiste.Marchand@xxxxxx
Hervé Schauer Consultants
http://www.hsc.fr/
Index: packet-dcerpc.c
===================================================================
RCS file: /cvsroot/ethereal/packet-dcerpc.c,v
retrieving revision 1.117
diff -u -r1.117 packet-dcerpc.c
--- packet-dcerpc.c	20 Apr 2003 11:36:13 -0000	1.117
+++ packet-dcerpc.c	8 May 2003 13:10:08 -0000
@@ -1558,9 +1558,16 @@
 	 */
         length = tvb_length_remaining (tvb, offset);
         if (length > 0) {
-            proto_tree_add_text (dcerpc_tree, tvb, offset, length,
-                                 "Stub data (%d byte%s)", length,
-                                 plurality(length, "", "s"));
+            if (auth_info != NULL &&
+                  auth_info->auth_level == DCE_C_AUTHN_LEVEL_PKT_PRIVACY) {
+                proto_tree_add_text(dcerpc_tree, tvb, offset, length,
+                                     "Encrypted stub data (%d byte%s)",
+                                     length, plurality(length, "", "s"));
+            } else {
+                proto_tree_add_text (dcerpc_tree, tvb, offset, length,
+                                      "Stub data (%d byte%s)", length,
+                                      plurality(length, "", "s"));
+            }
         }
         return -1;
     }
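Review bot: The same nine-line if/else that chooses between "Encrypted stub data" and "Stub data" is pasted here and again in the hunks at 2393, 2484, 2533 and 2594, differing only in how auth_info is reached (`auth_info->` with a NULL check here, `auth_info.` there). A small static helper taking the length and a flag would keep the five sites in step. It would also give one place to document that the label comes from the auth_level recorded in auth_info and is not a check of the payload bytes. Each call site then becomes one line, here `show_stub_data(tvb, offset, dcerpc_tree, length, auth_info != NULL && auth_info->auth_level == DCE_C_AUTHN_LEVEL_PKT_PRIVACY);`. The enclosing function starts and ends outside this hunk.

```c
/* Label stub data that no subdissector claimed.  is_encrypted reflects the
 * auth_level recorded in auth_info; the payload bytes are not inspected. */
static void
show_stub_data(tvbuff_t *tvb, gint offset, proto_tree *dcerpc_tree,
               gint length, gboolean is_encrypted)
{
    proto_tree_add_text (dcerpc_tree, tvb, offset, length,
                         "%s (%d byte%s)",
                         is_encrypted ? "Encrypted stub data" : "Stub data",
                         length, plurality(length, "", "s"));
}
```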
@@ -2393,9 +2400,15 @@
     if (!conv) {
         length = tvb_reported_length_remaining (tvb, offset);
         if (length > 0) {
-            proto_tree_add_text (dcerpc_tree, tvb, offset, -1,
-                                 "Stub data (%d byte%s)", length,
-                                 plurality(length, "", "s"));
+            if (auth_info.auth_level == DCE_C_AUTHN_LEVEL_PKT_PRIVACY) {
+                proto_tree_add_text(dcerpc_tree, tvb, offset, length,
+                                     "Encrypted stub data (%d byte%s)",
+                                     length, plurality(length, "", "s"));
+            } else {
+                proto_tree_add_text (dcerpc_tree, tvb, offset, length,
+                                      "Stub data (%d byte%s)", length,
+                                      plurality(length, "", "s"));
+            }
         }
     } else {
         dcerpc_call_value *value;
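Review bot: Besides the new label, both branches now pass `length` as the item length where the old call passed `-1`. Here `length` comes from tvb_reported_length_remaining(), so on a capture cut short by the snapshot length it can exceed the bytes actually present in the tvb. The description does not mention this change, and depending on how proto_tree_add_text treats a length past the captured data it may raise a bounds exception or mark bytes that are not in the frame; this is worth confirming. Keeping the previous argument in both branches, `proto_tree_add_text (dcerpc_tree, tvb, offset, -1,`, leaves that behaviour as it was. The hunks at 2484, 2533 and 2594 make the same substitution, and the enclosing function starts outside this hunk.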
@@ -2484,11 +2497,17 @@
 	} else {
             length = tvb_reported_length_remaining (tvb, offset);
             if (length > 0) {
-                proto_tree_add_text (dcerpc_tree, tvb, offset, -1,
-                                     "Stub data (%d byte%s)", length,
-                                     plurality(length, "", "s"));
+                if (auth_info.auth_level == DCE_C_AUTHN_LEVEL_PKT_PRIVACY) {
+                    proto_tree_add_text(dcerpc_tree, tvb, offset, length,
+                                          "Encrypted stub data (%d byte%s)",
+                                          length, plurality(length, "", "s"));
+                } else {
+                    proto_tree_add_text (dcerpc_tree, tvb, offset, length,
+                                         "Stub data (%d byte%s)", length,
+                                          plurality(length, "", "s"));
+                }
             }
-	}
+	    }
     }
 
     /* Decrypt the verifier, if present */
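Review bot: The closing-brace change at the end of this hunk is whitespace only and leaves the brace at a tab plus four spaces, while the matching change in the hunk at 2594 uses eight spaces. The last continuation line of the else branch, `plurality(length, "", "s"));`, is also indented one column further than the line above it, in both hunks. The added calls mix `proto_tree_add_text(` and `proto_tree_add_text (` as well. I would drop the brace re-indent from the patch and align the new lines with the file's existing `proto_tree_add_text (` style, so the diff carries only the label change.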
@@ -2533,9 +2552,15 @@
         /* no point in creating one here, really */
         length = tvb_reported_length_remaining (tvb, offset);
         if (length > 0) {
-            proto_tree_add_text (dcerpc_tree, tvb, offset, -1,
-                                 "Stub data (%d byte%s)", length,
-                                 plurality(length, "", "s"));
+            if (auth_info.auth_level == DCE_C_AUTHN_LEVEL_PKT_PRIVACY) {
+                proto_tree_add_text(dcerpc_tree, tvb, offset, length,
+                                     "Encrypted stub data (%d byte%s)",
+                                     length, plurality(length, "", "s"));
+            } else {
+                proto_tree_add_text (dcerpc_tree, tvb, offset, length,
+                                      "Stub data (%d byte%s)", length,
+                                      plurality(length, "", "s"));
+            }
         }
     } else {
 
@@ -2594,11 +2619,17 @@
         } else {
             length = tvb_reported_length_remaining (tvb, offset);
             if (length > 0) {
-                proto_tree_add_text (dcerpc_tree, tvb, offset, -1,
-                                     "Stub data (%d byte%s)", length,
-                                     plurality(length, "", "s"));
+                if (auth_info.auth_level == DCE_C_AUTHN_LEVEL_PKT_PRIVACY) {
+                    proto_tree_add_text(dcerpc_tree, tvb, offset, length,
+                                          "Encrypted stub data (%d byte%s)",
+                                          length, plurality(length, "", "s"));
+                } else {
+                    proto_tree_add_text (dcerpc_tree, tvb, offset, length,
+                                         "Stub data (%d byte%s)", length,
+                                          plurality(length, "", "s"));
+                }
             }
-	}
+        }
     }
 
     /* Decrypt the verifier, if present */
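Review bot: The new test reads `auth_info.auth_level` from a struct held by value, and nothing visible here shows the field has been set when the PDU carries no authentication data. The first hunk, by contrast, guards with `auth_info != NULL`. If auth_info is a local that is only filled in when auth data is present, the label would depend on an indeterminate value. Please confirm it is initialised on every path reaching this branch, or zero it at its declaration. The same applies to the hunks at 2393, 2484 and 2533; the declaration and the enclosing function are outside the hunk.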