| blob | 4ebe29addd48c0ee63ccf109e365c6c41fd70c1b |
1 /* packet-dcerpc.c
2 * Routines for DCERPC packet disassembly
3 * Copyright 2001, Todd Sabin <tas[AT]webspan.net>
4 * Copyright 2003, Tim Potter <tpot[AT]samba.org>
5 * Copyright 2010, Julien Kerihuel <j.kerihuel[AT]openchange.org>
6 *
7 * $Id$
8 *
9 * Wireshark - Network traffic analyzer
10 * By Gerald Combs <gerald@wireshark.org>
11 * Copyright 1998 Gerald Combs
12 *
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
17 *
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 */
28 /* The DCE RPC specification can be found at:
29 * http://www.opengroup.org/dce/
30 */
34 #include <string.h>
36 #include <glib.h>
38 #include <epan/packet.h>
39 #include <epan/exceptions.h>
40 #include <epan/conversation.h>
41 #include <epan/prefs.h>
42 #include <epan/reassemble.h>
43 #include <epan/tap.h>
44 #include <epan/wmem/wmem.h>
45 #include <epan/expert.h>
46 #include <epan/strutil.h>
47 #include <epan/addr_resolv.h>
48 #include <epan/show_exception.h>
49 #include <epan/dissectors/packet-dcerpc.h>
50 #include <epan/dissectors/packet-dcerpc-nt.h>
54 /* 32bit Network Data Representation, see DCE/RPC Appendix I */
58 /* 64bit Network Data Representation, introduced in Windows Server 2008 */
62 /* Bind Time Feature Negotiation, see [MS-RPCE] 3.3.1.5.3 */
63 static e_uuid_t uuid_bind_time_feature_nego_00 = { 0x6cb71c2c, 0x9812, 0x4540, { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } };
64 static e_uuid_t uuid_bind_time_feature_nego_01 = { 0x6cb71c2c, 0x9812, 0x4540, { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } };
65 static e_uuid_t uuid_bind_time_feature_nego_02 = { 0x6cb71c2c, 0x9812, 0x4540, { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } };
66 static e_uuid_t uuid_bind_time_feature_nego_03 = { 0x6cb71c2c, 0x9812, 0x4540, { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } };
68 /* see [MS-OXRPC] Appendix A: Full IDL, http://msdn.microsoft.com/en-us/library/ee217991%28v=exchg.80%29.aspx */
95 };
101 };
107 };
109 #define DCE_RPC_DREP_FP_IEEE 0
110 #define DCE_RPC_DREP_FP_VAX 1
111 #define DCE_RPC_DREP_FP_CRAY 2
112 #define DCE_RPC_DREP_FP_IBM 3
120 };
122 /*
123 * Authentication services.
124 */
139 };
141 /*
142 * Protection levels.
143 */
152 };
154 /*
155 * Flag bits in first flag field in connectionless PDU header.
156 */
159 * fragment of a multi-PDU
160 * transmission */
162 a multi-PDU transmission */
164 * requested to send a `fack' PDU
165 * for the fragment */
167 * request */
169 * request */
171 * request */
174 /*
175 * Flag bits in second flag field in connectionless PDU header.
176 */
186 /*
187 * Flag bits in connection-oriented PDU header.
188 */
192 #define PFC_RESERVED_1 0x08
194 * of a single connection. */
196 * if true, guaranteed call did not
197 * execute. */
200 * was specified in the handle, and
201 * is present in the optional object
202 * field. If false, the object field
203 * is omitted. */
205 /*
206 * Tests whether a connection-oriented PDU is fragmented; returns TRUE if
207 * it's not fragmented (i.e., this is both the first *and* last fragment),
208 * and FALSE otherwise.
209 */
210 #define PFC_NOT_FRAGMENTED(hdr) \
211 ((hdr->flags&(PFC_FIRST_FRAG|PFC_LAST_FRAG)) == (PFC_FIRST_FRAG|PFC_LAST_FRAG))
213 /*
214 * Presentation context negotiation result.
215 */
222 };
224 /*
225 * Presentation context negotiation rejection reasons.
226 */
233 };
235 /*
236 * Reject reasons.
237 */
238 #define REASON_NOT_SPECIFIED 0
239 #define TEMPORARY_CONGESTION 1
240 #define LOCAL_LIMIT_EXCEEDED 2
242 #define PROTOCOL_VERSION_NOT_SUPPORTED 4
261 };
263 /*
264 * Reject status codes.
265 */
313 /* MS Windows specific values
314 * see: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/system_error_codes__1700-3999_.asp
315 * and: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/common_hresult_values.asp
316 * and: http://www.megos.ch/support/doserrors.txt
317 *
318 * XXX - we might need a way to dynamically add entries here, as higher layer protocols use these values too,
319 * at least MS protocols (like DCOM) do it that way ... */
349 };
352 /*
353 * RTS Flags
354 */
355 #define RTS_FLAG_NONE 0x0000
356 #define RTS_FLAG_PING 0x0001
357 #define RTS_FLAG_OTHER_CMD 0x0002
358 #define RTS_FLAG_RECYCLE_CHANNEL 0x0004
359 #define RTS_FLAG_IN_CHANNEL 0x0008
360 #define RTS_FLAG_OUT_CHANNEL 0x0010
361 #define RTS_FLAG_EOF 0x0020
362 #define RTS_FLAG_ECHO 0x0040
364 /*
365 * RTS Commands
366 */
368 #define RTS_CMD_RECEIVEWINDOWSIZE 0x0
369 #define RTS_CMD_FLOWCONTROLACK 0x1
370 #define RTS_CMD_CONNECTIONTIMEOUT 0x2
371 #define RTS_CMD_COOKIE 0x3
372 #define RTS_CMD_CHANNELLIFETIME 0x4
373 #define RTS_CMD_CLIENTKEEPALIVE 0x5
374 #define RTS_CMD_VERSION 0x6
375 #define RTS_CMD_EMPTY 0x7
376 #define RTS_CMD_PADDING 0x8
377 #define RTS_CMD_NEGATIVEANCE 0x9
378 #define RTS_CMD_ANCE 0xA
379 #define RTS_CMD_CLIENTADDRESS 0xB
380 #define RTS_CMD_ASSOCIATIONGROUPID 0xC
381 #define RTS_CMD_DESTINATION 0xD
382 #define RTS_CMD_PINGTRAFFICSENTNOTIFY 0xE
401 };
403 /*
404 * RTS client address type
405 */
406 #define RTS_IPV4 0
407 #define RTS_IPV6 1
413 };
415 /*
416 * RTS Forward destination
417 */
425 };
427 /* we need to keep track of what transport were used, ie what handle we came
428 * in through so we know what kind of pinfo->dce_smb_fid was passed to us.
429 */
430 /* Value of -1 is reserved for "not DCE packet" in packet_info.dcetransporttype. */
431 #define DCE_TRANSPORT_UNKNOWN 0
432 #define DCE_CN_TRANSPORT_SMBPIPE 1
437 /* field defines */
597 NULL
598 };
602 NULL
603 };
610 };
655 NULL,
657 /* Reassembled data field */
658 NULL,
659 "fragments"
660 };
662 /* list of hooks to be called when init_protocols is done */
663 GHookList dcerpc_hooks_init_protos;
667 {
671 di_counter++;
674 }
679 }
681 /* try to desegment big DCE/RPC packets over TCP? */
684 /* reassemble DCE/RPC fragments */
685 /* reassembly of cl dcerpc fragments will not work for the case where ONE frame
686 might contain multiple dcerpc fragments for different PDUs.
687 this case would be so unusual/weird so if you got captures like that:
688 too bad
690 reassembly of co dcerpc fragments will not work for the case where TCP/SMB frames
691 are coming in out of sequence, but that will hurt in a lot of other places as well.
692 */
698 address src;
699 address dst;
700 guint32 id;
701 e_uuid_t act_id;
704 static guint
706 {
708 guint hash_val;
718 }
720 static gint
722 {
726 /*key.id is the first item to compare since item is most
727 likely to differ between sessions, thus shortcircuiting
728 the comparison of addresses.
729 */
735 }
737 /* allocate a persistent dcerpc fragment key to insert in the hash */
741 {
751 }
753 /* allocate a persistent dcerpc fragment key to insert in the hash */
757 {
767 }
769 static void
771 {
776 }
778 static void
780 {
784 /*
785 * Free up the copies of the addresses from the old key.
786 */
791 }
792 }
795 dcerpc_fragment_hash,
796 dcerpc_fragment_equal,
797 dcerpc_fragment_temporary_key,
798 dcerpc_fragment_persistent_key,
799 dcerpc_fragment_free_temporary_key,
800 dcerpc_fragment_free_persistent_key
801 };
803 static void
805 {
806 /*
807 * XXX - addresses_ports_reassembly_table_functions?
808 * Or can a single connection-oriented DCE RPC session persist
809 * over multiple transport layer connections?
810 */
815 }
817 /*
818 * Authentication subdissectors. Used to dissect authentication blobs in
819 * DCERPC binds, requests and responses.
820 */
823 guint8 auth_level;
824 guint8 auth_type;
825 dcerpc_auth_subdissector_fns auth_fns;
832 {
833 gpointer data;
842 }
845 }
849 {
862 }
864 /* Hand off verifier data to a registered dissector */
871 {
873 /* XXX - "stub" a fake DCERPC INFO STRUCTURE
874 If a dcerpc_info is really needed, update
875 the call stacks to include it
876 */
877 FAKE_DCERPC_INFO_STRUCTURE
898 /* Don't know how to handle authentication data in this
899 pdu type. */
905 }
914 authn_protocol_vals,
916 }
917 }
919 /* Hand off payload data to a registered dissector */
925 gboolean is_request,
927 {
932 else
939 }
941 /*
942 * Subdissectors
943 */
945 /* the registered subdissectors */
948 static gint
950 {
955 }
957 static guint
959 {
961 /* This isn't perfect, but the Data1 part of these is almost always
962 unique. */
964 }
966 void
969 {
991 /* add this GUID to the global name resolving */
994 /* Register the samr.nt_password preference as obsolete */
995 /* This should be in packet-dcerpc-samr.c */
999 }
1000 }
1002 /* Function to find the name of a registered protocol
1003 * or NULL if the protocol/version is not known to wireshark.
1004 */
1007 {
1008 dcerpc_uuid_key key;
1015 }
1017 }
1019 /* Function to find the opnum hf-field of a registered protocol
1020 * or -1 if the protocol/version is not known to wireshark.
1021 */
1022 int
1024 {
1025 dcerpc_uuid_key key;
1032 }
1034 }
1036 /* Create a value_string consisting of DCERPC opnum and name from a
1037 subdissector array. */
1040 {
1045 again:
1051 num_sd++;
1052 }
1057 }
1063 }
1065 /* Function to find the subdissector table of a registered protocol
1066 * or NULL if the protocol/version is not known to wireshark.
1067 */
1068 dcerpc_sub_dissector *
1070 {
1071 dcerpc_uuid_key key;
1078 }
1080 }
1083 /*
1084 * To keep track of ctx_id mappings.
1085 *
1086 * Every time we see a bind call we update this table.
1087 * Note that we always specify a SMB FID. For non-SMB transports this
1088 * value is 0.
1089 */
1094 guint16 ctx_id;
1095 guint16 smb_fid;
1099 e_uuid_t uuid;
1100 guint16 ver;
1101 e_uuid_t transport;
1104 static gint
1106 {
1112 }
1114 static guint
1116 {
1118 guint hash;
1123 }
1125 /*
1126 * To keep track of callid mappings. Should really use some generic
1127 * conversation support instead.
1128 */
1134 guint32 call_id;
1135 guint16 smb_fid;
1140 guint32 seqnum;
1141 e_uuid_t act_id ;
1145 static gint
1147 {
1153 }
1155 static gint
1157 {
1163 }
1165 static guint
1167 {
1170 }
1172 static guint
1174 {
1182 }
1184 /* to keep track of matched calls/responses
1185 this one uses the same value struct as calls, but the key is the frame id
1186 and call id; there can be more than one call in a frame.
1188 XXX - why not just use the same keys as are used for calls?
1189 */
1194 guint32 frame;
1195 guint32 call_id;
1198 static gint
1200 {
1205 }
1207 static guint
1209 {
1212 }
1216 /*
1217 * Utility functions. Modeled after packet-rpc.c
1218 */
1220 int
1224 {
1225 guint8 data;
1230 }
1234 }
1236 int
1240 {
1241 guint16 data;
1249 }
1253 }
1255 int
1259 {
1260 guint32 data;
1268 }
1272 }
1274 /* handles 32 bit unix time_t */
1275 int
1279 {
1280 guint32 data;
1281 nstime_t tv;
1291 /* special case, no time specified */
1295 }
1296 }
1301 }
1303 int
1307 {
1308 guint64 data;
1317 /* This might be a field that is either 32bit, in NDR or
1318 64 bits in NDR64. So we must be careful and call the right
1319 helper here
1320 */
1333 }
1334 }
1338 }
1341 int
1345 {
1346 gfloat data;
1356 }
1362 /* ToBeDone: non IEEE floating formats */
1363 /* Set data to a negative infinity value */
1366 proto_tree_add_debug_text(tree, "DCE RPC: dissection of non IEEE floating formats currently not implemented (drep=%u)!", drep[1]);
1367 }
1368 }
1372 }
1375 int
1379 {
1380 gdouble data;
1390 }
1396 /* ToBeDone: non IEEE double formats */
1397 /* Set data to a negative infinity value */
1400 proto_tree_add_debug_text(tree, "DCE RPC: dissection of non IEEE double formats currently not implemented (drep=%u)!", drep[1]);
1401 }
1402 }
1406 }
1409 int
1413 {
1414 e_uuid_t uuid;
1421 }
1424 }
1427 }
1429 }
1432 /*
1433 * a couple simpler things
1434 */
1435 guint16
1437 {
1442 }
1443 }
1445 guint32
1447 {
1452 }
1453 }
1455 void
1457 {
1462 }
1463 }
1466 /* NDR arrays */
1467 /* function to dissect a unidimensional conformant array */
1468 int
1472 {
1473 guint32 i;
1479 }
1482 guint64 val;
1484 /* conformant run, just dissect the max_count header */
1494 /* we don't remember where in the bytestream this field was */
1495 proto_tree_add_uint(tree, hf_dcerpc_array_max_count, tvb, di->array_max_count_offset, conformance_size, di->array_max_count);
1497 /* real run, dissect the elements */
1500 }
1501 }
1504 }
1506 /* function to dissect a unidimensional conformant and varying array
1507 * depending on the dissection function passed as a parameter,
1508 * content of the array will be dissected as a block or byte by byte
1509 */
1510 static int
1515 {
1516 guint32 i;
1522 }
1525 guint64 val;
1527 /* conformant run, just dissect the max_count header */
1548 /* we don't remember where in the bytestream these fields were */
1549 proto_tree_add_uint(tree, hf_dcerpc_array_max_count, tvb, di->array_max_count_offset, conformance_size, di->array_max_count);
1550 proto_tree_add_uint(tree, hf_dcerpc_array_offset, tvb, di->array_offset_offset, conformance_size, di->array_offset);
1551 proto_tree_add_uint(tree, hf_dcerpc_array_actual_count, tvb, di->array_actual_count_offset, conformance_size, di->array_actual_count);
1553 /* real run, dissect the elements */
1562 }
1563 }
1564 }
1567 }
1569 int
1573 {
1575 }
1577 int
1581 {
1583 }
1584 /* function to dissect a unidimensional varying array */
1585 int
1589 {
1590 guint32 i;
1596 }
1599 guint64 val;
1601 /* conformant run, just dissect the max_count header */
1617 /* we don't remember where in the bytestream these fields were */
1618 proto_tree_add_uint(tree, hf_dcerpc_array_offset, tvb, di->array_offset_offset, conformance_size, di->array_offset);
1619 proto_tree_add_uint(tree, hf_dcerpc_array_actual_count, tvb, di->array_actual_count_offset, conformance_size, di->array_actual_count);
1621 /* real run, dissect the elements */
1624 }
1625 }
1628 }
1630 /* Dissect an string of bytes. This corresponds to
1631 IDL of the form '[string] byte *foo'.
1633 It can also be used for a conformant varying array of bytes if
1634 the contents of the array should be shown as a big blob, rather
1635 than showing each byte as an individual element.
1637 XXX - which of those is really the IDL type for, for example,
1638 the encrypted data in some MAPI packets? (Microsoft hasn't
1639 released that IDL.)
1641 XXX - does this need to do all the conformant array stuff that
1642 "dissect_ndr_ucvarray()" does? These are presumably for strings
1643 that are conformant and varying - they're stored like conformant
1644 varying arrays of bytes. */
1645 int
1648 {
1649 guint64 len;
1652 /* just a run to handle conformant arrays, no scalars to dissect */
1654 }
1656 /* NDR array header */
1672 }
1677 }
1679 /* For dissecting arrays that are to be interpreted as strings. */
1681 /* Dissect an NDR conformant varying string of elements.
1682 The length of each element is given by the 'size_is' parameter;
1683 the elements are assumed to be characters or wide characters.
1685 XXX - does this need to do all the conformant array stuff that
1686 "dissect_ndr_ucvarray()" does? */
1687 int
1691 {
1694 guint64 len;
1695 guint32 buffer_len;
1700 /* just a run to handle conformant arrays, no scalars to dissect */
1702 }
1711 }
1713 /* NDR array header */
1727 /* Adjust offset */
1732 /* XXX - use drep to determine the byte order? */
1733 /* XXX - once we have an ENC_ value for UTF-16, just use
1734 proto_tree_add_item() with the appropriate ENC_ value? */
1735 /* XXX - should this ever be used with something that's *not*
1736 an FT_STRING? */
1747 }
1748 }
1751 /*
1752 * "tvb_get_string()" throws an exception if the entire string
1753 * isn't in the tvbuff. If the length is bogus, this should
1754 * keep us from trying to allocate an immensely large buffer.
1755 * (It won't help if the length is *valid* but immensely large,
1756 * but that's another matter; in any case, that would happen only
1757 * if we had an immensely large tvbuff....)
1758 *
1759 * XXX - if this is an octet string, does the byte order
1760 * matter? Will this ever be anything *other* than an
1761 * octet string? What if size_is is neither 1 nor 2?
1762 */
1768 }
1781 }
1783 int
1787 {
1788 return dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, size_is, hfindex, add_subtree, data);
1789 }
1791 /* Dissect an conformant varying string of chars.
1792 This corresponds to IDL of the form '[string] char *foo'.
1794 XXX - at least according to the DCE RPC 1.1 spec, a string has
1795 a null terminator, which isn't necessary as a terminator for
1796 the transfer language (as there's a length), but is presumably
1797 there for the benefit of null-terminated-string languages
1798 such as C. Is this ever used for purely counted strings?
1799 (Not that it matters if it is.) */
1800 int
1803 {
1807 }
1809 /* Dissect a conformant varying string of wchars (wide characters).
1810 This corresponds to IDL of the form '[string] wchar *foo'
1812 XXX - at least according to the DCE RPC 1.1 spec, a string has
1813 a null terminator, which isn't necessary as a terminator for
1814 the transfer language (as there's a length), but is presumably
1815 there for the benefit of null-terminated-string languages
1816 such as C. Is this ever used for purely counted strings?
1817 (Not that it matters if it is.) */
1818 int
1821 {
1825 }
1827 /* This function is aimed for PIDL usage and dissects a UNIQUE pointer to
1828 * unicode string.
1829 */
1830 int
1831 PIDL_dissect_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int chsize, int hfindex, guint32 param)
1832 {
1841 /* Append string to COL_INFO */
1844 }
1845 /* Save string to dcv->private_data */
1850 }
1851 /* Append string to upper-level proto_items */
1855 levels--;
1859 levels--;
1863 levels--;
1864 }
1865 }
1866 }
1868 }
1871 }
1873 /* Dissect an NDR varying string of elements.
1874 The length of each element is given by the 'size_is' parameter;
1875 the elements are assumed to be characters or wide characters.
1876 */
1877 int
1881 {
1884 guint64 len;
1885 guint32 buffer_len;
1890 /* just a run to handle conformant arrays, no scalars to dissect */
1892 }
1901 }
1903 /* NDR array header */
1913 /* Adjust offset */
1918 /* XXX - use drep to determine the byte order? */
1919 /* XXX - once we have an ENC_ value for UTF-16, just use
1920 proto_tree_add_item() with the appropriate ENC_ value? */
1921 /* XXX - should this ever be used with something that's *not*
1922 an FT_STRING? */
1933 }
1934 }
1937 /*
1938 * "tvb_get_string()" throws an exception if the entire string
1939 * isn't in the tvbuff. If the length is bogus, this should
1940 * keep us from trying to allocate an immensely large buffer.
1941 * (It won't help if the length is *valid* but immensely large,
1942 * but that's another matter; in any case, that would happen only
1943 * if we had an immensely large tvbuff....)
1944 *
1945 * XXX - if this is an octet string, does the byte order
1946 * matter? Will this ever be anything *other* than an
1947 * octet string? What if size_is is neither 1 nor 2?
1948 */
1954 }
1967 }
1969 /* Dissect an varying string of chars.
1970 This corresponds to IDL of the form '[string] char *foo'.
1972 XXX - at least according to the DCE RPC 1.1 spec, a string has
1973 a null terminator, which isn't necessary as a terminator for
1974 the transfer language (as there's a length), but is presumably
1975 there for the benefit of null-terminated-string languages
1976 such as C. Is this ever used for purely counted strings?
1977 (Not that it matters if it is.) */
1978 int
1981 {
1985 }
1987 /* Dissect a varying string of wchars (wide characters).
1988 This corresponds to IDL of the form '[string] wchar *foo'
1990 XXX - at least according to the DCE RPC 1.1 spec, a string has
1991 a null terminator, which isn't necessary as a terminator for
1992 the transfer language (as there's a length), but is presumably
1993 there for the benefit of null-terminated-string languages
1994 such as C. Is this ever used for purely counted strings?
1995 (Not that it matters if it is.) */
1996 int
1999 {
2003 }
2006 /* ndr pointer handling */
2007 /* list of pointers encountered so far */
2010 /* position where in the list to insert newly encountered pointers */
2013 /* Boolean controlling whether pointers are top-level or embedded */
2016 /* as a kludge, we represent all embedded reference pointers as id == -1
2017 hoping that his will not collide with any non-ref pointers */
2019 guint32 id;
2028 void
2030 {
2037 }
2042 }
2044 int
2045 dissect_deferred_pointers(packet_info *pinfo, tvbuff_t *tvb, int offset, dcerpc_info *di, guint8 *drep)
2046 {
2069 /* first a run to handle any conformant
2070 array headers */
2077 /* This is to check for any bugs in the dissectors.
2078 *
2079 * Basically, the NDR representation will store all
2080 * arrays in two blocks, one block with the dimension
2081 * description, like size, number of elements and such,
2082 * and another block that contains the actual data stored
2083 * in the array.
2084 * If the array is embedded directly inside another,
2085 * encapsulating aggregate type, like a union or struct,
2086 * then these two blocks will be stored at different places
2087 * in the bytestream, with other data between the blocks.
2088 *
2089 * For this reason, all pointers to types (both aggregate
2090 * and scalar, for simplicity no distinction is made)
2091 * will have its dissector called twice.
2092 * The dissector will first be called with conformant_run == 1
2093 * in which mode the dissector MUST NOT consume any data from
2094 * the tvbuff (i.e. may not dissect anything) except the
2095 * initial control block for arrays.
2096 * The second time the dissector is called, with
2097 * conformant_run == 0, all other data for the type will be
2098 * dissected.
2099 *
2100 * All dissect_ndr_<type> dissectors are already prepared
2101 * for this and knows when it should eat data from the tvb
2102 * and when not to, so implementors of dissectors will
2103 * normally not need to worry about this or even know about
2104 * it. However, if a dissector for an aggregate type calls
2105 * a subdissector from outside packet-dcerpc.c, such as
2106 * the dissector in packet-smb.c for NT Security Descriptors
2107 * as an example, then it is VERY important to encapsulate
2108 * this call to an external subdissector with the appropriate
2109 * test for conformant_run, i.e. it will need something like
2110 *
2111 * dcerpc_info *di (received as function parameter)
2112 *
2113 * if (di->conformant_run) {
2114 * return offset;
2115 * }
2116 *
2117 * to make sure it makes the right thing.
2118 * This assert will signal when someone has forgotten to
2119 * make the dissector aware of this requirement.
2120 */
2122 /* now we dissect the actual pointer */
2127 tnpd->callback(pinfo, tnpd->tree, tnpd->item, di, tvb, old_offset, offset, tnpd->callback_args);
2130 }
2131 }
2135 }
2138 static void
2142 {
2145 /* check if this pointer is valid */
2155 }
2156 }
2158 /* if we haven't seen the request bail out since we cant
2159 know whether this is the first non-NULL instance
2160 or not */
2162 /* XXX THROW EXCEPTION */
2163 }
2165 /* We saw this one in the request frame, nothing to
2166 dissect later */
2169 }
2170 }
2171 }
2182 ndr_pointer_list_pos);
2183 ndr_pointer_list_pos++;
2184 }
2187 static int
2189 {
2199 }
2200 }
2201 }
2204 }
2206 /* This function dissects an NDR pointer and stores the callback for later
2207 * deferred dissection.
2208 *
2209 * fnct is the callback function for when we have reached this object in
2210 * the bytestream.
2211 *
2212 * type is what type of pointer.
2213 *
2214 * this is text is what text we should put in any created tree node.
2215 *
2216 * hf_index is what hf value we want to pass to the callback function when
2217 * it is called, the callback can later pick this one up from di->hf_index.
2218 *
2219 * callback is executed after the pointer has been dereferenced.
2220 *
2221 * callback_args is passed as an argument to the callback function
2222 *
2223 * See packet-dcerpc-samr.c for examples
2224 */
2225 int
2230 {
2236 /* this call was only for dissecting the header for any
2237 embedded conformant array. we will not parse any
2238 pointers in this mode.
2239 */
2241 }
2244 }
2247 /*TOP LEVEL REFERENCE POINTER*/
2252 /* we must find out a nice way to do the length here */
2260 }
2262 /*TOP LEVEL FULL POINTER*/
2266 guint64 id;
2269 /* get the referent id */
2273 /* we got a NULL pointer */
2276 pointer_size,
2279 }
2281 /* see if we have seen this pointer before */
2285 /* we have seen this pointer before */
2288 pointer_size,
2291 }
2293 /* new pointer */
2295 pointer_size,
2303 }
2304 /*TOP LEVEL UNIQUE POINTER*/
2307 guint64 id;
2310 /* get the referent id */
2314 /* we got a NULL pointer */
2317 pointer_size,
2320 }
2322 /* new pointer */
2325 pointer_size,
2333 }
2335 /*EMBEDDED REFERENCE POINTER*/
2338 guint64 id;
2341 /* get the referent id */
2345 /* new pointer */
2347 pointer_size,
2356 }
2358 /*EMBEDDED UNIQUE POINTER*/
2361 guint64 id;
2364 /* get the referent id */
2368 /* we got a NULL pointer */
2371 pointer_size,
2374 }
2376 /* new pointer */
2378 pointer_size,
2387 }
2389 /*EMBEDDED FULL POINTER*/
2393 guint64 id;
2396 /* get the referent id */
2400 /* we got a NULL pointer */
2403 pointer_size,
2406 }
2408 /* see if we have seen this pointer before */
2412 /* we have seen this pointer before */
2415 pointer_size,
2418 }
2420 /* new pointer */
2422 pointer_size,
2430 }
2433 after_ref_id:
2434 /* After each top level pointer we have dissected we have to
2435 dissect all deferrals before we move on to the next top level
2436 argument */
2441 }
2443 /* Set the length for the new subtree */
2446 }
2448 }
2450 int
2454 {
2458 }
2459 int
2463 {
2471 }
2472 int
2476 {
2484 }
2486 static void
2489 {
2491 guint auth_pad_offset;
2493 /*
2494 * We don't show stub data unless we have some in the tvbuff;
2495 * however, in the protocol tree, we show, as the number of
2496 * bytes, the reported number of bytes, not the number of bytes
2497 * that happen to be in the tvbuff.
2498 */
2503 /* if auth_pad_len is larger than length then we ignore auth_pad_len totally */
2508 }
2518 /* is the padding is still inside the encrypted blob, don't display it explicit */
2525 }
2531 }
2532 /* If there is auth padding at the end of the stub, display it */
2536 auth_pad_len,
2538 auth_pad_len,
2540 }
2541 }
2542 }
2544 static int
2545 dissect_verification_trailer(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *parent_tree)
2546 {
2558 }
2563 }
2574 }
2575 //XXX DISSECTOR_ASSERT(offset % 4);
2587 hf_dcerpc_sec_vt_command,
2588 ett_dcerpc_sec_vt_command,
2589 sec_vt_command_fields,
2590 ENC_LITTLE_ENDIAN);
2599 hf_dcerpc_sec_vt_bitmask,
2600 ett_dcerpc_sec_vt_bitmask,
2601 sec_vt_bitmask_fields,
2602 ENC_LITTLE_ENDIAN);
2608 }
2612 }
2613 }
2617 }
2619 static int
2625 {
2627 dcerpc_uuid_key key;
2647 /*
2648 * We don't have a dissector for this UUID, or the protocol
2649 * for that UUID is disabled.
2650 */
2660 FALSE);
2664 }
2670 }
2671 }
2679 else
2696 else
2698 }
2700 /*
2701 * Put the operation number into the tree along with
2702 * the operation's name.
2703 */
2710 else
2721 }
2726 }
2730 /* Either there was no encryption or we successfully decrypted
2731 the encrypted payload. */
2733 /* We have a subdissector - call it. */
2742 /*
2743 * Remove the authentication padding from the stub data.
2744 */
2747 /*
2748 * OK, the padding length isn't so big that it
2749 * exceeds the stub length. Trim the reported
2750 * length of the tvbuff.
2751 */
2754 /*
2755 * If that exceeds the actual amount of data in
2756 * the tvbuff (which means we have at least one
2757 * byte of authentication padding in the tvbuff),
2758 * trim the actual amount.
2759 */
2767 /*
2768 * The padding length exceeds the stub length.
2769 * Don't bother dissecting the stub, trim the padding
2770 * length to what's in the stub data, and show the
2771 * entire stub as authentication padding.
2772 */
2777 }
2779 /*
2780 * No authentication padding.
2781 */
2785 }
2789 }
2792 /*
2793 * Catch all exceptions other than BoundsError, so that even
2794 * if the stub data is bad, we still show the authentication
2795 * padding, if any.
2796 *
2797 * If we get BoundsError, it means the frame was cut short
2798 * by a snapshot length, so there's nothing more to
2799 * dissect; just re-throw that exception.
2800 */
2801 TRY {
2810 /* If we have a subdissector and it didn't dissect all
2811 data in the tvb, make a note of it. */
2815 remaining,
2817 remaining,
2821 remaining,
2824 }
2826 /*
2827 * Somebody threw an exception that means that there
2828 * was a problem dissecting the payload; that means
2829 * that a dissector was found, so we don't need to
2830 * dissect the payload as data or update the protocol
2831 * or info columns.
2832 *
2833 * Just show the exception and then drive on to show
2834 * the authentication padding.
2835 */
2838 }
2840 /* If there is auth padding at the end of the stub, display it */
2844 auth_pad_len,
2846 auth_pad_len,
2848 }
2852 /* No subdissector - show it as stub data. */
2857 }
2858 }
2864 }
2866 static int
2870 {
2888 /*
2889 * Catch all bounds-error exceptions, so that even if the
2890 * verifier is bad or we don't have all of it, we still
2891 * show the stub data.
2892 */
2893 TRY {
2903 }
2904 }
2907 }
2909 static void
2913 {
2916 /*
2917 * Initially set auth_level and auth_type to zero to indicate that we
2918 * haven't yet seen any authentication level information.
2919 */
2925 /*
2926 * The authentication information is at the *end* of the PDU; in
2927 * request and response PDUs, the request and response stub data
2928 * come before it.
2929 *
2930 * Is there any authentication data (i.e., is the authentication length
2931 * non-zero), and is the authentication length valid (i.e., is it, plus
2932 * 8 bytes for the type/level/pad length/reserved/context id, less than
2933 * or equal to the fragment length minus the starting offset of the
2934 * stub data?)
2935 */
2940 /*
2941 * Yes, there is authentication data, and the length is valid.
2942 * Do we have all the bytes of stub data?
2943 * (If not, we'd throw an exception dissecting *that*, so don't
2944 * bother trying to dissect the authentication information and
2945 * throwing another exception there.)
2946 */
2949 /*
2950 * Either there's no stub data, or the last byte of the stub
2951 * data is present in the captured data, so we shouldn't
2952 * get a BoundsError dissecting the stub data.
2953 *
2954 * Try dissecting the authentication data.
2955 * Catch all exceptions, so that even if the auth info is bad
2956 * or we don't have all of it, we still show the stuff we
2957 * dissect after this, such as stub data.
2958 */
2959 TRY {
2961 hf_dcerpc_auth_type,
2964 hf_dcerpc_auth_level,
2968 hf_dcerpc_auth_pad_len,
2975 /*
2976 * Dissect the authentication data.
2977 */
2990 else
2993 }
2995 /* Compute the size of the auth block. Note that this should not
2996 include auth padding, since when NTLMSSP encryption is used, the
2997 padding is actually inside the encrypted stub */
3002 }
3003 }
3004 }
3007 /* We need to hash in the SMB fid number to generate a unique hash table
3008 * key as DCERPC over SMB allows several pipes over the same TCP/IP
3009 * socket.
3010 * We pass this function the transport type here to make sure we only look
3011 * at this function if it came across an SMB pipe.
3012 * Other transports might need to mix in their own extra multiplexing data
3013 * as well in the future.
3014 */
3017 {
3020 /* DCERPC over smb */
3022 }
3024 /* Some other transport... */
3026 }
3028 /*
3029 * Connection oriented packet types
3030 */
3032 static void
3035 {
3038 guint i;
3039 guint16 ctx_id;
3040 guint8 num_trans_items;
3041 guint j;
3042 e_uuid_t if_id;
3043 e_uuid_t trans_id;
3044 guint32 trans_ver;
3046 dcerpc_auth_info auth_info;
3063 /* padding */
3076 /* save context ID for use with dcerpc_add_conv_to_bind_table() */
3077 /* (if we have multiple contexts, this might cause "decode as"
3078 * to behave unpredictably) */
3084 ENC_NA);
3086 }
3095 }
3097 /* padding */
3103 iface_item = proto_tree_add_item(ctx_tree, hf_dcerpc_cn_bind_abstract_syntax, tvb, offset, 0, ENC_NA);
3118 }
3119 }
3132 }
3137 }
3148 trans_item = proto_tree_add_item(ctx_tree, hf_dcerpc_cn_bind_trans_syntax, tvb, offset, 0, ENC_NA);
3155 uuid_item = proto_tree_add_guid_format(trans_tree, hf_dcerpc_cn_bind_trans_id, tvb, offset, 16, (e_guid_t *) &trans_id, "Transfer Syntax: %s UUID:%s", uuid_name, uuid_str);
3159 uuid_item = proto_tree_add_guid_format(trans_tree, hf_dcerpc_cn_bind_trans_id, tvb, offset, 16, (e_guid_t *) &trans_id, "Transfer Syntax: %s", uuid_str);
3162 }
3164 /* check for [MS-RPCE] 3.3.1.5.3 Bind Time Feature Negotiation */
3167 proto_tree_add_boolean(uuid_tree, hf_dcerpc_cn_bind_trans_btfn_01, tvb, offset+8, 1, trans_id.Data4[0]);
3168 proto_tree_add_boolean(uuid_tree, hf_dcerpc_cn_bind_trans_btfn_02, tvb, offset+8, 1, trans_id.Data4[0]);
3169 }
3170 }
3178 }
3179 }
3181 /* if this is the first time we've seen this packet, we need to
3182 update the dcerpc_binds table so that any later calls can
3183 match to the interface.
3184 XXX We assume that BINDs will NEVER be fragmented.
3185 */
3200 /* add this entry to the bind table */
3202 }
3212 }
3213 }
3215 /*
3216 * XXX - we should save the authentication type *if* we have
3217 * an authentication header, and associate it with an authentication
3218 * context, so subsequent PDUs can use that context.
3219 */
3221 }
3223 static void
3226 {
3228 guint16 sec_addr_len;
3229 guint8 num_results;
3230 guint i;
3233 e_uuid_t trans_id;
3234 guint32 trans_ver;
3235 dcerpc_auth_info auth_info;
3255 }
3259 }
3264 /* padding */
3277 }
3283 /* [MS-RPCE] 3.3.1.5.3 check if this Ctx Item is the response to a Bind Time Feature Negotiation request */
3286 offset = dissect_dcerpc_uint16(tvb, offset, pinfo, ctx_tree, hdr->drep, hf_dcerpc_cn_ack_btfn, &reason);
3294 /*
3295 * The reason for rejection isn't meaningful, and often isn't
3296 * set, when the syntax was accepted.
3297 */
3299 }
3308 }
3311 uuid_name);
3313 }
3322 }
3324 /*
3325 * XXX - do we need to do anything with the authentication level
3326 * we get back from this?
3327 */
3329 }
3331 static void
3334 {
3335 guint16 reason;
3336 guint8 num_protocols;
3337 guint i;
3348 hf_dcerpc_cn_num_protocols,
3354 NULL);
3357 NULL);
3358 }
3359 }
3360 }
3362 /* Return a string describing a DCE/RPC fragment as first, middle, or end
3363 fragment. */
3365 #define PFC_FRAG_MASK 0x03
3369 {
3374 "Single"
3375 };
3377 }
3379 /* Dissect stub data (payload) of a DCERPC packet. */
3381 static void
3386 guint32 frame)
3387 {
3389 gboolean save_fragmented;
3403 /* We don't even have enough bytes for the authentication
3404 stuff. */
3406 }
3413 /*don't bother if we don't have the entire tvb */
3414 /*XXX we should really make sure we calculate auth_info->auth_data
3415 and use that one instead of this auth_tvb hack
3416 */
3420 }
3421 }
3423 /* Decrypt the PDU if it is encrypted */
3427 /*
3428 * We know the authentication type, and the authentication
3429 * level is "Packet privacy", meaning the payload is
3430 * encrypted; attempt to decrypt it.
3431 */
3434 /* Start out assuming we won't succeed in decrypting. */
3436 /* Schannel needs information into the footer (verifier) in order to setup decryption keys
3437 * so we call it in order to have a chance to decipher the data
3438 */
3441 }
3463 /* We succeeded. */
3465 }
3466 }
3470 /* if this packet is not fragmented, just dissect it and exit */
3480 }
3482 /* The packet is fragmented. */
3485 /* debug output of essential fragment data. */
3486 /* leave it here for future debugging sessions */
3487 /*printf("DCE num:%u offset:%u frag_len:%u tvb_len:%u\n",
3488 pinfo->fd->num, offset, hdr->frag_len, tvb_length(decrypted_tvb));*/
3490 /* if we are not doing reassembly and this is the first fragment
3491 then just dissect it and exit
3492 XXX - if we're not doing reassembly, can we decrypt an
3493 encrypted stub?
3494 */
3501 expert_add_info_format(pinfo, NULL, &ei_dcerpc_fragment, "%s fragment", fragment_type(hdr->flags));
3505 }
3507 /* if we have already seen this packet, see if it was reassembled
3508 and if so dissect the full pdu.
3509 then exit
3510 */
3514 }
3516 /* if we are not doing reassembly and it was neither a complete PDU
3517 nor the first fragment then there is nothing more we can do
3518 so we just have to exit
3519 */
3523 /* if we didn't get 'frame' we don't know where the PDU started and thus
3524 it is pointless to continue
3525 */
3529 /* from now on we must attempt to reassemble the PDU
3530 */
3532 /* if we get here we know it is the first time we see the packet
3533 and we also know it is only a fragment and not a full PDU,
3534 thus we must reassemble it.
3535 */
3537 /* Do we have any non-encrypted data to reassemble? */
3539 /* No. We can't even try to reassemble. */
3541 }
3543 /* defragmentation is a bit tricky, as there's no offset of the fragment
3544 * in the protocol data.
3545 *
3546 * just use fragment_add_seq_next() and hope that TCP/SMB segments coming
3547 * in with the correct sequence.
3548 */
3554 end_cn_stub:
3556 /* if reassembly is complete and this is the last fragment
3557 * (multiple fragments in one PDU are possible!)
3558 * dissect the full PDU
3559 */
3572 /* the toplevel fragment subtree is now behind all desegmented data,
3573 * move it right behind the DCE/RPC tree */
3577 }
3581 expert_add_info_format(pinfo, frag_tree_item, &ei_dcerpc_fragment_reassembled, "%s fragment, reassembled", fragment_type(hdr->flags));
3593 }
3598 }
3601 expert_add_info_format(pinfo, NULL, &ei_dcerpc_fragment_reassembled, "%s fragment, reassembled in #%u", fragment_type(hdr->flags), fd_head->reassembled_in);
3602 }
3604 /* Reassembly not complete - some fragments
3605 are missing. Just show the stub data. */
3606 expert_add_info_format(pinfo, NULL, &ei_dcerpc_fragment, "%s fragment", fragment_type(hdr->flags));
3612 }
3613 }
3616 }
3618 /**
3619 * Registers a conversation/UUID binding association, so that
3620 * we can invoke the proper sub-dissector for a given DCERPC
3621 * conversation.
3622 *
3623 * @param binding all values needed to create and bind a new conversation
3624 *
3625 * @return Pointer to newly-added UUID/conversation binding.
3626 */
3629 {
3652 }
3657 /* For now, assume all DCE/RPC we pick from "decode as" is using
3658 standard ndr and not ndr64.
3659 We should make this selectable from the dialog in the future
3660 */
3668 /* add this entry to the bind table */
3673 }
3675 static void
3679 {
3681 guint16 ctx_id;
3682 guint16 opnum;
3684 dcerpc_auth_info auth_info;
3685 guint32 alloc_hint;
3697 }
3702 /* save context ID for use with dcerpc_add_conv_to_bind_table() */
3714 }
3716 }
3718 /*
3719 * XXX - what if this was set when the connection was set up,
3720 * and we just have a security context?
3721 */
3732 /* !!! we can NOT check flags.visited here since this will interact
3733 badly with when SMB handles (i.e. calls the subdissector)
3734 and desegmented pdu's .
3735 Instead we check if this pdu is already in the matched table or not
3736 */
3741 dcerpc_bind_key bind_key;
3750 dcerpc_cn_call_key call_key;
3757 new_matched_key = (dcerpc_matched_key *)wmem_alloc(wmem_file_scope(), sizeof (dcerpc_matched_key));
3761 }
3766 /* We found the binding and it is the first fragment
3767 (or a complete PDU) of a dcerpc pdu so just add
3768 the call to both the call table and the
3769 matched table
3770 */
3776 /* if there is already a matching call in the table
3777 remove it so it is replaced with the new one */
3780 }
3797 }
3801 new_matched_key = (dcerpc_matched_key *)wmem_alloc(wmem_file_scope(), sizeof (dcerpc_matched_key));
3805 }
3806 }
3807 }
3813 /* handoff this call */
3827 }
3828 }
3834 /* no bind information, simply show stub data */
3835 proto_tree_add_expert_format(dcerpc_tree, pinfo, &ei_dcerpc_cn_ctx_id_no_bind, tvb, offset, 0, "No bind info for interface Context ID %u - capture start too late?", ctx_id);
3837 }
3838 }
3840 /* Dissect the verifier */
3843 }
3845 static void
3849 {
3852 guint16 ctx_id;
3853 dcerpc_auth_info auth_info;
3854 guint32 alloc_hint;
3867 }
3869 /* save context ID for use with dcerpc_add_conv_to_bind_table() */
3876 /* padding */
3877 offset++;
3879 /*
3880 * XXX - what if this was set when the connection was set up,
3881 * and we just have a security context?
3882 */
3889 /* no point in creating one here, really */
3894 /* !!! we can NOT check flags.visited here since this will interact
3895 badly with when SMB handles (i.e. calls the subdissector)
3896 and desegmented pdu's .
3897 Instead we check if this pdu is already in the matched table or not
3898 */
3903 dcerpc_cn_call_key call_key;
3911 /* extra sanity check, only match them if the reply
3912 came after the request */
3914 new_matched_key = (dcerpc_matched_key *)wmem_alloc(wmem_file_scope(), sizeof (dcerpc_matched_key));
3920 }
3921 }
3922 }
3923 }
3929 /* handoff this call */
3938 /* (optional) "Object UUID" from request */
3944 }
3946 /* request in */
3948 nstime_t delta_ts;
3954 }
3960 }
3966 /* no bind information, simply show stub data */
3967 proto_tree_add_expert_format(dcerpc_tree, pinfo, &ei_dcerpc_cn_ctx_id_no_bind, tvb, offset, 0, "No bind info for interface Context ID %u - capture start too late?", ctx_id);
3969 }
3970 }
3972 /* Dissect the verifier */
3974 }
3976 static void
3979 {
3982 guint16 ctx_id;
3983 guint32 status;
3984 guint32 alloc_hint;
3985 dcerpc_auth_info auth_info;
3996 /* padding */
3997 offset++;
3999 #if 0
4002 #endif
4007 pi = proto_tree_add_item(dcerpc_tree, hf_dcerpc_cn_status, tvb, offset, 4, DREP_ENC_INTEGER(hdr->drep));
4010 expert_add_info_format(pinfo, pi, &ei_dcerpc_cn_status, "Fault: %s", val_to_str(status, reject_status_vals, "Unknown (0x%08x)"));
4012 /* save context ID for use with dcerpc_add_conv_to_bind_table() */
4020 /* padding */
4023 /*
4024 * XXX - what if this was set when the connection was set up,
4025 * and we just have a security context?
4026 */
4032 /* no point in creating one here, really */
4036 /* !!! we can NOT check flags.visited here since this will interact
4037 badly with when SMB handles (i.e. calls the subdissector)
4038 and desegmented pdu's .
4039 Instead we check if this pdu is already in the matched table or not
4040 */
4045 dcerpc_cn_call_key call_key;
4053 new_matched_key = (dcerpc_matched_key *)wmem_alloc(wmem_file_scope(), sizeof (dcerpc_matched_key));
4060 }
4062 }
4063 }
4071 /* handoff this call */
4080 nstime_t delta_ts;
4087 }
4093 }
4096 /* as we now create a tvb in dissect_dcerpc_cn() containing only the
4097 * stub_data, the following calculation is no longer valid:
4098 * stub_length = hdr->frag_len - offset - auth_info.auth_size;
4099 * simply use the remaining length of the tvb instead.
4100 * XXX - or better use the reported_length?!?
4101 */
4106 /* If we don't have reassembly enabled, or this packet contains
4107 the entire PDU, or if we don't have all the data in this
4108 fragment, just call the handoff directly if this is the
4109 first fragment or the PDU isn't fragmented. */
4113 /* First fragment, possibly the only fragment */
4114 /*
4115 * XXX - should there be a third routine for each
4116 * function in an RPC subdissector, to handle
4117 * fault responses? The DCE RPC 1.1 spec says
4118 * three's "stub data" here, which I infer means
4119 * that it's protocol-specific and call-specific.
4120 *
4121 * It should probably get passed the status code
4122 * as well, as that might be protocol-specific.
4123 */
4129 stub_length,
4131 }
4132 }
4134 /* PDU is fragmented and this isn't the first fragment */
4140 stub_length,
4142 }
4143 }
4144 }
4146 /* Reassembly is enabled, the PDU is fragmented, and
4147 we have all the data in the fragment; the first two
4148 of those mean we should attempt reassembly, and the
4149 third means we can attempt reassembly. */
4155 stub_length,
4157 }
4158 }
4164 stub_length,
4165 TRUE);
4166 }
4174 stub_length,
4175 TRUE);
4178 /* We completed reassembly */
4187 /*
4188 * XXX - should there be a third routine for each
4189 * function in an RPC subdissector, to handle
4190 * fault responses? The DCE RPC 1.1 spec says
4191 * three's "stub data" here, which I infer means
4192 * that it's protocol-specific and call-specific.
4193 *
4194 * It should probably get passed the status code
4195 * as well, as that might be protocol-specific.
4196 */
4202 stub_length,
4204 }
4205 }
4206 }
4207 }
4213 stub_length,
4214 TRUE);
4215 }
4216 }
4217 }
4218 }
4219 }
4220 }
4222 static void
4225 {
4229 guint16 rts_flags;
4232 guint32 i;
4235 /* Dissect specific RTS header */
4242 proto_tree_add_boolean(cn_rts_flags_tree, hf_dcerpc_cn_rts_flags_none, tvb, offset, 1, rts_flags);
4243 proto_tree_add_boolean(cn_rts_flags_tree, hf_dcerpc_cn_rts_flags_ping, tvb, offset, 1, rts_flags);
4244 proto_tree_add_boolean(cn_rts_flags_tree, hf_dcerpc_cn_rts_flags_other_cmd, tvb, offset, 1, rts_flags);
4245 proto_tree_add_boolean(cn_rts_flags_tree, hf_dcerpc_cn_rts_flags_recycle_channel, tvb, offset, 1, rts_flags);
4246 proto_tree_add_boolean(cn_rts_flags_tree, hf_dcerpc_cn_rts_flags_in_channel, tvb, offset, 1, rts_flags);
4247 proto_tree_add_boolean(cn_rts_flags_tree, hf_dcerpc_cn_rts_flags_out_channel, tvb, offset, 1, rts_flags);
4248 proto_tree_add_boolean(cn_rts_flags_tree, hf_dcerpc_cn_rts_flags_eof, tvb, offset, 1, rts_flags);
4249 }
4255 /* Create the RTS PDU tree - we do not yet know its name */
4256 tf = proto_tree_add_text(dcerpc_tree, tvb, offset, tvb_length_remaining(tvb, offset), "RTS PDU: %u commands", commands_nb);
4261 /* Dissect commands */
4271 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_receivewindowsize, NULL);
4274 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_fack_bytesreceived, NULL);
4275 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_fack_availablewindow, NULL);
4276 offset = dissect_dcerpc_uuid_t(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_fack_channelcookie, NULL);
4279 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_connectiontimeout, NULL);
4282 offset = dissect_dcerpc_uuid_t(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_cookie, NULL);
4285 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_channellifetime, NULL);
4288 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_clientkeepalive, NULL);
4291 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_version, NULL);
4298 proto_tree_add_uint(cn_rts_command_tree, hf_dcerpc_cn_rts_command_conformancecount, tvb, offset, 4, conformance_count);
4301 proto_tree_add_bytes(cn_rts_command_tree, hf_dcerpc_cn_rts_command_padding, tvb, offset, conformance_count, padding);
4311 proto_tree_add_uint(cn_rts_command_tree, hf_dcerpc_cn_rts_command_addrtype, tvb, offset, 4, addrtype);
4325 }
4327 proto_tree_add_bytes(cn_rts_command_tree, hf_dcerpc_cn_rts_command_padding, tvb, offset, 12, padding);
4331 offset = dissect_dcerpc_uuid_t(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_associationgroupid, NULL);
4334 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_forwarddestination, NULL);
4337 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_pingtrafficsentnotify, NULL);
4342 }
4343 }
4347 /* Define which PDU Body we are dealing with */
4366 }
4373 }
4378 }
4385 }
4388 if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x4) && (cmd[4] == 0x5) && (cmd[5] == 0xC)) {
4390 }
4394 }
4404 }
4408 }
4419 }
4424 }
4428 }
4435 }
4440 }
4443 if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x3) && (cmd[4] == 0x0)) {
4445 }
4449 }
4454 if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x3) && (cmd[4] == 0x0) && (cmd[5] == 0x2)) {
4456 }
4460 }
4464 if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x0) && (cmd[4] == 0x2) && (cmd[5] == 0xC) && (cmd[6] == 0xB)) {
4466 }
4470 }
4474 if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x3) && (cmd[4] == 0x4) && (cmd[5] == 0) && (cmd[6] == 0x2)) {
4476 }
4480 }
4487 }
4494 }
4497 if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x4) && (cmd[4] == 0x0)) {
4499 }
4503 }
4509 }
4513 }
4522 }
4526 }
4534 }
4535 }
4537 /*
4538 * DCERPC dissector for connection oriented calls.
4539 * We use transport type to later multiplex between what kind of
4540 * pinfo->private_data structure to expect.
4541 */
4542 static gboolean
4545 {
4555 e_dce_cn_common_hdr_t hdr;
4556 dcerpc_auth_info auth_info;
4559 /*
4560 * when done over nbt, dcerpc requests are padded with 4 bytes of null
4561 * data for some reason.
4562 *
4563 * XXX - if that's always the case, the right way to do this would
4564 * be to have a "dissect_dcerpc_cn_nb" routine which strips off
4565 * the 4 bytes of null padding, and make that the dissector
4566 * used for "netbios".
4567 */
4570 /*
4571 * Skip the padding.
4572 */
4575 }
4576 /*
4577 * Check if this looks like a C/O DCERPC call
4578 */
4581 }
4602 /*offset += 4;*/
4607 /* this is not the first DCE-RPC request/response in this (TCP?-)PDU,
4608 * prepend a delimiter */
4610 }
4618 }
4623 /* this is not the first DCE-RPC request/response in this (TCP?-)PDU,
4624 * append a delimiter and set a column fence */
4627 }
4632 /* this is not the first DCE-RPC request/response in this (TCP?-)PDU */
4634 }
4641 }
4644 offset++;
4647 offset++;
4650 offset++;
4655 expert_add_info_format(pinfo, tf, &ei_dcerpc_context_change, "Context change: %s", val_to_str(hdr.ptype, pckt_vals, "(0x%x)"));
4656 #endif
4667 }
4673 proto_tree_add_boolean(cn_flags_tree, hf_dcerpc_cn_flags_cancel_pending, tvb, offset, 1, hdr.flags);
4674 proto_tree_add_boolean(cn_flags_tree, hf_dcerpc_cn_flags_last_frag, tvb, offset, 1, hdr.flags);
4675 proto_tree_add_boolean(cn_flags_tree, hf_dcerpc_cn_flags_first_frag, tvb, offset, 1, hdr.flags);
4676 offset++;
4683 }
4700 }
4702 /*
4703 * None of the stuff done above should throw an exception, because
4704 * we would have rejected this as "not DCE RPC" if we didn't have all
4705 * of it. (XXX - perhaps we should request reassembly if we have
4706 * enough of the header to consider it DCE RPC but not enough to
4707 * get the fragment length; in that case the stuff still wouldn't
4708 * throw an exception.)
4709 *
4710 * The rest of the stuff might, so return the PDU length to our caller.
4711 * XXX - should we construct a tvbuff containing only the PDU and
4712 * use that? Or should we have separate "is this a DCE RPC PDU",
4713 * "how long is it", and "dissect it" routines - which might let us
4714 * do most of the work in "tcp_dissect_pdus()"?
4715 */
4719 /* The remaining bytes in the current tvb might contain multiple
4720 * DCE/RPC fragments, so create a new tvb subset for this fragment.
4721 * Only limit the end of the fragment, but not the offset start,
4722 * as the authentication function dissect_dcerpc_cn_auth() will fail
4723 * (and other functions might fail as well) computing the right start
4724 * offset otherwise.
4725 */
4731 /*
4732 * Packet type specific stuff is next.
4733 */
4737 dissect_dcerpc_cn_bind(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr);
4742 dissect_dcerpc_cn_bind_ack(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr);
4746 /*
4747 * Nothing after the common header other than credentials.
4748 */
4749 dissect_dcerpc_cn_auth(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr, TRUE,
4754 dissect_dcerpc_cn_rqst(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, tree, &hdr);
4758 dissect_dcerpc_cn_resp(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, tree, &hdr);
4762 dissect_dcerpc_cn_fault(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr);
4766 dissect_dcerpc_cn_bind_nak(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr);
4771 /*
4772 * Nothing after the common header other than an authentication
4773 * verifier.
4774 */
4775 dissect_dcerpc_cn_auth(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr, FALSE,
4780 /*
4781 * Nothing after the common header, not even an authentication
4782 * verifier.
4783 */
4786 dissect_dcerpc_cn_rts(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr);
4790 /* might as well dissect the auth info */
4791 dissect_dcerpc_cn_auth(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr, FALSE,
4794 }
4796 }
4798 /*
4799 * DCERPC dissector for connection oriented calls over packet-oriented
4800 * transports
4801 */
4802 static gboolean
4804 {
4805 /*
4806 * Only one PDU per transport packet, and only one transport
4807 * packet per PDU.
4808 */
4811 /*
4812 * It wasn't a DCERPC PDU.
4813 */
4816 /*
4817 * It was.
4818 */
4820 }
4821 }
4823 /*
4824 * DCERPC dissector for connection oriented calls over byte-stream
4825 * transports.
4826 * we need to distinguish here between SMB and non-TCP (more in the future?)
4827 * to be able to know what kind of private_data structure to expect.
4828 */
4829 static gboolean
4831 {
4837 /*
4838 * There may be multiple PDUs per transport packet; keep
4839 * processing them.
4840 */
4842 TRY {
4846 dcerpc_pdus++;
4847 }
4849 /*
4850 * Somebody threw an exception that means that there
4851 * was a problem dissecting the payload; that means
4852 * that a dissector was found, so we don't need to
4853 * dissect the payload as data or update the protocol
4854 * or info columns.
4855 *
4856 * Just show the exception and then continue dissecting
4857 * PDUs.
4858 */
4860 /*
4861 * Presumably it looked enough like a DCE RPC PDU that we
4862 * dissected enough of it to throw an exception.
4863 */
4864 dcerpc_pdus++;
4871 /* look for a previous occurence of the DCE-RPC protocol */
4878 }
4880 }
4881 }
4884 /* It didn't look like DCE-RPC but we already had one DCE-RPC
4885 * layer in this packet and what we have is short. Assume that
4886 * it was just too short to tell and ask the TCP layer for more
4887 * data. */
4889 pinfo->desegment_len = (guint32)(sizeof(e_dce_cn_common_hdr_t) - tvb_length_remaining(tvb, offset));
4891 /* Really not DCE-RPC */
4893 }
4894 }
4896 /*
4897 * Well, we've seen at least one DCERPC PDU.
4898 */
4901 /* if we had more than one Req/Resp in this PDU change the protocol column */
4902 /* this will formerly contain the last interface name, which may not be the same for all Req/Resp */
4907 /*
4908 * Desegmentation required - bail now, but give the user a hint that desegmentation might be done later.
4909 */
4917 }
4919 /*
4920 * Step to the next PDU.
4921 */
4923 }
4925 }
4927 static gboolean
4929 {
4932 }
4934 static gboolean
4936 {
4939 }
4941 static gboolean
4943 {
4946 }
4950 static void
4953 {
4956 guint8 protection_level;
4958 /*
4959 * Initially set "*auth_level_p" to -1 to indicate that we haven't
4960 * yet seen any authentication level information.
4961 */
4965 /*
4966 * The authentication information is at the *end* of the PDU; in
4967 * request and response PDUs, the request and response stub data
4968 * come before it.
4969 *
4970 * If the full packet is here, and there's data past the end of the
4971 * packet body, then dissect the auth info.
4972 */
4983 proto_tree_add_uint(auth_tree, hf_dcerpc_krb5_av_prot_level, tvb, offset, 1, protection_level);
4984 offset++;
4985 proto_tree_add_item(auth_tree, hf_dcerpc_krb5_av_key_vers_num, tvb, offset, 1, ENC_BIG_ENDIAN);
4986 offset++;
4989 else
4992 /*offset += 16;*/
4998 }
4999 }
5000 }
5002 static void
5006 {
5007 guint32 version;
5016 /* The only version we know about */
5019 NULL);
5022 NULL);
5024 }
5025 }
5027 static void
5031 {
5032 guint32 version;
5041 /* The only version we know about */
5044 NULL);
5045 /* XXX - are NDR Booleans 32 bits? */
5047 /* XXX - the RPC reference in chapter: "the cancel PDU" doesn't mention
5048 the accepting_cancels field (it's only in the cancel_ack PDU)! */
5049 /*offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, dcerpc_tree,
5050 hdr->drep, hf_dcerpc_dg_server_accepting_cancels,
5051 NULL);*/
5053 }
5054 }
5056 static void
5060 {
5061 guint8 version;
5062 guint16 serial_num;
5063 guint16 selack_len;
5064 guint i;
5069 /* padding */
5070 offset++;
5078 NULL);
5081 NULL);
5084 NULL);
5089 serial_num);
5096 NULL);
5097 }
5100 }
5101 }
5103 static void
5107 {
5108 guint32 status;
5117 }
5119 static void
5123 {
5125 gboolean save_fragmented;
5144 /* If we don't have reassembly enabled, or this packet contains
5145 the entire PDU, or if this is a short frame (or a frame
5146 not reassembled at a lower layer) that doesn't include all
5147 the data in the fragment, just call the handoff directly if
5148 this is the first fragment or the PDU isn't fragmented. */
5154 /* First fragment, possibly the only fragment */
5156 /*
5157 * XXX - authentication info?
5158 */
5161 reported_length);
5165 /* PDU is fragmented and this isn't the first fragment */
5171 stub_length,
5173 }
5174 }
5175 }
5177 /* Reassembly is enabled, the PDU is fragmented, and
5178 we have all the data in the fragment; the first two
5179 of those mean we should attempt reassembly, and the
5180 third means we can attempt reassembly. */
5187 }
5188 }
5196 /* We completed reassembly... */
5198 /* ...and this is the reassembled RPC PDU */
5204 /*
5205 * XXX - authentication info?
5206 */
5211 /* ...and this isn't the reassembled RPC PDU */
5218 }
5221 }
5222 }
5223 }
5225 }
5227 static void
5231 {
5260 /* NDR64 is not available on dg transports ?*/
5265 new_matched_key = (dcerpc_matched_key *)wmem_alloc(wmem_file_scope(), sizeof(dcerpc_matched_key));
5269 }
5285 }
5300 }
5301 }
5303 }
5305 static void
5309 {
5319 dcerpc_dg_call_key call_key;
5326 new_matched_key = (dcerpc_matched_key *)wmem_alloc(wmem_file_scope(), sizeof (dcerpc_matched_key));
5332 }
5333 }
5334 }
5349 }
5358 nstime_t delta_ts;
5365 }
5371 }
5373 }
5375 static void
5379 {
5381 /* if (!(pinfo->fd->flags.visited)) {*/
5383 dcerpc_dg_call_key call_key;
5391 nstime_t delta_ts;
5399 }
5406 /* }*/
5407 }
5408 }
5410 /*
5411 * DCERPC dissector for connectionless calls
5412 */
5413 static gboolean
5415 {
5422 e_dce_dg_common_hdr_t hdr;
5429 /*
5430 * Check if this looks like a CL DCERPC call. All dg packets
5431 * have an 80 byte header on them. Which starts with
5432 * version (4), pkt_type.
5433 */
5436 }
5438 /* Version must be 4 */
5443 /* Type must be <= 19 or it's not DCE/RPC */
5448 /* flags1 has bit 1 and 8 as reserved so if any of them are set, it is
5449 probably not a DCE/RPC packet
5450 */
5455 /* flags2 has all bits except bit 2 as reserved so if any of them are set
5456 it is probably not DCE/RPC.
5457 */
5502 }
5503 }
5508 offset++;
5512 offset++;
5518 proto_tree_add_boolean(dg_flags1_tree, hf_dcerpc_dg_flags1_rsrvd_80, tvb, offset, 1, hdr.flags1);
5519 proto_tree_add_boolean(dg_flags1_tree, hf_dcerpc_dg_flags1_broadcast, tvb, offset, 1, hdr.flags1);
5520 proto_tree_add_boolean(dg_flags1_tree, hf_dcerpc_dg_flags1_idempotent, tvb, offset, 1, hdr.flags1);
5522 proto_tree_add_boolean(dg_flags1_tree, hf_dcerpc_dg_flags1_nofack, tvb, offset, 1, hdr.flags1);
5524 proto_tree_add_boolean(dg_flags1_tree, hf_dcerpc_dg_flags1_last_frag, tvb, offset, 1, hdr.flags1);
5525 proto_tree_add_boolean(dg_flags1_tree, hf_dcerpc_dg_flags1_rsrvd_01, tvb, offset, 1, hdr.flags1);
5534 }
5535 }
5536 }
5537 offset++;
5543 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_80, tvb, offset, 1, hdr.flags2);
5544 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_40, tvb, offset, 1, hdr.flags2);
5545 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_20, tvb, offset, 1, hdr.flags2);
5546 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_10, tvb, offset, 1, hdr.flags2);
5547 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_08, tvb, offset, 1, hdr.flags2);
5548 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_04, tvb, offset, 1, hdr.flags2);
5549 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_cancel_pending, tvb, offset, 1, hdr.flags2);
5550 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_01, tvb, offset, 1, hdr.flags2);
5554 }
5555 }
5556 }
5557 offset++;
5560 tf = proto_tree_add_bytes(dcerpc_tree, hf_dcerpc_drep, tvb, offset, sizeof (hdr.drep), hdr.drep);
5570 }
5571 }
5576 offset++;
5582 }
5594 }
5595 }
5602 }
5606 nstime_t server_boot;
5615 else
5618 }
5650 /* Fragmented - put the fragment number into the Info column */
5653 }
5658 offset++;
5663 /* Fragmented - put the serial number into the Info column */
5666 }
5667 offset++;
5670 /*
5671 * XXX - for Kerberos, we get a protection level; if it's
5672 * DCE_C_AUTHN_LEVEL_PKT_PRIVACY, we can't dissect the
5673 * stub data.
5674 */
5677 }
5679 /*
5680 * keeping track of the conversation shouldn't really be necessary
5681 * for connectionless packets, because everything we need to know
5682 * to dissect is in the header for each packet. Unfortunately,
5683 * Microsoft's implementation is buggy and often puts the
5684 * completely wrong if_id in the header. go figure. So, keep
5685 * track of the seqnum and use that if possible. Note: that's not
5686 * completely correct. It should really be done based on both the
5687 * activity_id and seqnum. I haven't seen anywhere that it would
5688 * make a difference, but for future reference...
5689 */
5692 /*
5693 * Packet type specific stuff is next.
5694 */
5699 /* Body is optional */
5700 /* XXX - we assume "frag_len" is the length of the body */
5706 /*
5707 * XXX - The DCE RPC 1.1 spec doesn't say the body is optional,
5708 * but in at least one capture none of the Cl_cancel PDUs had a
5709 * body.
5710 */
5711 /* XXX - we assume "frag_len" is the length of the body */
5717 /* Body is optional; if present, it's the same as PDU_FACK */
5718 /* XXX - we assume "frag_len" is the length of the body */
5724 /* Body is optional */
5725 /* XXX - we assume "frag_len" is the length of the body */
5743 /* these requests have no body */
5751 }
5754 }
5756 static void
5758 {
5759 /* structures and data for BIND */
5763 }
5766 }
5768 /* structures and data for CALL */
5771 }
5775 }
5778 /* structure and data for MATCHED */
5781 }
5784 /* call the registered hooks */
5786 }
5788 void
5790 {
5810 { "First Frag", "dcerpc.cn_flags.first_frag", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_FIRST_FRAG, NULL, HFILL }},
5812 { "Last Frag", "dcerpc.cn_flags.last_frag", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_LAST_FRAG, NULL, HFILL }},
5814 { "Cancel Pending", "dcerpc.cn_flags.cancel_pending", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_PENDING_CANCEL, NULL, HFILL }},
5816 { "Reserved", "dcerpc.cn_flags.reserved", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_RESERVED_1, NULL, HFILL }},
5818 { "Multiplex", "dcerpc.cn_flags.mpx", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_CONC_MPX, NULL, HFILL }},
5820 { "Did Not Execute", "dcerpc.cn_flags.dne", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_DID_NOT_EXECUTE, NULL, HFILL }},
5822 { "Maybe", "dcerpc.cn_flags.maybe", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_MAYBE, NULL, HFILL }},
5824 { "Object", "dcerpc.cn_flags.object", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_OBJECT_UUID, NULL, HFILL }},
5828 { "Byte order", "dcerpc.drep.byteorder", FT_UINT8, BASE_DEC, VALS(drep_byteorder_vals), 0x0, NULL, HFILL }},
5830 { "Character", "dcerpc.drep.character", FT_UINT8, BASE_DEC, VALS(drep_character_vals), 0x0, NULL, HFILL }},
5832 { "Floating-point", "dcerpc.drep.fp", FT_UINT8, BASE_DEC, VALS(drep_fp_vals), 0x0, NULL, HFILL }},
5852 { "Num Trans Items", "dcerpc.cn_num_trans_items", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5854 { "Abstract Syntax", "dcerpc.cn_bind_abstract_syntax", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
5860 { "Interface Ver Minor", "dcerpc.cn_bind_if_ver_minor", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5868 { "Security Context Multiplexing Supported", "dcerpc.cn_bind_trans_btfn.01", FT_BOOLEAN, 8, TFS(&tfs_set_notset), 0x01, NULL, HFILL }},
5870 { "Keep Connection On Orphan Supported", "dcerpc.cn_bind_trans_btfn.02", FT_BOOLEAN, 8, TFS(&tfs_set_notset), 0x02, NULL, HFILL }},
5880 { "Ack result", "dcerpc.cn_ack_result", FT_UINT16, BASE_DEC, VALS(p_cont_result_vals), 0x0, NULL, HFILL }},
5882 { "Ack reason", "dcerpc.cn_ack_reason", FT_UINT16, BASE_DEC, VALS(p_provider_reason_vals), 0x0, NULL, HFILL }},
5888 { "Bind Time Feature Negotiation Bitmask", "dcerpc.cn_ack_btfn", FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }},
5890 { "Reject reason", "dcerpc.cn_reject_reason", FT_UINT16, BASE_DEC, VALS(reject_reason_vals), 0x0, NULL, HFILL }},
5892 { "Number of protocols", "dcerpc.cn_num_protocols", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5894 { "Protocol major version", "dcerpc.cn_protocol_ver_major", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5896 { "Protocol minor version", "dcerpc.cn_protocol_ver_minor", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5900 { "Status", "dcerpc.cn_status", FT_UINT32, BASE_HEX, VALS(reject_status_vals), 0x0, NULL, HFILL }},
5902 { "Desegmentation Required", "dcerpc.cn_deseg_req", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5904 { "Auth type", "dcerpc.auth_type", FT_UINT8, BASE_DEC, VALS(authn_protocol_vals), 0x0, NULL, HFILL }},
5906 { "Auth level", "dcerpc.auth_level", FT_UINT8, BASE_DEC, VALS(authn_level_vals), 0x0, NULL, HFILL }},
5916 { "Reserved", "dcerpc.dg_flags1_rsrvd_01", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_RESERVED_01, NULL, HFILL }},
5918 { "Last Fragment", "dcerpc.dg_flags1_last_frag", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_LASTFRAG, NULL, HFILL }},
5920 { "Fragment", "dcerpc.dg_flags1_frag", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_FRAG, NULL, HFILL }},
5922 { "No Fack", "dcerpc.dg_flags1_nofack", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_NOFACK, NULL, HFILL }},
5924 { "Maybe", "dcerpc.dg_flags1_maybe", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_MAYBE, NULL, HFILL }},
5926 { "Idempotent", "dcerpc.dg_flags1_idempotent", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_IDEMPOTENT, NULL, HFILL }},
5928 { "Broadcast", "dcerpc.dg_flags1_broadcast", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_BROADCAST, NULL, HFILL }},
5930 { "Reserved", "dcerpc.dg_flags1_rsrvd_80", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_RESERVED_80, NULL, HFILL }},
5934 { "Reserved", "dcerpc.dg_flags2_rsrvd_01", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_01, NULL, HFILL }},
5936 { "Cancel Pending", "dcerpc.dg_flags2_cancel_pending", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_CANCEL_PENDING, NULL, HFILL }},
5938 { "Reserved", "dcerpc.dg_flags2_rsrvd_04", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_04, NULL, HFILL }},
5940 { "Reserved", "dcerpc.dg_flags2_rsrvd_08", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_08, NULL, HFILL }},
5942 { "Reserved", "dcerpc.dg_flags2_rsrvd_10", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_10, NULL, HFILL }},
5944 { "Reserved", "dcerpc.dg_flags2_rsrvd_20", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_20, NULL, HFILL }},
5946 { "Reserved", "dcerpc.dg_flags2_rsrvd_40", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_40, NULL, HFILL }},
5948 { "Reserved", "dcerpc.dg_flags2_rsrvd_80", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_80, NULL, HFILL }},
5962 { "Auth proto", "dcerpc.dg_auth_proto", FT_UINT8, BASE_DEC, VALS(authn_protocol_vals), 0x0, NULL, HFILL }},
5966 { "Server boot time", "dcerpc.dg_server_boot", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, NULL, HFILL }},
5970 { "Protection Level", "dcerpc.krb5_av.prot_level", FT_UINT8, BASE_DEC, VALS(authn_level_vals), 0x0, NULL, HFILL }},
5972 { "Key Version Number", "dcerpc.krb5_av.key_vers_num", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5974 { "Authentication Verifier", "dcerpc.krb5_av.auth_verifier", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }},
5991 { "Server accepting cancels", "dcerpc.server_accepting_cancels", FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }},
6003 { "Max Frag Size", "dcerpc.fack_max_frag_size", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
6009 { "Selective ACK Len", "dcerpc.fack_selack_len", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
6015 { "Status", "dcerpc.dg_status", FT_UINT32, BASE_HEX, VALS(reject_status_vals), 0x0, NULL, HFILL }},
6018 { "Max Count", "dcerpc.array.max_count", FT_UINT32, BASE_DEC, NULL, 0x0, "Maximum Count: Number of elements in the array", HFILL }},
6021 { "Offset", "dcerpc.array.offset", FT_UINT32, BASE_DEC, NULL, 0x0, "Offset for first element in array", HFILL }},
6024 { "Actual Count", "dcerpc.array.actual_count", FT_UINT32, BASE_DEC, NULL, 0x0, "Actual Count: Actual number of elements in the array", HFILL }},
6027 { "Buffer", "dcerpc.array.buffer", FT_BYTES, BASE_NONE, NULL, 0x0, "Buffer: Buffer containing elements of the array", HFILL }},
6045 { "Conflicting data in fragment overlap", "dcerpc.fragment.overlap.conflict", FT_BOOLEAN, BASE_NONE,
6070 NULL, 0x0, "The DCE/RPC PDU is completely reassembled in the packet with this number", HFILL }},
6077 { "Unknown DCERPC interface id", "dcerpc.unknown_if_id", FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }},
6082 {"None", "dcerpc.cn_rts_flags.none", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_NONE, NULL, HFILL }},
6084 { "Ping", "dcerpc.cn_rts.flags.ping", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_PING, NULL, HFILL }},
6086 { "Other Cmd", "dcerpc.cn_rts_flags.other_cmd", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_OTHER_CMD, NULL, HFILL }},
6088 { "Recycle Channel", "dcerpc.cn_rts_flags.recycle_channel", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_RECYCLE_CHANNEL, NULL, HFILL }},
6090 { "In Channel", "dcerpc.cn_rts_flags.in_channel", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_IN_CHANNEL, NULL, HFILL }},
6092 { "Out Channel", "dcerpc.cn_rts_flags.out_channel", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_OUT_CHANNEL, NULL, HFILL }},
6094 { "EOF", "dcerpc.cn_rts_flags.eof", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_EOF, NULL, HFILL }},
6096 { "RTS Number of Commands", "dcerpc.cn_rts_commands_nb", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
6098 { "RTS Command", "dcerpc.cn_rts_command", FT_UINT32, BASE_HEX, VALS(rts_command_vals), 0x0, NULL, HFILL }},
6100 {"Receive Window Size", "dcerpc.cn_rts_command.receivewindowsize", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
6102 {"Bytes Received", "dcerpc.cn_rts_command.fack.bytesreceived", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
6104 {"Available Window", "dcerpc.cn_rts_command.fack.availablewindow", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
6106 {"Channel Cookie", "dcerpc.cn_rts_command.fack.channelcookie", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
6108 {"Connection Timeout", "dcerpc.cn_rts_command.connectiontimeout", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
6112 {"Channel Lifetime", "dcerpc.cn_rts_command.channellifetime", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
6114 {"Client Keepalive", "dcerpc.cn_rts_command.clientkeepalive", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
6118 {"Conformance Count", "dcerpc.cn_rts_command.padding.conformancecount", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
6120 { "Padding", "dcerpc.cn_rts_command.padding.padding", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL}},
6122 { "Address Type", "dcerpc.cn_rts_command.addrtype", FT_UINT32, BASE_DEC, VALS(rts_addresstype_vals), 0x0, NULL, HFILL }},
6124 {"Association Group ID", "dcerpc.cn_rts_command.associationgroupid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
6126 {"Forward Destination", "dcerpc.cn_rts_command.forwarddestination", FT_UINT32, BASE_DEC, VALS(rts_forward_destination_vals), 0x0, NULL, HFILL }},
6128 {"Ping Traffic Sent Notify", "dcerpc.cn_rts_command.pingtrafficsentnotify", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
6130 {"SEC_VT_COMMAND_END", "dcerpc.rpc_sec_vt.command.end", FT_BOOLEAN, 16, NULL, 0x4000, NULL, HFILL }},
6132 {"SEC_VT_MUST_PROCESS_COMMAND", "dcerpc.rpc_sec_vt.command.must_process", FT_BOOLEAN, 16, NULL, 0x8000, NULL, HFILL }},
6134 {"SEC_VT_COMMAND", "dcerpc.rpc_sec_vt.command.cmd", FT_UINT16, BASE_HEX, VALS(sec_vt_command_cmd_vals), 0x3fff, NULL, HFILL }},
6140 {"rpc_sec_vt_bitmask", "dcerpc.rpc_sec_vt.bitmask", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }},
6142 {"CLIENT_SUPPORT_HEADER_SIGNING", "dcerpc.rpc_sec_vt.bitmask.sign", FT_BOOLEAN, 32, NULL, 0x1, NULL, HFILL }},
6143 };
6165 };
6169 { &ei_dcerpc_fragment_reassembled, { "dcerpc.fragment_reassembled", PI_REASSEMBLE, PI_CHAT, "%s fragment, reassembled", EXPFILL }},
6170 { &ei_dcerpc_cn_ctx_id_no_bind, { "dcerpc.cn_ctx_id.no_bind", PI_UNDECODED, PI_NOTE, "No bind info for interface Context ID %u - capture start too late?", EXPFILL }},
6171 { &ei_dcerpc_no_request_found, { "dcerpc.no_request_found", PI_SEQUENCE, PI_NOTE, "No request to this DCE/RPC call found", EXPFILL }},
6172 { &ei_dcerpc_cn_status, { "dcerpc.cn_status.expert", PI_RESPONSE_CODE, PI_NOTE, "Fault: %s", EXPFILL }},
6173 { &ei_dcerpc_fragment_multiple, { "dcerpc.fragment_multiple", PI_SEQUENCE, PI_CHAT, "Multiple DCE/RPC fragments/PDU's in one packet", EXPFILL }},
6174 { &ei_dcerpc_context_change, { "dcerpc.context_change", PI_SEQUENCE, PI_CHAT, "Context change: %s", EXPFILL }},
6175 { &ei_dcerpc_bind_not_acknowledged, { "dcerpc.bind_not_acknowledged", PI_SEQUENCE, PI_WARN, "Bind not acknowledged", EXPFILL }},
6176 };
6181 proto_dcerpc = proto_register_protocol("Distributed Computing Environment / Remote Procedure Call (DCE/RPC)", "DCERPC", "dcerpc");
6192 "Whether the DCE/RPC dissector should reassemble messages"
6193 " spanning multiple TCP segments."
6194 " To use this option, you must also enable"
6207 }
6209 void
6211 {
6227 }
6229 /*
6230 * Editor modelines - http://www.wireshark.org/tools/modelines.html
6231 *
6232 * Local variables:
6233 * c-basic-offset: 4
6234 * tab-width: 8
6235 * indent-tabs-mode: nil
6236 * End:
6237 *
6238 * vi: set shiftwidth=4 tabstop=8 expandtab:
6239 * :indentSize=4:tabSize=8:noTabs=true:
6240 */