| blob | 1c3255635068c69b1985561fcd99be33d1aabd31 |
1 /* packet-dcerpc.c
2 * Routines for DCERPC packet disassembly
3 * Copyright 2001, Todd Sabin <tas[AT]webspan.net>
4 * Copyright 2003, Tim Potter <tpot[AT]samba.org>
5 * Copyright 2010, Julien Kerihuel <j.kerihuel[AT]openchange.org>
6 *
7 * $Id$
8 *
9 * Wireshark - Network traffic analyzer
10 * By Gerald Combs <gerald@wireshark.org>
11 * Copyright 1998 Gerald Combs
12 *
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
17 *
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 */
28 /* The DCE RPC specification can be found at:
29 * http://www.opengroup.org/dce/
30 */
34 #include <string.h>
36 #include <glib.h>
38 #include <epan/packet.h>
39 #include <epan/exceptions.h>
40 #include <epan/conversation.h>
41 #include <epan/prefs.h>
42 #include <epan/reassemble.h>
43 #include <epan/tap.h>
44 #include <epan/wmem/wmem.h>
45 #include <epan/expert.h>
46 #include <epan/strutil.h>
47 #include <epan/addr_resolv.h>
48 #include <epan/show_exception.h>
49 #include <epan/dissectors/packet-dcerpc.h>
50 #include <epan/dissectors/packet-dcerpc-nt.h>
54 /* 32bit Network Data Representation, see DCE/RPC Appendix I */
58 /* 64bit Network Data Representation, introduced in Windows Server 2008 */
62 /* Bind Time Feature Negotiation, see [MS-RPCE] 3.3.1.5.3 */
63 static e_uuid_t uuid_bind_time_feature_nego_00 = { 0x6cb71c2c, 0x9812, 0x4540, { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } };
64 static e_uuid_t uuid_bind_time_feature_nego_01 = { 0x6cb71c2c, 0x9812, 0x4540, { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } };
65 static e_uuid_t uuid_bind_time_feature_nego_02 = { 0x6cb71c2c, 0x9812, 0x4540, { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } };
66 static e_uuid_t uuid_bind_time_feature_nego_03 = { 0x6cb71c2c, 0x9812, 0x4540, { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } };
68 /* see [MS-OXRPC] Appendix A: Full IDL, http://msdn.microsoft.com/en-us/library/ee217991%28v=exchg.80%29.aspx */
95 };
101 };
107 };
109 #define DCE_RPC_DREP_FP_IEEE 0
110 #define DCE_RPC_DREP_FP_VAX 1
111 #define DCE_RPC_DREP_FP_CRAY 2
112 #define DCE_RPC_DREP_FP_IBM 3
120 };
122 /*
123 * Authentication services.
124 */
139 };
141 /*
142 * Protection levels.
143 */
152 };
154 /*
155 * Flag bits in first flag field in connectionless PDU header.
156 */
159 * fragment of a multi-PDU
160 * transmission */
162 a multi-PDU transmission */
164 * requested to send a `fack' PDU
165 * for the fragment */
167 * request */
169 * request */
171 * request */
174 /*
175 * Flag bits in second flag field in connectionless PDU header.
176 */
186 /*
187 * Flag bits in connection-oriented PDU header.
188 */
192 #define PFC_RESERVED_1 0x08
194 * of a single connection. */
196 * if true, guaranteed call did not
197 * execute. */
200 * was specified in the handle, and
201 * is present in the optional object
202 * field. If false, the object field
203 * is omitted. */
205 /*
206 * Tests whether a connection-oriented PDU is fragmented; returns TRUE if
207 * it's not fragmented (i.e., this is both the first *and* last fragment),
208 * and FALSE otherwise.
209 */
210 #define PFC_NOT_FRAGMENTED(hdr) \
211 ((hdr->flags&(PFC_FIRST_FRAG|PFC_LAST_FRAG)) == (PFC_FIRST_FRAG|PFC_LAST_FRAG))
213 /*
214 * Presentation context negotiation result.
215 */
222 };
224 /*
225 * Presentation context negotiation rejection reasons.
226 */
233 };
235 /*
236 * Reject reasons.
237 */
238 #define REASON_NOT_SPECIFIED 0
239 #define TEMPORARY_CONGESTION 1
240 #define LOCAL_LIMIT_EXCEEDED 2
242 #define PROTOCOL_VERSION_NOT_SUPPORTED 4
261 };
263 /*
264 * Reject status codes.
265 */
313 /* MS Windows specific values
314 * see: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/system_error_codes__1700-3999_.asp
315 * and: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/common_hresult_values.asp
316 * and: http://www.megos.ch/support/doserrors.txt
317 *
318 * XXX - we might need a way to dynamically add entries here, as higher layer protocols use these values too,
319 * at least MS protocols (like DCOM) do it that way ... */
349 };
352 /*
353 * RTS Flags
354 */
355 #define RTS_FLAG_NONE 0x0000
356 #define RTS_FLAG_PING 0x0001
357 #define RTS_FLAG_OTHER_CMD 0x0002
358 #define RTS_FLAG_RECYCLE_CHANNEL 0x0004
359 #define RTS_FLAG_IN_CHANNEL 0x0008
360 #define RTS_FLAG_OUT_CHANNEL 0x0010
361 #define RTS_FLAG_EOF 0x0020
362 #define RTS_FLAG_ECHO 0x0040
364 /*
365 * RTS Commands
366 */
368 #define RTS_CMD_RECEIVEWINDOWSIZE 0x0
369 #define RTS_CMD_FLOWCONTROLACK 0x1
370 #define RTS_CMD_CONNECTIONTIMEOUT 0x2
371 #define RTS_CMD_COOKIE 0x3
372 #define RTS_CMD_CHANNELLIFETIME 0x4
373 #define RTS_CMD_CLIENTKEEPALIVE 0x5
374 #define RTS_CMD_VERSION 0x6
375 #define RTS_CMD_EMPTY 0x7
376 #define RTS_CMD_PADDING 0x8
377 #define RTS_CMD_NEGATIVEANCE 0x9
378 #define RTS_CMD_ANCE 0xA
379 #define RTS_CMD_CLIENTADDRESS 0xB
380 #define RTS_CMD_ASSOCIATIONGROUPID 0xC
381 #define RTS_CMD_DESTINATION 0xD
382 #define RTS_CMD_PINGTRAFFICSENTNOTIFY 0xE
401 };
403 /*
404 * RTS client address type
405 */
406 #define RTS_IPV4 0
407 #define RTS_IPV6 1
413 };
415 /*
416 * RTS Forward destination
417 */
425 };
427 /* we need to keep track of what transport were used, ie what handle we came
428 * in through so we know what kind of pinfo->dce_smb_fid was passed to us.
429 */
430 /* Value of -1 is reserved for "not DCE packet" in packet_info.dcetransporttype. */
431 #define DCE_TRANSPORT_UNKNOWN 0
432 #define DCE_CN_TRANSPORT_SMBPIPE 1
437 /* field defines */
625 NULL,
627 /* Reassembled data field */
628 NULL,
629 "fragments"
630 };
632 /* list of hooks to be called when init_protocols is done */
633 GHookList dcerpc_hooks_init_protos;
637 {
641 di_counter++;
644 }
649 }
651 /* try to desegment big DCE/RPC packets over TCP? */
654 /* reassemble DCE/RPC fragments */
655 /* reassembly of cl dcerpc fragments will not work for the case where ONE frame
656 might contain multiple dcerpc fragments for different PDUs.
657 this case would be so unusual/weird so if you got captures like that:
658 too bad
660 reassembly of co dcerpc fragments will not work for the case where TCP/SMB frames
661 are coming in out of sequence, but that will hurt in a lot of other places as well.
662 */
668 address src;
669 address dst;
670 guint32 id;
671 e_uuid_t act_id;
674 static guint
676 {
678 guint hash_val;
688 }
690 static gint
692 {
696 /*key.id is the first item to compare since item is most
697 likely to differ between sessions, thus shortcircuiting
698 the comparison of addresses.
699 */
705 }
707 /* allocate a persistent dcerpc fragment key to insert in the hash */
711 {
721 }
723 /* allocate a persistent dcerpc fragment key to insert in the hash */
727 {
737 }
739 static void
741 {
746 }
748 static void
750 {
754 /*
755 * Free up the copies of the addresses from the old key.
756 */
761 }
762 }
765 dcerpc_fragment_hash,
766 dcerpc_fragment_equal,
767 dcerpc_fragment_temporary_key,
768 dcerpc_fragment_persistent_key,
769 dcerpc_fragment_free_temporary_key,
770 dcerpc_fragment_free_persistent_key
771 };
773 static void
775 {
776 /*
777 * XXX - addresses_ports_reassembly_table_functions?
778 * Or can a single connection-oriented DCE RPC session persist
779 * over multiple transport layer connections?
780 */
785 }
787 /*
788 * Authentication subdissectors. Used to dissect authentication blobs in
789 * DCERPC binds, requests and responses.
790 */
793 guint8 auth_level;
794 guint8 auth_type;
795 dcerpc_auth_subdissector_fns auth_fns;
802 {
803 gpointer data;
812 }
815 }
819 {
832 }
834 /* Hand off verifier data to a registered dissector */
841 {
843 /* XXX - "stub" a fake DCERPC INFO STRUCTURE
844 If a dcerpc_info is really needed, update
845 the call stacks to include it
846 */
847 FAKE_DCERPC_INFO_STRUCTURE
868 /* Don't know how to handle authentication data in this
869 pdu type. */
875 }
884 authn_protocol_vals,
886 }
887 }
889 /* Hand off payload data to a registered dissector */
895 gboolean is_request,
897 {
902 else
909 }
911 /*
912 * Subdissectors
913 */
915 /* the registered subdissectors */
918 static gint
920 {
925 }
927 static guint
929 {
931 /* This isn't perfect, but the Data1 part of these is almost always
932 unique. */
934 }
936 void
939 {
961 /* add this GUID to the global name resolving */
964 /* Register the samr.nt_password preference as obsolete */
965 /* This should be in packet-dcerpc-samr.c */
969 }
970 }
972 /* Function to find the name of a registered protocol
973 * or NULL if the protocol/version is not known to wireshark.
974 */
977 {
978 dcerpc_uuid_key key;
985 }
987 }
989 /* Function to find the opnum hf-field of a registered protocol
990 * or -1 if the protocol/version is not known to wireshark.
991 */
992 int
994 {
995 dcerpc_uuid_key key;
1002 }
1004 }
1006 /* Create a value_string consisting of DCERPC opnum and name from a
1007 subdissector array. */
1010 {
1015 again:
1021 num_sd++;
1022 }
1027 }
1033 }
1035 /* Function to find the subdissector table of a registered protocol
1036 * or NULL if the protocol/version is not known to wireshark.
1037 */
1038 dcerpc_sub_dissector *
1040 {
1041 dcerpc_uuid_key key;
1048 }
1050 }
1053 /*
1054 * To keep track of ctx_id mappings.
1055 *
1056 * Every time we see a bind call we update this table.
1057 * Note that we always specify a SMB FID. For non-SMB transports this
1058 * value is 0.
1059 */
1064 guint16 ctx_id;
1065 guint16 smb_fid;
1069 e_uuid_t uuid;
1070 guint16 ver;
1071 e_uuid_t transport;
1074 static gint
1076 {
1082 }
1084 static guint
1086 {
1088 guint hash;
1093 }
1095 /*
1096 * To keep track of callid mappings. Should really use some generic
1097 * conversation support instead.
1098 */
1104 guint32 call_id;
1105 guint16 smb_fid;
1110 guint32 seqnum;
1111 e_uuid_t act_id ;
1115 static gint
1117 {
1123 }
1125 static gint
1127 {
1133 }
1135 static guint
1137 {
1140 }
1142 static guint
1144 {
1152 }
1154 /* to keep track of matched calls/responses
1155 this one uses the same value struct as calls, but the key is the frame id
1156 and call id; there can be more than one call in a frame.
1158 XXX - why not just use the same keys as are used for calls?
1159 */
1164 guint32 frame;
1165 guint32 call_id;
1168 static gint
1170 {
1175 }
1177 static guint
1179 {
1182 }
1186 /*
1187 * Utility functions. Modeled after packet-rpc.c
1188 */
1190 int
1194 {
1195 guint8 data;
1200 }
1204 }
1206 int
1210 {
1211 guint16 data;
1219 }
1223 }
1225 int
1229 {
1230 guint32 data;
1238 }
1242 }
1244 /* handles 32 bit unix time_t */
1245 int
1249 {
1250 guint32 data;
1251 nstime_t tv;
1261 /* special case, no time specified */
1265 }
1266 }
1271 }
1273 int
1277 {
1278 guint64 data;
1287 /* This might be a field that is either 32bit, in NDR or
1288 64 bits in NDR64. So we must be careful and call the right
1289 helper here
1290 */
1303 }
1304 }
1308 }
1311 int
1315 {
1316 gfloat data;
1326 }
1332 /* ToBeDone: non IEEE floating formats */
1333 /* Set data to a negative infinity value */
1336 proto_tree_add_debug_text(tree, "DCE RPC: dissection of non IEEE floating formats currently not implemented (drep=%u)!", drep[1]);
1337 }
1338 }
1342 }
1345 int
1349 {
1350 gdouble data;
1360 }
1366 /* ToBeDone: non IEEE double formats */
1367 /* Set data to a negative infinity value */
1370 proto_tree_add_debug_text(tree, "DCE RPC: dissection of non IEEE double formats currently not implemented (drep=%u)!", drep[1]);
1371 }
1372 }
1376 }
1379 int
1383 {
1384 e_uuid_t uuid;
1391 }
1394 }
1397 }
1399 }
1402 /*
1403 * a couple simpler things
1404 */
1405 guint16
1407 {
1412 }
1413 }
1415 guint32
1417 {
1422 }
1423 }
1425 void
1427 {
1432 }
1433 }
1436 /* NDR arrays */
1437 /* function to dissect a unidimensional conformant array */
1438 int
1442 {
1443 guint32 i;
1449 }
1452 guint64 val;
1454 /* conformant run, just dissect the max_count header */
1464 /* we don't remember where in the bytestream this field was */
1465 proto_tree_add_uint(tree, hf_dcerpc_array_max_count, tvb, di->array_max_count_offset, conformance_size, di->array_max_count);
1467 /* real run, dissect the elements */
1470 }
1471 }
1474 }
1476 /* function to dissect a unidimensional conformant and varying array
1477 * depending on the dissection function passed as a parameter,
1478 * content of the array will be dissected as a block or byte by byte
1479 */
1480 static int
1485 {
1486 guint32 i;
1492 }
1495 guint64 val;
1497 /* conformant run, just dissect the max_count header */
1518 /* we don't remember where in the bytestream these fields were */
1519 proto_tree_add_uint(tree, hf_dcerpc_array_max_count, tvb, di->array_max_count_offset, conformance_size, di->array_max_count);
1520 proto_tree_add_uint(tree, hf_dcerpc_array_offset, tvb, di->array_offset_offset, conformance_size, di->array_offset);
1521 proto_tree_add_uint(tree, hf_dcerpc_array_actual_count, tvb, di->array_actual_count_offset, conformance_size, di->array_actual_count);
1523 /* real run, dissect the elements */
1532 }
1533 }
1534 }
1537 }
1539 int
1543 {
1545 }
1547 int
1551 {
1553 }
1554 /* function to dissect a unidimensional varying array */
1555 int
1559 {
1560 guint32 i;
1566 }
1569 guint64 val;
1571 /* conformant run, just dissect the max_count header */
1587 /* we don't remember where in the bytestream these fields were */
1588 proto_tree_add_uint(tree, hf_dcerpc_array_offset, tvb, di->array_offset_offset, conformance_size, di->array_offset);
1589 proto_tree_add_uint(tree, hf_dcerpc_array_actual_count, tvb, di->array_actual_count_offset, conformance_size, di->array_actual_count);
1591 /* real run, dissect the elements */
1594 }
1595 }
1598 }
1600 /* Dissect an string of bytes. This corresponds to
1601 IDL of the form '[string] byte *foo'.
1603 It can also be used for a conformant varying array of bytes if
1604 the contents of the array should be shown as a big blob, rather
1605 than showing each byte as an individual element.
1607 XXX - which of those is really the IDL type for, for example,
1608 the encrypted data in some MAPI packets? (Microsoft hasn't
1609 released that IDL.)
1611 XXX - does this need to do all the conformant array stuff that
1612 "dissect_ndr_ucvarray()" does? These are presumably for strings
1613 that are conformant and varying - they're stored like conformant
1614 varying arrays of bytes. */
1615 int
1618 {
1619 guint64 len;
1622 /* just a run to handle conformant arrays, no scalars to dissect */
1624 }
1626 /* NDR array header */
1642 }
1647 }
1649 /* For dissecting arrays that are to be interpreted as strings. */
1651 /* Dissect an NDR conformant varying string of elements.
1652 The length of each element is given by the 'size_is' parameter;
1653 the elements are assumed to be characters or wide characters.
1655 XXX - does this need to do all the conformant array stuff that
1656 "dissect_ndr_ucvarray()" does? */
1657 int
1661 {
1664 guint64 len;
1665 guint32 buffer_len;
1670 /* just a run to handle conformant arrays, no scalars to dissect */
1672 }
1681 }
1683 /* NDR array header */
1697 /* Adjust offset */
1702 /* XXX - use drep to determine the byte order? */
1703 /* XXX - once we have an ENC_ value for UTF-16, just use
1704 proto_tree_add_item() with the appropriate ENC_ value? */
1705 /* XXX - should this ever be used with something that's *not*
1706 an FT_STRING? */
1717 }
1718 }
1721 /*
1722 * "tvb_get_string()" throws an exception if the entire string
1723 * isn't in the tvbuff. If the length is bogus, this should
1724 * keep us from trying to allocate an immensely large buffer.
1725 * (It won't help if the length is *valid* but immensely large,
1726 * but that's another matter; in any case, that would happen only
1727 * if we had an immensely large tvbuff....)
1728 *
1729 * XXX - if this is an octet string, does the byte order
1730 * matter? Will this ever be anything *other* than an
1731 * octet string? What if size_is is neither 1 nor 2?
1732 */
1738 }
1751 }
1753 int
1757 {
1758 return dissect_ndr_cvstring(tvb, offset, pinfo, tree, di, drep, size_is, hfindex, add_subtree, data);
1759 }
1761 /* Dissect an conformant varying string of chars.
1762 This corresponds to IDL of the form '[string] char *foo'.
1764 XXX - at least according to the DCE RPC 1.1 spec, a string has
1765 a null terminator, which isn't necessary as a terminator for
1766 the transfer language (as there's a length), but is presumably
1767 there for the benefit of null-terminated-string languages
1768 such as C. Is this ever used for purely counted strings?
1769 (Not that it matters if it is.) */
1770 int
1773 {
1777 }
1779 /* Dissect a conformant varying string of wchars (wide characters).
1780 This corresponds to IDL of the form '[string] wchar *foo'
1782 XXX - at least according to the DCE RPC 1.1 spec, a string has
1783 a null terminator, which isn't necessary as a terminator for
1784 the transfer language (as there's a length), but is presumably
1785 there for the benefit of null-terminated-string languages
1786 such as C. Is this ever used for purely counted strings?
1787 (Not that it matters if it is.) */
1788 int
1791 {
1795 }
1797 /* This function is aimed for PIDL usage and dissects a UNIQUE pointer to
1798 * unicode string.
1799 */
1800 int
1801 PIDL_dissect_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int chsize, int hfindex, guint32 param)
1802 {
1811 /* Append string to COL_INFO */
1814 }
1815 /* Save string to dcv->private_data */
1820 }
1821 /* Append string to upper-level proto_items */
1825 levels--;
1829 levels--;
1833 levels--;
1834 }
1835 }
1836 }
1838 }
1841 }
1843 /* Dissect an NDR varying string of elements.
1844 The length of each element is given by the 'size_is' parameter;
1845 the elements are assumed to be characters or wide characters.
1846 */
1847 int
1851 {
1854 guint64 len;
1855 guint32 buffer_len;
1860 /* just a run to handle conformant arrays, no scalars to dissect */
1862 }
1871 }
1873 /* NDR array header */
1883 /* Adjust offset */
1888 /* XXX - use drep to determine the byte order? */
1889 /* XXX - once we have an ENC_ value for UTF-16, just use
1890 proto_tree_add_item() with the appropriate ENC_ value? */
1891 /* XXX - should this ever be used with something that's *not*
1892 an FT_STRING? */
1903 }
1904 }
1907 /*
1908 * "tvb_get_string()" throws an exception if the entire string
1909 * isn't in the tvbuff. If the length is bogus, this should
1910 * keep us from trying to allocate an immensely large buffer.
1911 * (It won't help if the length is *valid* but immensely large,
1912 * but that's another matter; in any case, that would happen only
1913 * if we had an immensely large tvbuff....)
1914 *
1915 * XXX - if this is an octet string, does the byte order
1916 * matter? Will this ever be anything *other* than an
1917 * octet string? What if size_is is neither 1 nor 2?
1918 */
1924 }
1937 }
1939 /* Dissect an varying string of chars.
1940 This corresponds to IDL of the form '[string] char *foo'.
1942 XXX - at least according to the DCE RPC 1.1 spec, a string has
1943 a null terminator, which isn't necessary as a terminator for
1944 the transfer language (as there's a length), but is presumably
1945 there for the benefit of null-terminated-string languages
1946 such as C. Is this ever used for purely counted strings?
1947 (Not that it matters if it is.) */
1948 int
1951 {
1955 }
1957 /* Dissect a varying string of wchars (wide characters).
1958 This corresponds to IDL of the form '[string] wchar *foo'
1960 XXX - at least according to the DCE RPC 1.1 spec, a string has
1961 a null terminator, which isn't necessary as a terminator for
1962 the transfer language (as there's a length), but is presumably
1963 there for the benefit of null-terminated-string languages
1964 such as C. Is this ever used for purely counted strings?
1965 (Not that it matters if it is.) */
1966 int
1969 {
1973 }
1976 /* ndr pointer handling */
1977 /* list of pointers encountered so far */
1980 /* position where in the list to insert newly encountered pointers */
1983 /* Boolean controlling whether pointers are top-level or embedded */
1986 /* as a kludge, we represent all embedded reference pointers as id == -1
1987 hoping that his will not collide with any non-ref pointers */
1989 guint32 id;
1998 void
2000 {
2007 }
2012 }
2014 int
2015 dissect_deferred_pointers(packet_info *pinfo, tvbuff_t *tvb, int offset, dcerpc_info *di, guint8 *drep)
2016 {
2039 /* first a run to handle any conformant
2040 array headers */
2047 /* This is to check for any bugs in the dissectors.
2048 *
2049 * Basically, the NDR representation will store all
2050 * arrays in two blocks, one block with the dimension
2051 * description, like size, number of elements and such,
2052 * and another block that contains the actual data stored
2053 * in the array.
2054 * If the array is embedded directly inside another,
2055 * encapsulating aggregate type, like a union or struct,
2056 * then these two blocks will be stored at different places
2057 * in the bytestream, with other data between the blocks.
2058 *
2059 * For this reason, all pointers to types (both aggregate
2060 * and scalar, for simplicity no distinction is made)
2061 * will have its dissector called twice.
2062 * The dissector will first be called with conformant_run == 1
2063 * in which mode the dissector MUST NOT consume any data from
2064 * the tvbuff (i.e. may not dissect anything) except the
2065 * initial control block for arrays.
2066 * The second time the dissector is called, with
2067 * conformant_run == 0, all other data for the type will be
2068 * dissected.
2069 *
2070 * All dissect_ndr_<type> dissectors are already prepared
2071 * for this and knows when it should eat data from the tvb
2072 * and when not to, so implementors of dissectors will
2073 * normally not need to worry about this or even know about
2074 * it. However, if a dissector for an aggregate type calls
2075 * a subdissector from outside packet-dcerpc.c, such as
2076 * the dissector in packet-smb.c for NT Security Descriptors
2077 * as an example, then it is VERY important to encapsulate
2078 * this call to an external subdissector with the appropriate
2079 * test for conformant_run, i.e. it will need something like
2080 *
2081 * dcerpc_info *di (received as function parameter)
2082 *
2083 * if (di->conformant_run) {
2084 * return offset;
2085 * }
2086 *
2087 * to make sure it makes the right thing.
2088 * This assert will signal when someone has forgotten to
2089 * make the dissector aware of this requirement.
2090 */
2092 /* now we dissect the actual pointer */
2097 tnpd->callback(pinfo, tnpd->tree, tnpd->item, di, tvb, old_offset, offset, tnpd->callback_args);
2100 }
2101 }
2105 }
2108 static void
2112 {
2115 /* check if this pointer is valid */
2125 }
2126 }
2128 /* if we haven't seen the request bail out since we cant
2129 know whether this is the first non-NULL instance
2130 or not */
2132 /* XXX THROW EXCEPTION */
2133 }
2135 /* We saw this one in the request frame, nothing to
2136 dissect later */
2139 }
2140 }
2141 }
2152 ndr_pointer_list_pos);
2153 ndr_pointer_list_pos++;
2154 }
2157 static int
2159 {
2169 }
2170 }
2171 }
2174 }
2176 /* This function dissects an NDR pointer and stores the callback for later
2177 * deferred dissection.
2178 *
2179 * fnct is the callback function for when we have reached this object in
2180 * the bytestream.
2181 *
2182 * type is what type of pointer.
2183 *
2184 * this is text is what text we should put in any created tree node.
2185 *
2186 * hf_index is what hf value we want to pass to the callback function when
2187 * it is called, the callback can later pick this one up from di->hf_index.
2188 *
2189 * callback is executed after the pointer has been dereferenced.
2190 *
2191 * callback_args is passed as an argument to the callback function
2192 *
2193 * See packet-dcerpc-samr.c for examples
2194 */
2195 int
2200 {
2206 /* this call was only for dissecting the header for any
2207 embedded conformant array. we will not parse any
2208 pointers in this mode.
2209 */
2211 }
2214 }
2217 /*TOP LEVEL REFERENCE POINTER*/
2222 /* we must find out a nice way to do the length here */
2230 }
2232 /*TOP LEVEL FULL POINTER*/
2236 guint64 id;
2239 /* get the referent id */
2243 /* we got a NULL pointer */
2246 pointer_size,
2249 }
2251 /* see if we have seen this pointer before */
2255 /* we have seen this pointer before */
2258 pointer_size,
2261 }
2263 /* new pointer */
2265 pointer_size,
2273 }
2274 /*TOP LEVEL UNIQUE POINTER*/
2277 guint64 id;
2280 /* get the referent id */
2284 /* we got a NULL pointer */
2287 pointer_size,
2290 }
2292 /* new pointer */
2295 pointer_size,
2303 }
2305 /*EMBEDDED REFERENCE POINTER*/
2308 guint64 id;
2311 /* get the referent id */
2315 /* new pointer */
2317 pointer_size,
2326 }
2328 /*EMBEDDED UNIQUE POINTER*/
2331 guint64 id;
2334 /* get the referent id */
2338 /* we got a NULL pointer */
2341 pointer_size,
2344 }
2346 /* new pointer */
2348 pointer_size,
2357 }
2359 /*EMBEDDED FULL POINTER*/
2363 guint64 id;
2366 /* get the referent id */
2370 /* we got a NULL pointer */
2373 pointer_size,
2376 }
2378 /* see if we have seen this pointer before */
2382 /* we have seen this pointer before */
2385 pointer_size,
2388 }
2390 /* new pointer */
2392 pointer_size,
2400 }
2403 after_ref_id:
2404 /* After each top level pointer we have dissected we have to
2405 dissect all deferrals before we move on to the next top level
2406 argument */
2411 }
2413 /* Set the length for the new subtree */
2416 }
2418 }
2420 int
2424 {
2428 }
2429 int
2433 {
2441 }
2442 int
2446 {
2454 }
2456 static void
2459 {
2461 guint auth_pad_offset;
2463 /*
2464 * We don't show stub data unless we have some in the tvbuff;
2465 * however, in the protocol tree, we show, as the number of
2466 * bytes, the reported number of bytes, not the number of bytes
2467 * that happen to be in the tvbuff.
2468 */
2473 /* if auth_pad_len is larger than length then we ignore auth_pad_len totally */
2478 }
2488 /* is the padding is still inside the encrypted blob, don't display it explicit */
2495 }
2501 }
2502 /* If there is auth padding at the end of the stub, display it */
2506 auth_pad_len,
2508 auth_pad_len,
2510 }
2511 }
2512 }
2514 static int
2520 {
2522 dcerpc_uuid_key key;
2542 /*
2543 * We don't have a dissector for this UUID, or the protocol
2544 * for that UUID is disabled.
2545 */
2555 FALSE);
2559 }
2565 }
2566 }
2574 else
2591 else
2593 }
2595 /*
2596 * Put the operation number into the tree along with
2597 * the operation's name.
2598 */
2605 else
2616 }
2621 }
2625 /* Either there was no encryption or we successfully decrypted
2626 the encrypted payload. */
2628 /* We have a subdissector - call it. */
2637 /*
2638 * Remove the authentication padding from the stub data.
2639 */
2642 /*
2643 * OK, the padding length isn't so big that it
2644 * exceeds the stub length. Trim the reported
2645 * length of the tvbuff.
2646 */
2649 /*
2650 * If that exceeds the actual amount of data in
2651 * the tvbuff (which means we have at least one
2652 * byte of authentication padding in the tvbuff),
2653 * trim the actual amount.
2654 */
2662 /*
2663 * The padding length exceeds the stub length.
2664 * Don't bother dissecting the stub, trim the padding
2665 * length to what's in the stub data, and show the
2666 * entire stub as authentication padding.
2667 */
2672 }
2674 /*
2675 * No authentication padding.
2676 */
2680 }
2684 }
2687 /*
2688 * Catch all exceptions other than BoundsError, so that even
2689 * if the stub data is bad, we still show the authentication
2690 * padding, if any.
2691 *
2692 * If we get BoundsError, it means the frame was cut short
2693 * by a snapshot length, so there's nothing more to
2694 * dissect; just re-throw that exception.
2695 */
2696 TRY {
2702 /* If we have a subdissector and it didn't dissect all
2703 data in the tvb, make a note of it. */
2707 remaining,
2709 remaining,
2713 remaining,
2716 }
2718 /*
2719 * Somebody threw an exception that means that there
2720 * was a problem dissecting the payload; that means
2721 * that a dissector was found, so we don't need to
2722 * dissect the payload as data or update the protocol
2723 * or info columns.
2724 *
2725 * Just show the exception and then drive on to show
2726 * the authentication padding.
2727 */
2730 }
2732 /* If there is auth padding at the end of the stub, display it */
2736 auth_pad_len,
2738 auth_pad_len,
2740 }
2744 /* No subdissector - show it as stub data. */
2749 }
2750 }
2756 }
2758 static int
2762 {
2780 /*
2781 * Catch all bounds-error exceptions, so that even if the
2782 * verifier is bad or we don't have all of it, we still
2783 * show the stub data.
2784 */
2785 TRY {
2795 }
2796 }
2799 }
2801 static void
2805 {
2808 /*
2809 * Initially set auth_level and auth_type to zero to indicate that we
2810 * haven't yet seen any authentication level information.
2811 */
2817 /*
2818 * The authentication information is at the *end* of the PDU; in
2819 * request and response PDUs, the request and response stub data
2820 * come before it.
2821 *
2822 * Is there any authentication data (i.e., is the authentication length
2823 * non-zero), and is the authentication length valid (i.e., is it, plus
2824 * 8 bytes for the type/level/pad length/reserved/context id, less than
2825 * or equal to the fragment length minus the starting offset of the
2826 * stub data?)
2827 */
2832 /*
2833 * Yes, there is authentication data, and the length is valid.
2834 * Do we have all the bytes of stub data?
2835 * (If not, we'd throw an exception dissecting *that*, so don't
2836 * bother trying to dissect the authentication information and
2837 * throwing another exception there.)
2838 */
2841 /*
2842 * Either there's no stub data, or the last byte of the stub
2843 * data is present in the captured data, so we shouldn't
2844 * get a BoundsError dissecting the stub data.
2845 *
2846 * Try dissecting the authentication data.
2847 * Catch all exceptions, so that even if the auth info is bad
2848 * or we don't have all of it, we still show the stuff we
2849 * dissect after this, such as stub data.
2850 */
2851 TRY {
2853 hf_dcerpc_auth_type,
2856 hf_dcerpc_auth_level,
2860 hf_dcerpc_auth_pad_len,
2867 /*
2868 * Dissect the authentication data.
2869 */
2882 else
2885 }
2887 /* Compute the size of the auth block. Note that this should not
2888 include auth padding, since when NTLMSSP encryption is used, the
2889 padding is actually inside the encrypted stub */
2894 }
2895 }
2896 }
2899 /* We need to hash in the SMB fid number to generate a unique hash table
2900 * key as DCERPC over SMB allows several pipes over the same TCP/IP
2901 * socket.
2902 * We pass this function the transport type here to make sure we only look
2903 * at this function if it came across an SMB pipe.
2904 * Other transports might need to mix in their own extra multiplexing data
2905 * as well in the future.
2906 */
2909 {
2912 /* DCERPC over smb */
2914 }
2916 /* Some other transport... */
2918 }
2920 /*
2921 * Connection oriented packet types
2922 */
2924 static void
2927 {
2930 guint i;
2931 guint16 ctx_id;
2932 guint8 num_trans_items;
2933 guint j;
2934 e_uuid_t if_id;
2935 e_uuid_t trans_id;
2936 guint32 trans_ver;
2938 dcerpc_auth_info auth_info;
2955 /* padding */
2968 /* save context ID for use with dcerpc_add_conv_to_bind_table() */
2969 /* (if we have multiple contexts, this might cause "decode as"
2970 * to behave unpredictably) */
2976 ENC_NA);
2978 }
2987 }
2989 /* padding */
2995 iface_item = proto_tree_add_item(ctx_tree, hf_dcerpc_cn_bind_abstract_syntax, tvb, offset, 0, ENC_NA);
3010 }
3011 }
3024 }
3029 }
3040 trans_item = proto_tree_add_item(ctx_tree, hf_dcerpc_cn_bind_trans_syntax, tvb, offset, 0, ENC_NA);
3047 uuid_item = proto_tree_add_guid_format(trans_tree, hf_dcerpc_cn_bind_trans_id, tvb, offset, 16, (e_guid_t *) &trans_id, "Transfer Syntax: %s UUID:%s", uuid_name, uuid_str);
3051 uuid_item = proto_tree_add_guid_format(trans_tree, hf_dcerpc_cn_bind_trans_id, tvb, offset, 16, (e_guid_t *) &trans_id, "Transfer Syntax: %s", uuid_str);
3054 }
3056 /* check for [MS-RPCE] 3.3.1.5.3 Bind Time Feature Negotiation */
3059 proto_tree_add_boolean(uuid_tree, hf_dcerpc_cn_bind_trans_btfn_01, tvb, offset+8, 1, trans_id.Data4[0]);
3060 proto_tree_add_boolean(uuid_tree, hf_dcerpc_cn_bind_trans_btfn_02, tvb, offset+8, 1, trans_id.Data4[0]);
3061 }
3062 }
3070 }
3071 }
3073 /* if this is the first time we've seen this packet, we need to
3074 update the dcerpc_binds table so that any later calls can
3075 match to the interface.
3076 XXX We assume that BINDs will NEVER be fragmented.
3077 */
3092 /* add this entry to the bind table */
3094 }
3104 }
3105 }
3107 /*
3108 * XXX - we should save the authentication type *if* we have
3109 * an authentication header, and associate it with an authentication
3110 * context, so subsequent PDUs can use that context.
3111 */
3113 }
3115 static void
3118 {
3120 guint16 sec_addr_len;
3121 guint8 num_results;
3122 guint i;
3125 e_uuid_t trans_id;
3126 guint32 trans_ver;
3127 dcerpc_auth_info auth_info;
3147 }
3151 }
3156 /* padding */
3169 }
3175 /* [MS-RPCE] 3.3.1.5.3 check if this Ctx Item is the response to a Bind Time Feature Negotiation request */
3178 offset = dissect_dcerpc_uint16(tvb, offset, pinfo, ctx_tree, hdr->drep, hf_dcerpc_cn_ack_btfn, &reason);
3186 /*
3187 * The reason for rejection isn't meaningful, and often isn't
3188 * set, when the syntax was accepted.
3189 */
3191 }
3200 }
3203 uuid_name);
3205 }
3214 }
3216 /*
3217 * XXX - do we need to do anything with the authentication level
3218 * we get back from this?
3219 */
3221 }
3223 static void
3226 {
3227 guint16 reason;
3228 guint8 num_protocols;
3229 guint i;
3240 hf_dcerpc_cn_num_protocols,
3246 NULL);
3249 NULL);
3250 }
3251 }
3252 }
3254 /* Return a string describing a DCE/RPC fragment as first, middle, or end
3255 fragment. */
3257 #define PFC_FRAG_MASK 0x03
3261 {
3266 "Single"
3267 };
3269 }
3271 /* Dissect stub data (payload) of a DCERPC packet. */
3273 static void
3278 guint32 frame)
3279 {
3281 gboolean save_fragmented;
3295 /* We don't even have enough bytes for the authentication
3296 stuff. */
3298 }
3305 /*don't bother if we don't have the entire tvb */
3306 /*XXX we should really make sure we calculate auth_info->auth_data
3307 and use that one instead of this auth_tvb hack
3308 */
3312 }
3313 }
3315 /* Decrypt the PDU if it is encrypted */
3319 /*
3320 * We know the authentication type, and the authentication
3321 * level is "Packet privacy", meaning the payload is
3322 * encrypted; attempt to decrypt it.
3323 */
3326 /* Start out assuming we won't succeed in decrypting. */
3328 /* Schannel needs information into the footer (verifier) in order to setup decryption keys
3329 * so we call it in order to have a chance to decipher the data
3330 */
3333 }
3355 /* We succeeded. */
3357 }
3358 }
3362 /* if this packet is not fragmented, just dissect it and exit */
3372 }
3374 /* The packet is fragmented. */
3377 /* debug output of essential fragment data. */
3378 /* leave it here for future debugging sessions */
3379 /*printf("DCE num:%u offset:%u frag_len:%u tvb_len:%u\n",
3380 pinfo->fd->num, offset, hdr->frag_len, tvb_length(decrypted_tvb));*/
3382 /* if we are not doing reassembly and this is the first fragment
3383 then just dissect it and exit
3384 XXX - if we're not doing reassembly, can we decrypt an
3385 encrypted stub?
3386 */
3393 expert_add_info_format(pinfo, NULL, &ei_dcerpc_fragment, "%s fragment", fragment_type(hdr->flags));
3397 }
3399 /* if we have already seen this packet, see if it was reassembled
3400 and if so dissect the full pdu.
3401 then exit
3402 */
3406 }
3408 /* if we are not doing reassembly and it was neither a complete PDU
3409 nor the first fragment then there is nothing more we can do
3410 so we just have to exit
3411 */
3415 /* if we didn't get 'frame' we don't know where the PDU started and thus
3416 it is pointless to continue
3417 */
3421 /* from now on we must attempt to reassemble the PDU
3422 */
3424 /* if we get here we know it is the first time we see the packet
3425 and we also know it is only a fragment and not a full PDU,
3426 thus we must reassemble it.
3427 */
3429 /* Do we have any non-encrypted data to reassemble? */
3431 /* No. We can't even try to reassemble. */
3433 }
3435 /* defragmentation is a bit tricky, as there's no offset of the fragment
3436 * in the protocol data.
3437 *
3438 * just use fragment_add_seq_next() and hope that TCP/SMB segments coming
3439 * in with the correct sequence.
3440 */
3446 end_cn_stub:
3448 /* if reassembly is complete and this is the last fragment
3449 * (multiple fragments in one PDU are possible!)
3450 * dissect the full PDU
3451 */
3464 /* the toplevel fragment subtree is now behind all desegmented data,
3465 * move it right behind the DCE/RPC tree */
3469 }
3473 expert_add_info_format(pinfo, frag_tree_item, &ei_dcerpc_fragment_reassembled, "%s fragment, reassembled", fragment_type(hdr->flags));
3485 }
3490 }
3493 expert_add_info_format(pinfo, NULL, &ei_dcerpc_fragment_reassembled, "%s fragment, reassembled in #%u", fragment_type(hdr->flags), fd_head->reassembled_in);
3494 }
3496 /* Reassembly not complete - some fragments
3497 are missing. Just show the stub data. */
3498 expert_add_info_format(pinfo, NULL, &ei_dcerpc_fragment, "%s fragment", fragment_type(hdr->flags));
3504 }
3505 }
3508 }
3510 /**
3511 * Registers a conversation/UUID binding association, so that
3512 * we can invoke the proper sub-dissector for a given DCERPC
3513 * conversation.
3514 *
3515 * @param binding all values needed to create and bind a new conversation
3516 *
3517 * @return Pointer to newly-added UUID/conversation binding.
3518 */
3521 {
3544 }
3549 /* For now, assume all DCE/RPC we pick from "decode as" is using
3550 standard ndr and not ndr64.
3551 We should make this selectable from the dialog in the future
3552 */
3560 /* add this entry to the bind table */
3565 }
3567 static void
3571 {
3573 guint16 ctx_id;
3574 guint16 opnum;
3576 dcerpc_auth_info auth_info;
3577 guint32 alloc_hint;
3589 }
3594 /* save context ID for use with dcerpc_add_conv_to_bind_table() */
3606 }
3608 }
3610 /*
3611 * XXX - what if this was set when the connection was set up,
3612 * and we just have a security context?
3613 */
3624 /* !!! we can NOT check flags.visited here since this will interact
3625 badly with when SMB handles (i.e. calls the subdissector)
3626 and desegmented pdu's .
3627 Instead we check if this pdu is already in the matched table or not
3628 */
3633 dcerpc_bind_key bind_key;
3642 dcerpc_cn_call_key call_key;
3649 new_matched_key = (dcerpc_matched_key *)wmem_alloc(wmem_file_scope(), sizeof (dcerpc_matched_key));
3653 }
3658 /* We found the binding and it is the first fragment
3659 (or a complete PDU) of a dcerpc pdu so just add
3660 the call to both the call table and the
3661 matched table
3662 */
3668 /* if there is already a matching call in the table
3669 remove it so it is replaced with the new one */
3672 }
3689 }
3693 new_matched_key = (dcerpc_matched_key *)wmem_alloc(wmem_file_scope(), sizeof (dcerpc_matched_key));
3697 }
3698 }
3699 }
3705 /* handoff this call */
3719 }
3720 }
3726 /* no bind information, simply show stub data */
3727 proto_tree_add_expert_format(dcerpc_tree, pinfo, &ei_dcerpc_cn_ctx_id_no_bind, tvb, offset, 0, "No bind info for interface Context ID %u - capture start too late?", ctx_id);
3729 }
3730 }
3732 /* Dissect the verifier */
3735 }
3737 static void
3741 {
3744 guint16 ctx_id;
3745 dcerpc_auth_info auth_info;
3746 guint32 alloc_hint;
3759 }
3761 /* save context ID for use with dcerpc_add_conv_to_bind_table() */
3768 /* padding */
3769 offset++;
3771 /*
3772 * XXX - what if this was set when the connection was set up,
3773 * and we just have a security context?
3774 */
3781 /* no point in creating one here, really */
3786 /* !!! we can NOT check flags.visited here since this will interact
3787 badly with when SMB handles (i.e. calls the subdissector)
3788 and desegmented pdu's .
3789 Instead we check if this pdu is already in the matched table or not
3790 */
3795 dcerpc_cn_call_key call_key;
3803 /* extra sanity check, only match them if the reply
3804 came after the request */
3806 new_matched_key = (dcerpc_matched_key *)wmem_alloc(wmem_file_scope(), sizeof (dcerpc_matched_key));
3812 }
3813 }
3814 }
3815 }
3821 /* handoff this call */
3830 /* (optional) "Object UUID" from request */
3836 }
3838 /* request in */
3840 nstime_t delta_ts;
3846 }
3852 }
3858 /* no bind information, simply show stub data */
3859 proto_tree_add_expert_format(dcerpc_tree, pinfo, &ei_dcerpc_cn_ctx_id_no_bind, tvb, offset, 0, "No bind info for interface Context ID %u - capture start too late?", ctx_id);
3861 }
3862 }
3864 /* Dissect the verifier */
3866 }
3868 static void
3871 {
3874 guint16 ctx_id;
3875 guint32 status;
3876 guint32 alloc_hint;
3877 dcerpc_auth_info auth_info;
3888 /* padding */
3889 offset++;
3891 #if 0
3894 #endif
3899 pi = proto_tree_add_item(dcerpc_tree, hf_dcerpc_cn_status, tvb, offset, 4, DREP_ENC_INTEGER(hdr->drep));
3902 expert_add_info_format(pinfo, pi, &ei_dcerpc_cn_status, "Fault: %s", val_to_str(status, reject_status_vals, "Unknown (0x%08x)"));
3904 /* save context ID for use with dcerpc_add_conv_to_bind_table() */
3912 /* padding */
3915 /*
3916 * XXX - what if this was set when the connection was set up,
3917 * and we just have a security context?
3918 */
3924 /* no point in creating one here, really */
3928 /* !!! we can NOT check flags.visited here since this will interact
3929 badly with when SMB handles (i.e. calls the subdissector)
3930 and desegmented pdu's .
3931 Instead we check if this pdu is already in the matched table or not
3932 */
3937 dcerpc_cn_call_key call_key;
3945 new_matched_key = (dcerpc_matched_key *)wmem_alloc(wmem_file_scope(), sizeof (dcerpc_matched_key));
3952 }
3954 }
3955 }
3963 /* handoff this call */
3972 nstime_t delta_ts;
3979 }
3985 }
3988 /* as we now create a tvb in dissect_dcerpc_cn() containing only the
3989 * stub_data, the following calculation is no longer valid:
3990 * stub_length = hdr->frag_len - offset - auth_info.auth_size;
3991 * simply use the remaining length of the tvb instead.
3992 * XXX - or better use the reported_length?!?
3993 */
3998 /* If we don't have reassembly enabled, or this packet contains
3999 the entire PDU, or if we don't have all the data in this
4000 fragment, just call the handoff directly if this is the
4001 first fragment or the PDU isn't fragmented. */
4005 /* First fragment, possibly the only fragment */
4006 /*
4007 * XXX - should there be a third routine for each
4008 * function in an RPC subdissector, to handle
4009 * fault responses? The DCE RPC 1.1 spec says
4010 * three's "stub data" here, which I infer means
4011 * that it's protocol-specific and call-specific.
4012 *
4013 * It should probably get passed the status code
4014 * as well, as that might be protocol-specific.
4015 */
4021 stub_length,
4023 }
4024 }
4026 /* PDU is fragmented and this isn't the first fragment */
4032 stub_length,
4034 }
4035 }
4036 }
4038 /* Reassembly is enabled, the PDU is fragmented, and
4039 we have all the data in the fragment; the first two
4040 of those mean we should attempt reassembly, and the
4041 third means we can attempt reassembly. */
4047 stub_length,
4049 }
4050 }
4056 stub_length,
4057 TRUE);
4058 }
4066 stub_length,
4067 TRUE);
4070 /* We completed reassembly */
4079 /*
4080 * XXX - should there be a third routine for each
4081 * function in an RPC subdissector, to handle
4082 * fault responses? The DCE RPC 1.1 spec says
4083 * three's "stub data" here, which I infer means
4084 * that it's protocol-specific and call-specific.
4085 *
4086 * It should probably get passed the status code
4087 * as well, as that might be protocol-specific.
4088 */
4094 stub_length,
4096 }
4097 }
4098 }
4099 }
4105 stub_length,
4106 TRUE);
4107 }
4108 }
4109 }
4110 }
4111 }
4112 }
4114 static void
4117 {
4121 guint16 rts_flags;
4124 guint32 i;
4127 /* Dissect specific RTS header */
4134 proto_tree_add_boolean(cn_rts_flags_tree, hf_dcerpc_cn_rts_flags_none, tvb, offset, 1, rts_flags);
4135 proto_tree_add_boolean(cn_rts_flags_tree, hf_dcerpc_cn_rts_flags_ping, tvb, offset, 1, rts_flags);
4136 proto_tree_add_boolean(cn_rts_flags_tree, hf_dcerpc_cn_rts_flags_other_cmd, tvb, offset, 1, rts_flags);
4137 proto_tree_add_boolean(cn_rts_flags_tree, hf_dcerpc_cn_rts_flags_recycle_channel, tvb, offset, 1, rts_flags);
4138 proto_tree_add_boolean(cn_rts_flags_tree, hf_dcerpc_cn_rts_flags_in_channel, tvb, offset, 1, rts_flags);
4139 proto_tree_add_boolean(cn_rts_flags_tree, hf_dcerpc_cn_rts_flags_out_channel, tvb, offset, 1, rts_flags);
4140 proto_tree_add_boolean(cn_rts_flags_tree, hf_dcerpc_cn_rts_flags_eof, tvb, offset, 1, rts_flags);
4141 }
4147 /* Create the RTS PDU tree - we do not yet know its name */
4148 tf = proto_tree_add_text(dcerpc_tree, tvb, offset, tvb_length_remaining(tvb, offset), "RTS PDU: %u commands", commands_nb);
4153 /* Dissect commands */
4163 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_receivewindowsize, NULL);
4166 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_fack_bytesreceived, NULL);
4167 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_fack_availablewindow, NULL);
4168 offset = dissect_dcerpc_uuid_t(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_fack_channelcookie, NULL);
4171 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_connectiontimeout, NULL);
4174 offset = dissect_dcerpc_uuid_t(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_cookie, NULL);
4177 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_channellifetime, NULL);
4180 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_clientkeepalive, NULL);
4183 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_version, NULL);
4190 proto_tree_add_uint(cn_rts_command_tree, hf_dcerpc_cn_rts_command_conformancecount, tvb, offset, 4, conformance_count);
4193 proto_tree_add_bytes(cn_rts_command_tree, hf_dcerpc_cn_rts_command_padding, tvb, offset, conformance_count, padding);
4203 proto_tree_add_uint(cn_rts_command_tree, hf_dcerpc_cn_rts_command_addrtype, tvb, offset, 4, addrtype);
4217 }
4219 proto_tree_add_bytes(cn_rts_command_tree, hf_dcerpc_cn_rts_command_padding, tvb, offset, 12, padding);
4223 offset = dissect_dcerpc_uuid_t(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_associationgroupid, NULL);
4226 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_forwarddestination, NULL);
4229 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, cn_rts_command_tree, hdr->drep, hf_dcerpc_cn_rts_command_pingtrafficsentnotify, NULL);
4234 }
4235 }
4239 /* Define which PDU Body we are dealing with */
4258 }
4265 }
4270 }
4277 }
4280 if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x4) && (cmd[4] == 0x5) && (cmd[5] == 0xC)) {
4282 }
4286 }
4296 }
4300 }
4311 }
4316 }
4320 }
4327 }
4332 }
4335 if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x3) && (cmd[4] == 0x0)) {
4337 }
4341 }
4346 if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x3) && (cmd[4] == 0x0) && (cmd[5] == 0x2)) {
4348 }
4352 }
4356 if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x0) && (cmd[4] == 0x2) && (cmd[5] == 0xC) && (cmd[6] == 0xB)) {
4358 }
4362 }
4366 if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x3) && (cmd[4] == 0x4) && (cmd[5] == 0) && (cmd[6] == 0x2)) {
4368 }
4372 }
4379 }
4386 }
4389 if ((cmd[0] == 0x6) && (cmd[1] == 0x3) && (cmd[2] == 0x3) && (cmd[3] == 0x4) && (cmd[4] == 0x0)) {
4391 }
4395 }
4401 }
4405 }
4414 }
4418 }
4426 }
4427 }
4429 /*
4430 * DCERPC dissector for connection oriented calls.
4431 * We use transport type to later multiplex between what kind of
4432 * pinfo->private_data structure to expect.
4433 */
4434 static gboolean
4437 {
4447 e_dce_cn_common_hdr_t hdr;
4448 dcerpc_auth_info auth_info;
4451 /*
4452 * when done over nbt, dcerpc requests are padded with 4 bytes of null
4453 * data for some reason.
4454 *
4455 * XXX - if that's always the case, the right way to do this would
4456 * be to have a "dissect_dcerpc_cn_nb" routine which strips off
4457 * the 4 bytes of null padding, and make that the dissector
4458 * used for "netbios".
4459 */
4462 /*
4463 * Skip the padding.
4464 */
4467 }
4468 /*
4469 * Check if this looks like a C/O DCERPC call
4470 */
4473 }
4494 /*offset += 4;*/
4499 /* this is not the first DCE-RPC request/response in this (TCP?-)PDU,
4500 * prepend a delimiter */
4502 }
4510 }
4515 /* this is not the first DCE-RPC request/response in this (TCP?-)PDU,
4516 * append a delimiter and set a column fence */
4519 }
4524 /* this is not the first DCE-RPC request/response in this (TCP?-)PDU */
4526 }
4533 }
4536 offset++;
4539 offset++;
4542 offset++;
4547 expert_add_info_format(pinfo, tf, &ei_dcerpc_context_change, "Context change: %s", val_to_str(hdr.ptype, pckt_vals, "(0x%x)"));
4548 #endif
4559 }
4565 proto_tree_add_boolean(cn_flags_tree, hf_dcerpc_cn_flags_cancel_pending, tvb, offset, 1, hdr.flags);
4566 proto_tree_add_boolean(cn_flags_tree, hf_dcerpc_cn_flags_last_frag, tvb, offset, 1, hdr.flags);
4567 proto_tree_add_boolean(cn_flags_tree, hf_dcerpc_cn_flags_first_frag, tvb, offset, 1, hdr.flags);
4568 offset++;
4575 }
4592 }
4594 /*
4595 * None of the stuff done above should throw an exception, because
4596 * we would have rejected this as "not DCE RPC" if we didn't have all
4597 * of it. (XXX - perhaps we should request reassembly if we have
4598 * enough of the header to consider it DCE RPC but not enough to
4599 * get the fragment length; in that case the stuff still wouldn't
4600 * throw an exception.)
4601 *
4602 * The rest of the stuff might, so return the PDU length to our caller.
4603 * XXX - should we construct a tvbuff containing only the PDU and
4604 * use that? Or should we have separate "is this a DCE RPC PDU",
4605 * "how long is it", and "dissect it" routines - which might let us
4606 * do most of the work in "tcp_dissect_pdus()"?
4607 */
4611 /* The remaining bytes in the current tvb might contain multiple
4612 * DCE/RPC fragments, so create a new tvb subset for this fragment.
4613 * Only limit the end of the fragment, but not the offset start,
4614 * as the authentication function dissect_dcerpc_cn_auth() will fail
4615 * (and other functions might fail as well) computing the right start
4616 * offset otherwise.
4617 */
4623 /*
4624 * Packet type specific stuff is next.
4625 */
4629 dissect_dcerpc_cn_bind(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr);
4634 dissect_dcerpc_cn_bind_ack(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr);
4638 /*
4639 * Nothing after the common header other than credentials.
4640 */
4641 dissect_dcerpc_cn_auth(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr, TRUE,
4646 dissect_dcerpc_cn_rqst(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, tree, &hdr);
4650 dissect_dcerpc_cn_resp(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, tree, &hdr);
4654 dissect_dcerpc_cn_fault(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr);
4658 dissect_dcerpc_cn_bind_nak(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr);
4663 /*
4664 * Nothing after the common header other than an authentication
4665 * verifier.
4666 */
4667 dissect_dcerpc_cn_auth(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr, FALSE,
4672 /*
4673 * Nothing after the common header, not even an authentication
4674 * verifier.
4675 */
4678 dissect_dcerpc_cn_rts(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr);
4682 /* might as well dissect the auth info */
4683 dissect_dcerpc_cn_auth(fragment_tvb, MIN(offset - start_offset, subtvb_len), pinfo, dcerpc_tree, &hdr, FALSE,
4686 }
4688 }
4690 /*
4691 * DCERPC dissector for connection oriented calls over packet-oriented
4692 * transports
4693 */
4694 static gboolean
4696 {
4697 /*
4698 * Only one PDU per transport packet, and only one transport
4699 * packet per PDU.
4700 */
4703 /*
4704 * It wasn't a DCERPC PDU.
4705 */
4708 /*
4709 * It was.
4710 */
4712 }
4713 }
4715 /*
4716 * DCERPC dissector for connection oriented calls over byte-stream
4717 * transports.
4718 * we need to distinguish here between SMB and non-TCP (more in the future?)
4719 * to be able to know what kind of private_data structure to expect.
4720 */
4721 static gboolean
4723 {
4729 /*
4730 * There may be multiple PDUs per transport packet; keep
4731 * processing them.
4732 */
4734 TRY {
4738 dcerpc_pdus++;
4739 }
4741 /*
4742 * Somebody threw an exception that means that there
4743 * was a problem dissecting the payload; that means
4744 * that a dissector was found, so we don't need to
4745 * dissect the payload as data or update the protocol
4746 * or info columns.
4747 *
4748 * Just show the exception and then continue dissecting
4749 * PDUs.
4750 */
4752 /*
4753 * Presumably it looked enough like a DCE RPC PDU that we
4754 * dissected enough of it to throw an exception.
4755 */
4756 dcerpc_pdus++;
4763 /* look for a previous occurence of the DCE-RPC protocol */
4770 }
4772 }
4773 }
4776 /* It didn't look like DCE-RPC but we already had one DCE-RPC
4777 * layer in this packet and what we have is short. Assume that
4778 * it was just too short to tell and ask the TCP layer for more
4779 * data. */
4781 pinfo->desegment_len = (guint32)(sizeof(e_dce_cn_common_hdr_t) - tvb_length_remaining(tvb, offset));
4783 /* Really not DCE-RPC */
4785 }
4786 }
4788 /*
4789 * Well, we've seen at least one DCERPC PDU.
4790 */
4793 /* if we had more than one Req/Resp in this PDU change the protocol column */
4794 /* this will formerly contain the last interface name, which may not be the same for all Req/Resp */
4799 /*
4800 * Desegmentation required - bail now, but give the user a hint that desegmentation might be done later.
4801 */
4809 }
4811 /*
4812 * Step to the next PDU.
4813 */
4815 }
4817 }
4819 static gboolean
4821 {
4824 }
4826 static gboolean
4828 {
4831 }
4833 static gboolean
4835 {
4838 }
4842 static void
4845 {
4848 guint8 protection_level;
4850 /*
4851 * Initially set "*auth_level_p" to -1 to indicate that we haven't
4852 * yet seen any authentication level information.
4853 */
4857 /*
4858 * The authentication information is at the *end* of the PDU; in
4859 * request and response PDUs, the request and response stub data
4860 * come before it.
4861 *
4862 * If the full packet is here, and there's data past the end of the
4863 * packet body, then dissect the auth info.
4864 */
4875 proto_tree_add_uint(auth_tree, hf_dcerpc_krb5_av_prot_level, tvb, offset, 1, protection_level);
4876 offset++;
4877 proto_tree_add_item(auth_tree, hf_dcerpc_krb5_av_key_vers_num, tvb, offset, 1, ENC_BIG_ENDIAN);
4878 offset++;
4881 else
4884 /*offset += 16;*/
4890 }
4891 }
4892 }
4894 static void
4898 {
4899 guint32 version;
4908 /* The only version we know about */
4911 NULL);
4914 NULL);
4916 }
4917 }
4919 static void
4923 {
4924 guint32 version;
4933 /* The only version we know about */
4936 NULL);
4937 /* XXX - are NDR Booleans 32 bits? */
4939 /* XXX - the RPC reference in chapter: "the cancel PDU" doesn't mention
4940 the accepting_cancels field (it's only in the cancel_ack PDU)! */
4941 /*offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, dcerpc_tree,
4942 hdr->drep, hf_dcerpc_dg_server_accepting_cancels,
4943 NULL);*/
4945 }
4946 }
4948 static void
4952 {
4953 guint8 version;
4954 guint16 serial_num;
4955 guint16 selack_len;
4956 guint i;
4961 /* padding */
4962 offset++;
4970 NULL);
4973 NULL);
4976 NULL);
4981 serial_num);
4988 NULL);
4989 }
4992 }
4993 }
4995 static void
4999 {
5000 guint32 status;
5009 }
5011 static void
5015 {
5017 gboolean save_fragmented;
5036 /* If we don't have reassembly enabled, or this packet contains
5037 the entire PDU, or if this is a short frame (or a frame
5038 not reassembled at a lower layer) that doesn't include all
5039 the data in the fragment, just call the handoff directly if
5040 this is the first fragment or the PDU isn't fragmented. */
5046 /* First fragment, possibly the only fragment */
5048 /*
5049 * XXX - authentication info?
5050 */
5053 reported_length);
5057 /* PDU is fragmented and this isn't the first fragment */
5063 stub_length,
5065 }
5066 }
5067 }
5069 /* Reassembly is enabled, the PDU is fragmented, and
5070 we have all the data in the fragment; the first two
5071 of those mean we should attempt reassembly, and the
5072 third means we can attempt reassembly. */
5079 }
5080 }
5088 /* We completed reassembly... */
5090 /* ...and this is the reassembled RPC PDU */
5096 /*
5097 * XXX - authentication info?
5098 */
5103 /* ...and this isn't the reassembled RPC PDU */
5110 }
5113 }
5114 }
5115 }
5117 }
5119 static void
5123 {
5152 /* NDR64 is not available on dg transports ?*/
5157 new_matched_key = (dcerpc_matched_key *)wmem_alloc(wmem_file_scope(), sizeof(dcerpc_matched_key));
5161 }
5177 }
5192 }
5193 }
5195 }
5197 static void
5201 {
5211 dcerpc_dg_call_key call_key;
5218 new_matched_key = (dcerpc_matched_key *)wmem_alloc(wmem_file_scope(), sizeof (dcerpc_matched_key));
5224 }
5225 }
5226 }
5241 }
5250 nstime_t delta_ts;
5257 }
5263 }
5265 }
5267 static void
5271 {
5273 /* if (!(pinfo->fd->flags.visited)) {*/
5275 dcerpc_dg_call_key call_key;
5283 nstime_t delta_ts;
5291 }
5298 /* }*/
5299 }
5300 }
5302 /*
5303 * DCERPC dissector for connectionless calls
5304 */
5305 static gboolean
5307 {
5314 e_dce_dg_common_hdr_t hdr;
5321 /*
5322 * Check if this looks like a CL DCERPC call. All dg packets
5323 * have an 80 byte header on them. Which starts with
5324 * version (4), pkt_type.
5325 */
5328 }
5330 /* Version must be 4 */
5335 /* Type must be <= 19 or it's not DCE/RPC */
5340 /* flags1 has bit 1 and 8 as reserved so if any of them are set, it is
5341 probably not a DCE/RPC packet
5342 */
5347 /* flags2 has all bits except bit 2 as reserved so if any of them are set
5348 it is probably not DCE/RPC.
5349 */
5394 }
5395 }
5400 offset++;
5404 offset++;
5410 proto_tree_add_boolean(dg_flags1_tree, hf_dcerpc_dg_flags1_rsrvd_80, tvb, offset, 1, hdr.flags1);
5411 proto_tree_add_boolean(dg_flags1_tree, hf_dcerpc_dg_flags1_broadcast, tvb, offset, 1, hdr.flags1);
5412 proto_tree_add_boolean(dg_flags1_tree, hf_dcerpc_dg_flags1_idempotent, tvb, offset, 1, hdr.flags1);
5414 proto_tree_add_boolean(dg_flags1_tree, hf_dcerpc_dg_flags1_nofack, tvb, offset, 1, hdr.flags1);
5416 proto_tree_add_boolean(dg_flags1_tree, hf_dcerpc_dg_flags1_last_frag, tvb, offset, 1, hdr.flags1);
5417 proto_tree_add_boolean(dg_flags1_tree, hf_dcerpc_dg_flags1_rsrvd_01, tvb, offset, 1, hdr.flags1);
5426 }
5427 }
5428 }
5429 offset++;
5435 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_80, tvb, offset, 1, hdr.flags2);
5436 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_40, tvb, offset, 1, hdr.flags2);
5437 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_20, tvb, offset, 1, hdr.flags2);
5438 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_10, tvb, offset, 1, hdr.flags2);
5439 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_08, tvb, offset, 1, hdr.flags2);
5440 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_04, tvb, offset, 1, hdr.flags2);
5441 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_cancel_pending, tvb, offset, 1, hdr.flags2);
5442 proto_tree_add_boolean(dg_flags2_tree, hf_dcerpc_dg_flags2_rsrvd_01, tvb, offset, 1, hdr.flags2);
5446 }
5447 }
5448 }
5449 offset++;
5452 tf = proto_tree_add_bytes(dcerpc_tree, hf_dcerpc_drep, tvb, offset, sizeof (hdr.drep), hdr.drep);
5462 }
5463 }
5468 offset++;
5474 }
5486 }
5487 }
5494 }
5498 nstime_t server_boot;
5507 else
5510 }
5542 /* Fragmented - put the fragment number into the Info column */
5545 }
5550 offset++;
5555 /* Fragmented - put the serial number into the Info column */
5558 }
5559 offset++;
5562 /*
5563 * XXX - for Kerberos, we get a protection level; if it's
5564 * DCE_C_AUTHN_LEVEL_PKT_PRIVACY, we can't dissect the
5565 * stub data.
5566 */
5569 }
5571 /*
5572 * keeping track of the conversation shouldn't really be necessary
5573 * for connectionless packets, because everything we need to know
5574 * to dissect is in the header for each packet. Unfortunately,
5575 * Microsoft's implementation is buggy and often puts the
5576 * completely wrong if_id in the header. go figure. So, keep
5577 * track of the seqnum and use that if possible. Note: that's not
5578 * completely correct. It should really be done based on both the
5579 * activity_id and seqnum. I haven't seen anywhere that it would
5580 * make a difference, but for future reference...
5581 */
5584 /*
5585 * Packet type specific stuff is next.
5586 */
5591 /* Body is optional */
5592 /* XXX - we assume "frag_len" is the length of the body */
5598 /*
5599 * XXX - The DCE RPC 1.1 spec doesn't say the body is optional,
5600 * but in at least one capture none of the Cl_cancel PDUs had a
5601 * body.
5602 */
5603 /* XXX - we assume "frag_len" is the length of the body */
5609 /* Body is optional; if present, it's the same as PDU_FACK */
5610 /* XXX - we assume "frag_len" is the length of the body */
5616 /* Body is optional */
5617 /* XXX - we assume "frag_len" is the length of the body */
5635 /* these requests have no body */
5643 }
5646 }
5648 static void
5650 {
5651 /* structures and data for BIND */
5655 }
5658 }
5660 /* structures and data for CALL */
5663 }
5667 }
5670 /* structure and data for MATCHED */
5673 }
5676 /* call the registered hooks */
5678 }
5680 void
5682 {
5702 { "First Frag", "dcerpc.cn_flags.first_frag", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_FIRST_FRAG, NULL, HFILL }},
5704 { "Last Frag", "dcerpc.cn_flags.last_frag", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_LAST_FRAG, NULL, HFILL }},
5706 { "Cancel Pending", "dcerpc.cn_flags.cancel_pending", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_PENDING_CANCEL, NULL, HFILL }},
5708 { "Reserved", "dcerpc.cn_flags.reserved", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_RESERVED_1, NULL, HFILL }},
5710 { "Multiplex", "dcerpc.cn_flags.mpx", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_CONC_MPX, NULL, HFILL }},
5712 { "Did Not Execute", "dcerpc.cn_flags.dne", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_DID_NOT_EXECUTE, NULL, HFILL }},
5714 { "Maybe", "dcerpc.cn_flags.maybe", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_MAYBE, NULL, HFILL }},
5716 { "Object", "dcerpc.cn_flags.object", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFC_OBJECT_UUID, NULL, HFILL }},
5720 { "Byte order", "dcerpc.drep.byteorder", FT_UINT8, BASE_DEC, VALS(drep_byteorder_vals), 0x0, NULL, HFILL }},
5722 { "Character", "dcerpc.drep.character", FT_UINT8, BASE_DEC, VALS(drep_character_vals), 0x0, NULL, HFILL }},
5724 { "Floating-point", "dcerpc.drep.fp", FT_UINT8, BASE_DEC, VALS(drep_fp_vals), 0x0, NULL, HFILL }},
5744 { "Num Trans Items", "dcerpc.cn_num_trans_items", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5746 { "Abstract Syntax", "dcerpc.cn_bind_abstract_syntax", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
5752 { "Interface Ver Minor", "dcerpc.cn_bind_if_ver_minor", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5760 { "Security Context Multiplexing Supported", "dcerpc.cn_bind_trans_btfn.01", FT_BOOLEAN, 8, TFS(&tfs_set_notset), 0x01, NULL, HFILL }},
5762 { "Keep Connection On Orphan Supported", "dcerpc.cn_bind_trans_btfn.02", FT_BOOLEAN, 8, TFS(&tfs_set_notset), 0x02, NULL, HFILL }},
5772 { "Ack result", "dcerpc.cn_ack_result", FT_UINT16, BASE_DEC, VALS(p_cont_result_vals), 0x0, NULL, HFILL }},
5774 { "Ack reason", "dcerpc.cn_ack_reason", FT_UINT16, BASE_DEC, VALS(p_provider_reason_vals), 0x0, NULL, HFILL }},
5780 { "Bind Time Feature Negotiation Bitmask", "dcerpc.cn_ack_btfn", FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }},
5782 { "Reject reason", "dcerpc.cn_reject_reason", FT_UINT16, BASE_DEC, VALS(reject_reason_vals), 0x0, NULL, HFILL }},
5784 { "Number of protocols", "dcerpc.cn_num_protocols", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5786 { "Protocol major version", "dcerpc.cn_protocol_ver_major", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5788 { "Protocol minor version", "dcerpc.cn_protocol_ver_minor", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5792 { "Status", "dcerpc.cn_status", FT_UINT32, BASE_HEX, VALS(reject_status_vals), 0x0, NULL, HFILL }},
5794 { "Desegmentation Required", "dcerpc.cn_deseg_req", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5796 { "Auth type", "dcerpc.auth_type", FT_UINT8, BASE_DEC, VALS(authn_protocol_vals), 0x0, NULL, HFILL }},
5798 { "Auth level", "dcerpc.auth_level", FT_UINT8, BASE_DEC, VALS(authn_level_vals), 0x0, NULL, HFILL }},
5808 { "Reserved", "dcerpc.dg_flags1_rsrvd_01", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_RESERVED_01, NULL, HFILL }},
5810 { "Last Fragment", "dcerpc.dg_flags1_last_frag", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_LASTFRAG, NULL, HFILL }},
5812 { "Fragment", "dcerpc.dg_flags1_frag", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_FRAG, NULL, HFILL }},
5814 { "No Fack", "dcerpc.dg_flags1_nofack", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_NOFACK, NULL, HFILL }},
5816 { "Maybe", "dcerpc.dg_flags1_maybe", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_MAYBE, NULL, HFILL }},
5818 { "Idempotent", "dcerpc.dg_flags1_idempotent", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_IDEMPOTENT, NULL, HFILL }},
5820 { "Broadcast", "dcerpc.dg_flags1_broadcast", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_BROADCAST, NULL, HFILL }},
5822 { "Reserved", "dcerpc.dg_flags1_rsrvd_80", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL1_RESERVED_80, NULL, HFILL }},
5826 { "Reserved", "dcerpc.dg_flags2_rsrvd_01", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_01, NULL, HFILL }},
5828 { "Cancel Pending", "dcerpc.dg_flags2_cancel_pending", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_CANCEL_PENDING, NULL, HFILL }},
5830 { "Reserved", "dcerpc.dg_flags2_rsrvd_04", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_04, NULL, HFILL }},
5832 { "Reserved", "dcerpc.dg_flags2_rsrvd_08", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_08, NULL, HFILL }},
5834 { "Reserved", "dcerpc.dg_flags2_rsrvd_10", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_10, NULL, HFILL }},
5836 { "Reserved", "dcerpc.dg_flags2_rsrvd_20", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_20, NULL, HFILL }},
5838 { "Reserved", "dcerpc.dg_flags2_rsrvd_40", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_40, NULL, HFILL }},
5840 { "Reserved", "dcerpc.dg_flags2_rsrvd_80", FT_BOOLEAN, 8, TFS(&tfs_set_notset), PFCL2_RESERVED_80, NULL, HFILL }},
5854 { "Auth proto", "dcerpc.dg_auth_proto", FT_UINT8, BASE_DEC, VALS(authn_protocol_vals), 0x0, NULL, HFILL }},
5858 { "Server boot time", "dcerpc.dg_server_boot", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, NULL, HFILL }},
5862 { "Protection Level", "dcerpc.krb5_av.prot_level", FT_UINT8, BASE_DEC, VALS(authn_level_vals), 0x0, NULL, HFILL }},
5864 { "Key Version Number", "dcerpc.krb5_av.key_vers_num", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5866 { "Authentication Verifier", "dcerpc.krb5_av.auth_verifier", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }},
5883 { "Server accepting cancels", "dcerpc.server_accepting_cancels", FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }},
5895 { "Max Frag Size", "dcerpc.fack_max_frag_size", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5901 { "Selective ACK Len", "dcerpc.fack_selack_len", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5907 { "Status", "dcerpc.dg_status", FT_UINT32, BASE_HEX, VALS(reject_status_vals), 0x0, NULL, HFILL }},
5910 { "Max Count", "dcerpc.array.max_count", FT_UINT32, BASE_DEC, NULL, 0x0, "Maximum Count: Number of elements in the array", HFILL }},
5913 { "Offset", "dcerpc.array.offset", FT_UINT32, BASE_DEC, NULL, 0x0, "Offset for first element in array", HFILL }},
5916 { "Actual Count", "dcerpc.array.actual_count", FT_UINT32, BASE_DEC, NULL, 0x0, "Actual Count: Actual number of elements in the array", HFILL }},
5919 { "Buffer", "dcerpc.array.buffer", FT_BYTES, BASE_NONE, NULL, 0x0, "Buffer: Buffer containing elements of the array", HFILL }},
5937 { "Conflicting data in fragment overlap", "dcerpc.fragment.overlap.conflict", FT_BOOLEAN, BASE_NONE,
5962 NULL, 0x0, "The DCE/RPC PDU is completely reassembled in the packet with this number", HFILL }},
5969 { "Unknown DCERPC interface id", "dcerpc.unknown_if_id", FT_BOOLEAN, BASE_NONE, NULL, 0x0, NULL, HFILL }},
5974 {"None", "dcerpc.cn_rts_flags.none", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_NONE, NULL, HFILL }},
5976 { "Ping", "dcerpc.cn_rts.flags.ping", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_PING, NULL, HFILL }},
5978 { "Other Cmd", "dcerpc.cn_rts_flags.other_cmd", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_OTHER_CMD, NULL, HFILL }},
5980 { "Recycle Channel", "dcerpc.cn_rts_flags.recycle_channel", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_RECYCLE_CHANNEL, NULL, HFILL }},
5982 { "In Channel", "dcerpc.cn_rts_flags.in_channel", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_IN_CHANNEL, NULL, HFILL }},
5984 { "Out Channel", "dcerpc.cn_rts_flags.out_channel", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_OUT_CHANNEL, NULL, HFILL }},
5986 { "EOF", "dcerpc.cn_rts_flags.eof", FT_BOOLEAN, 8, TFS(&tfs_set_notset), RTS_FLAG_EOF, NULL, HFILL }},
5988 { "RTS Number of Commands", "dcerpc.cn_rts_commands_nb", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
5990 { "RTS Command", "dcerpc.cn_rts_command", FT_UINT32, BASE_HEX, VALS(rts_command_vals), 0x0, NULL, HFILL }},
5992 {"Receive Window Size", "dcerpc.cn_rts_command.receivewindowsize", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
5994 {"Bytes Received", "dcerpc.cn_rts_command.fack.bytesreceived", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
5996 {"Available Window", "dcerpc.cn_rts_command.fack.availablewindow", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
5998 {"Channel Cookie", "dcerpc.cn_rts_command.fack.channelcookie", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
6000 {"Connection Timeout", "dcerpc.cn_rts_command.connectiontimeout", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
6004 {"Channel Lifetime", "dcerpc.cn_rts_command.channellifetime", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
6006 {"Client Keepalive", "dcerpc.cn_rts_command.clientkeepalive", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
6010 {"Conformance Count", "dcerpc.cn_rts_command.padding.conformancecount", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
6012 { "Padding", "dcerpc.cn_rts_command.padding.padding", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL}},
6014 { "Address Type", "dcerpc.cn_rts_command.addrtype", FT_UINT32, BASE_DEC, VALS(rts_addresstype_vals), 0x0, NULL, HFILL }},
6016 {"Association Group ID", "dcerpc.cn_rts_command.associationgroupid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
6018 {"Forward Destination", "dcerpc.cn_rts_command.forwarddestination", FT_UINT32, BASE_DEC, VALS(rts_forward_destination_vals), 0x0, NULL, HFILL }},
6020 {"Ping Traffic Sent Notify", "dcerpc.cn_rts_command.pingtrafficsentnotify", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }},
6021 };
6040 };
6044 { &ei_dcerpc_fragment_reassembled, { "dcerpc.fragment_reassembled", PI_REASSEMBLE, PI_CHAT, "%s fragment, reassembled", EXPFILL }},
6045 { &ei_dcerpc_cn_ctx_id_no_bind, { "dcerpc.cn_ctx_id.no_bind", PI_UNDECODED, PI_NOTE, "No bind info for interface Context ID %u - capture start too late?", EXPFILL }},
6046 { &ei_dcerpc_no_request_found, { "dcerpc.no_request_found", PI_SEQUENCE, PI_NOTE, "No request to this DCE/RPC call found", EXPFILL }},
6047 { &ei_dcerpc_cn_status, { "dcerpc.cn_status.expert", PI_RESPONSE_CODE, PI_NOTE, "Fault: %s", EXPFILL }},
6048 { &ei_dcerpc_fragment_multiple, { "dcerpc.fragment_multiple", PI_SEQUENCE, PI_CHAT, "Multiple DCE/RPC fragments/PDU's in one packet", EXPFILL }},
6049 { &ei_dcerpc_context_change, { "dcerpc.context_change", PI_SEQUENCE, PI_CHAT, "Context change: %s", EXPFILL }},
6050 { &ei_dcerpc_bind_not_acknowledged, { "dcerpc.bind_not_acknowledged", PI_SEQUENCE, PI_WARN, "Bind not acknowledged", EXPFILL }},
6051 };
6056 proto_dcerpc = proto_register_protocol("Distributed Computing Environment / Remote Procedure Call (DCE/RPC)", "DCERPC", "dcerpc");
6067 "Whether the DCE/RPC dissector should reassemble messages"
6068 " spanning multiple TCP segments."
6069 " To use this option, you must also enable"
6082 }
6084 void
6086 {
6102 }
6104 /*
6105 * Editor modelines - http://www.wireshark.org/tools/modelines.html
6106 *
6107 * Local variables:
6108 * c-basic-offset: 4
6109 * tab-width: 8
6110 * indent-tabs-mode: nil
6111 * End:
6112 *
6113 * vi: set shiftwidth=4 tabstop=8 expandtab:
6114 * :indentSize=4:tabSize=8:noTabs=true:
6115 */