2 * Routines for DCOM OXID Resolver
3 * Copyright 2001, Todd Sabin <tas@webspan.net>
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
26 /* see packet-dcom.c for details about DCOM */
33 #include <epan/packet.h>
34 #include "packet-dcerpc.h"
35 #include "packet-dcom.h"
37 static int proto_oxid = -1;
39 static int hf_oxid_opnum = -1;
40 static int hf_oxid_setid = -1;
41 static int hf_oxid_seqnum = -1;
42 static int hf_oxid_addtoset = -1;
43 static int hf_oxid_delfromset = -1;
44 static int hf_oxid_oid = -1;
45 static int hf_oxid_ping_backoff_factor = -1;
46 static int hf_oxid_oxid = -1;
47 static int hf_oxid_requested_protseqs = -1;
48 static int hf_oxid_protseqs = -1;
49 static int hf_oxid_bindings = -1;
50 static int hf_oxid_ipid = -1;
51 static int hf_oxid_authn_hint = -1;
53 static int hf_oxid_Unknown1 = -1;
54 static int hf_oxid_Unknown2 = -1;
55 static int hf_oxid_ds_array = -1;
58 static gint ett_oxid = -1;
60 static e_uuid_t uuid_oxid = { 0x99fcfec4, 0x5260, 0x101b, { 0xbb, 0xcb, 0x00, 0xaa, 0x00, 0x21, 0x34, 0x7a } };
61 static guint16 ver_oxid = 0;
65 dissect_oxid_simple_ping_rqst(tvbuff_t *tvb, int offset,
66 packet_info *pinfo, proto_tree *tree, guint8 *drep)
68 offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep,
76 dissect_oxid_simple_ping_resp(tvbuff_t *tvb, int offset,
77 packet_info *pinfo, proto_tree *tree, guint8 *drep)
82 offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
85 col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s",
86 val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)") );
93 dissect_oxid_server_alive_resp(tvbuff_t *tvb, int offset,
94 packet_info *pinfo, proto_tree *tree, guint8 *drep)
99 offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
102 col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s",
103 val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)") );
110 dissect_oxid_complex_ping_rqst(tvbuff_t *tvb, int offset,
111 packet_info *pinfo, proto_tree *tree, guint8 *drep)
115 guint16 u16DelFromSet;
117 guint32 u32ArraySize;
119 offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep,
120 hf_oxid_setid, NULL);
122 offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep,
123 hf_oxid_seqnum, &u16SeqNum);
124 offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep,
125 hf_oxid_addtoset, &u16AddToSet);
126 offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep,
127 hf_oxid_delfromset, &u16DelFromSet);
129 col_append_fstr(pinfo->cinfo, COL_INFO, " AddToSet=%u DelFromSet=%u",
130 u16AddToSet, u16DelFromSet);
132 offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
135 offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep,
138 while (u16AddToSet--) {
139 offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep,
144 offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
147 offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep,
150 while (u16DelFromSet--) {
151 offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep,
161 dissect_oxid_complex_ping_resp(tvbuff_t *tvb, int offset,
162 packet_info *pinfo, proto_tree *tree, guint8 *drep)
164 guint16 u16PingBackoffFactor;
168 offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep,
169 hf_oxid_setid, NULL);
170 offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep,
171 hf_oxid_ping_backoff_factor, &u16PingBackoffFactor);
173 offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
176 col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s",
177 val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)") );
184 dissect_oxid_resolve_oxid2_rqst(tvbuff_t *tvb, int offset,
185 packet_info *pinfo, proto_tree *tree, guint8 *drep)
188 guint32 u32ArraySize;
192 offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep,
195 offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep,
196 hf_oxid_requested_protseqs, &u16ProtSeqs);
198 offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep,
202 while (u32ArraySize--) {
203 offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep,
204 hf_oxid_protseqs, &u16ProtSeqs);
213 dissect_oxid_resolve_oxid2_resp(tvbuff_t *tvb, int offset,
214 packet_info *pinfo, proto_tree *tree, guint8 *drep)
217 guint32 u32ArraySize;
219 guint32 u32AuthnHint;
220 guint16 u16VersionMajor;
221 guint16 u16VersionMinor;
225 offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
228 offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep,
231 offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, tree, drep,
232 hf_oxid_bindings, NULL);
234 offset = dissect_dcom_UUID(tvb, offset, pinfo, tree, drep,
235 hf_oxid_ipid, &ipid);
237 offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, drep,
238 hf_oxid_authn_hint, &u32AuthnHint);
240 offset = dissect_dcom_COMVERSION(tvb, offset, pinfo, tree, drep,
241 &u16VersionMajor, &u16VersionMinor);
244 offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
247 col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s",
248 val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)") );
255 dissect_oxid_server_alive2_resp(tvbuff_t *tvb, int offset, packet_info *pinfo,
256 proto_tree *tree, guint8 *drep) {
257 guint16 u16VersionMajor;
258 guint16 u16VersionMinor;
260 offset = dissect_dcom_COMVERSION(tvb, offset, pinfo, tree, drep, &u16VersionMajor, &u16VersionMinor);
262 /* XXX - understand what those 8 bytes mean! don't skip'em!*/
263 dissect_dcerpc_uint64(tvb , offset, pinfo, tree, drep, hf_oxid_Unknown1, NULL);
266 offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, tree, drep, hf_oxid_ds_array, NULL);
268 /* unknown field 2 */
269 dissect_dcerpc_uint64(tvb, offset, pinfo, tree, drep, hf_oxid_Unknown2, NULL);
275 /* XXX - some dissectors still need to be done */
276 static dcerpc_sub_dissector oxid_dissectors[] = {
277 { 0, "ResolveOxid", NULL, NULL },
278 { 1, "SimplePing", dissect_oxid_simple_ping_rqst, dissect_oxid_simple_ping_resp },
279 { 2, "ComplexPing", dissect_oxid_complex_ping_rqst, dissect_oxid_complex_ping_resp },
280 { 3, "ServerAlive", NULL /* no input parameters */, dissect_oxid_server_alive_resp },
281 { 4, "ResolveOxid2", dissect_oxid_resolve_oxid2_rqst, dissect_oxid_resolve_oxid2_resp },
282 { 5, "ServerAlive2", NULL, dissect_oxid_server_alive2_resp },
283 { 0, NULL, NULL, NULL },
288 proto_register_oxid (void)
290 static hf_register_info hf[] = {
292 { "Operation", "oxid.opnum", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
295 { "SetId", "oxid.setid", FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }},
297 { "SeqNum", "oxid.seqnum", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
299 { "AddToSet", "oxid.addtoset", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
300 { &hf_oxid_delfromset,
301 { "DelFromSet", "oxid.delfromset", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
303 { "OID", "oxid.oid", FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }},
304 { &hf_oxid_ping_backoff_factor,
305 { "PingBackoffFactor", "oxid.ping_backoff_factor", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
307 { "OXID", "oxid.oxid", FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }},
309 { &hf_oxid_requested_protseqs,
310 { "RequestedProtSeq", "oxid.requested_protseqs", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
312 { "ProtSeq", "oxid.protseqs", FT_UINT16, BASE_DEC, VALS(dcom_protseq_vals), 0x0, NULL, HFILL }},
315 { "OxidBindings", "oxid.bindings", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
317 { "IPID", "oxid.ipid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
318 { &hf_oxid_authn_hint,
319 { "AuthnHint", "oxid.authn_hint", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
322 { "Address", "dcom.oxid.address", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
324 { "unknown 8 bytes 1", "oxid.unknown1", FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }},
326 { "unknown 8 bytes 2", "oxid.unknown2", FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }}
328 static gint *ett[] = {
331 proto_oxid = proto_register_protocol ("DCOM OXID Resolver", "IOXIDResolver", "oxid");
332 proto_register_field_array (proto_oxid, hf, array_length (hf));
333 proto_register_subtree_array (ett, array_length (ett));
337 proto_reg_handoff_oxid (void)
339 /* Register the protocol as dcerpc */
340 dcerpc_init_uuid (proto_oxid, ett_oxid, &uuid_oxid, ver_oxid, oxid_dissectors, hf_oxid_opnum);