2 * Routines for DCOM OXID Resolver
3 * Copyright 2001, Todd Sabin <tas@webspan.net>
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
26 /* see packet-dcom.c for details about DCOM */
35 #include <epan/packet.h>
36 #include "packet-dcerpc.h"
37 #include "packet-dcom.h"
/* Registration handles for the OXID resolver dissector. Every handle starts
 * at -1; proto_oxid is assigned by proto_register_protocol() in
 * proto_register_oxid(). */
39 static int proto_oxid = -1;
/* Header-field handles handed to the dissect_dcom_* and dissect_dcerpc_*
 * helpers; hf_oxid_opnum is the one passed to dcerpc_init_uuid(). */
41 static int hf_oxid_opnum = -1;
42 static int hf_oxid_setid = -1;
43 static int hf_oxid_seqnum = -1;
44 static int hf_oxid_addtoset = -1;
45 static int hf_oxid_delfromset = -1;
46 static int hf_oxid_oid = -1;
47 static int hf_oxid_ping_backoff_factor = -1;
48 static int hf_oxid_oxid = -1;
49 static int hf_oxid_requested_protseqs = -1;
50 static int hf_oxid_protseqs = -1;
51 static int hf_oxid_bindings = -1;
52 static int hf_oxid_ipid = -1;
53 static int hf_oxid_authn_hint = -1;
/* In the code of this file these three are used only by the ServerAlive2
 * response dissector. */
55 static int hf_oxid_Unknown1 = -1;
56 static int hf_oxid_Unknown2 = -1;
57 static int hf_oxid_ds_array = -1;
/* Subtree handle, passed to dcerpc_init_uuid() at handoff. */
60 static gint ett_oxid = -1;
/* Interface UUID and version under which the opnum table is registered with
 * the DCE/RPC dissector in proto_reg_handoff_oxid(). */
62 static e_uuid_t uuid_oxid = { 0x99fcfec4, 0x5260, 0x101b, { 0xbb, 0xcb, 0x00, 0xaa, 0x00, 0x21, 0x34, 0x7a } };
63 static guint16 ver_oxid = 0;
/* SimplePing request (opnum 1 in oxid_dissectors): hands the bytes at
 * `offset` to dissect_dcom_ID() and continues from the offset it returns.
 * tvb/pinfo/tree/drep are passed through unchanged to the helper. */
67 dissect_oxid_simple_ping_rqst(tvbuff_t *tvb, int offset,
68 packet_info *pinfo, proto_tree *tree, guint8 *drep)
70 offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep,
/* SimplePing response (opnum 1 in oxid_dissectors): dissects the HRESULT and
 * appends its name to the Info column. */
78 dissect_oxid_simple_ping_resp(tvbuff_t *tvb, int offset,
79 packet_info *pinfo, proto_tree *tree, guint8 *drep)
84 offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
/* The format string handed to col_append_fstr() is the literal " -> %s";
 * the packet-derived HRESULT only reaches it as the %s argument, after
 * val_to_str() has mapped it through dcom_hresult_vals or the
 * "Unknown (0x%08x)" fallback. */
87 if (check_col(pinfo->cinfo, COL_INFO)) {
88 col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s",
89 val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)") );
/* ServerAlive response (opnum 3 in oxid_dissectors; the request side has no
 * dissector): dissects the HRESULT and appends its name to the Info column. */
97 dissect_oxid_server_alive_resp(tvbuff_t *tvb, int offset,
98 packet_info *pinfo, proto_tree *tree, guint8 *drep)
103 offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
/* Literal format string; the HRESULT from the packet is rendered by
 * val_to_str() and only ever passed as the %s argument. */
106 if (check_col(pinfo->cinfo, COL_INFO)) {
107 col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s",
108 val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)") );
/* ComplexPing request (opnum 2 in oxid_dissectors). Dissects SetId, SeqNum,
 * AddToSet and DelFromSet, then two runs of pointer + array size + a list of
 * IDs, one run per counter. */
116 dissect_oxid_complex_ping_rqst(tvbuff_t *tvb, int offset,
117 packet_info *pinfo, proto_tree *tree, guint8 *drep)
121 guint16 u16DelFromSet;
123 guint32 u32ArraySize;
125 offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep,
126 hf_oxid_setid, NULL);
128 offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep,
129 hf_oxid_seqnum, &u16SeqNum);
130 offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep,
131 hf_oxid_addtoset, &u16AddToSet);
132 offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep,
133 hf_oxid_delfromset, &u16DelFromSet);
/* The summary must be written here: the loops further down post-decrement
 * both counters, so their packet values are gone afterwards. */
135 if (check_col(pinfo->cinfo, COL_INFO)) {
136 col_append_fstr(pinfo->cinfo, COL_INFO, " AddToSet=%u DelFromSet=%u",
137 u16AddToSet, u16DelFromSet);
/* Add list. The loop count is the AddToSet WORD taken from the packet, so a
 * sender controls it (at most 65535 iterations for a guint16).
 * NOTE(review): the lines shown do not compare the conformant array size
 * read here with AddToSet; a count larger than the data present presumably
 * ends in the tvbuff bounds check inside dissect_dcom_ID() - confirm. */
140 offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
143 offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep,
146 while (u16AddToSet--) {
147 offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep,
/* Delete list: same shape as the add list, driven by the DelFromSet WORD
 * from the packet. */
152 offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
155 offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep,
158 while (u16DelFromSet--) {
159 offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep,
/* ComplexPing response (opnum 2 in oxid_dissectors): dissects SetId, the
 * PingBackoffFactor WORD and the HRESULT, then appends the HRESULT name to
 * the Info column. */
169 dissect_oxid_complex_ping_resp(tvbuff_t *tvb, int offset,
170 packet_info *pinfo, proto_tree *tree, guint8 *drep)
172 guint16 u16PingBackoffFactor;
176 offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep,
177 hf_oxid_setid, NULL);
178 offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep,
179 hf_oxid_ping_backoff_factor, &u16PingBackoffFactor);
181 offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
/* Literal format string; the HRESULT from the packet is rendered by
 * val_to_str() and only ever passed as the %s argument. */
184 if (check_col(pinfo->cinfo, COL_INFO)) {
185 col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s",
186 val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)") );
/* ResolveOxid2 request (opnum 4 in oxid_dissectors): dissects an ID, the
 * RequestedProtSeq WORD, an array size, and then one ProtSeq WORD per array
 * element. */
194 dissect_oxid_resolve_oxid2_rqst(tvbuff_t *tvb, int offset,
195 packet_info *pinfo, proto_tree *tree, guint8 *drep)
198 guint32 u32ArraySize;
202 offset = dissect_dcom_ID(tvb, offset, pinfo, tree, drep,
205 offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep,
206 hf_oxid_requested_protseqs, &u16ProtSeqs);
/* The loop below runs u32ArraySize times, a 32-bit count. u16ProtSeqs is
 * reused as the scratch output for every element.
 * NOTE(review): u32ArraySize is presumably filled from the packet by the
 * array-size call; no upper bound is applied in the lines shown, so ending
 * the loop on a short or hostile packet presumably relies on the tvbuff
 * bounds check inside dissect_dcom_WORD() - confirm. */
208 offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep,
212 while (u32ArraySize--) {
213 offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, drep,
214 hf_oxid_protseqs, &u16ProtSeqs);
/* ResolveOxid2 response (opnum 4 in oxid_dissectors). Dissects, in order: a
 * pointer, an array size, the OxidBindings DUALSTRINGARRAY, the IPID, the
 * AuthnHint DWORD, the COM version and the HRESULT; the HRESULT name is then
 * appended to the Info column. */
223 dissect_oxid_resolve_oxid2_resp(tvbuff_t *tvb, int offset,
224 packet_info *pinfo, proto_tree *tree, guint8 *drep)
227 guint32 u32ArraySize;
229 guint32 u32AuthnHint;
230 guint16 u16VersionMajor;
231 guint16 u16VersionMinor;
235 offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep,
238 offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep,
/* The bindings are added to the tree only; NULL is passed as the last
 * argument, so nothing from them is captured into a local here. */
241 offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, tree, drep,
242 hf_oxid_bindings, NULL);
244 offset = dissect_dcom_UUID(tvb, offset, pinfo, tree, drep,
245 hf_oxid_ipid, &ipid);
247 offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, drep,
248 hf_oxid_authn_hint, &u32AuthnHint);
250 offset = dissect_dcom_COMVERSION(tvb, offset, pinfo, tree, drep,
251 &u16VersionMajor, &u16VersionMinor);
254 offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep,
/* Literal format string; the HRESULT from the packet is rendered by
 * val_to_str() and only ever passed as the %s argument. */
257 if (check_col(pinfo->cinfo, COL_INFO)) {
258 col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s",
259 val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)") );
/* ServerAlive2 response (opnum 5 in oxid_dissectors; the request side has no
 * dissector). Dissects the COM version, an 8-byte field of unknown meaning,
 * a DUALSTRINGARRAY and a second unknown 8-byte field. */
267 dissect_oxid_server_alive2_resp(tvbuff_t *tvb, int offset, packet_info *pinfo,
268 proto_tree *tree, guint8 *drep) {
269 guint16 u16VersionMajor;
270 guint16 u16VersionMinor;
272 offset = dissect_dcom_COMVERSION(tvb, offset, pinfo, tree, drep, &u16VersionMajor, &u16VersionMinor);
/* NOTE(review): unlike the other calls in this function, the return value
 * of dissect_dcerpc_uint64() is discarded on this line. `offset` has to be
 * advanced past the 8 bytes some other way before the DUALSTRINGARRAY is
 * dissected - confirm against the full source. */
274 /* XXX - understand what those 8 bytes mean! don't skip'em!*/
275 dissect_dcerpc_uint64(tvb , offset, pinfo, tree, drep, hf_oxid_Unknown1, NULL);
/* DUALSTRINGARRAY registered under hf_oxid_ds_array - presumably the
 * resolver's string and security bindings; see packet-dcom.c to confirm. */
278 offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, tree, drep, hf_oxid_ds_array, NULL);
/* Return value discarded here as well; the same offset caveat applies. */
280 /* unknown field 2 */
281 dissect_dcerpc_uint64(tvb, offset, pinfo, tree, drep, hf_oxid_Unknown2, NULL);
/* Opnum dispatch table handed to dcerpc_init_uuid(). Each row is
 * { opnum, name, request dissector, response dissector }; a NULL slot means
 * that direction has no dissector in this file. Opnum 0 (ResolveOxid) has
 * neither. The { 0, NULL, NULL, NULL } row ends the table. */
287 /* XXX - some dissectors still need to be done */
288 static dcerpc_sub_dissector oxid_dissectors[] = {
289 { 0, "ResolveOxid", NULL, NULL },
290 { 1, "SimplePing", dissect_oxid_simple_ping_rqst, dissect_oxid_simple_ping_resp },
291 { 2, "ComplexPing", dissect_oxid_complex_ping_rqst, dissect_oxid_complex_ping_resp },
292 { 3, "ServerAlive", NULL /* no input parameters */, dissect_oxid_server_alive_resp },
293 { 4, "ResolveOxid2", dissect_oxid_resolve_oxid2_rqst, dissect_oxid_resolve_oxid2_resp },
294 { 5, "ServerAlive2", NULL, dissect_oxid_server_alive2_resp },
295 { 0, NULL, NULL, NULL },
/* Registers the protocol ("DCOM OXID Resolver", short name "IOXIDResolver",
 * filter name "oxid"), its header fields (hf[]) and its subtree array (ett[]).
 *
 * NOTE(review): the field abbreviations in hf[] do not share one prefix or
 * separator: "oxid.opnum", underscore forms such as "oxid_setid" and
 * "oxid_oid", "dcom.oxid.address", and "oxid5.unknown1" / "oxid5.unknown2".
 * Display filters and capture-analysis rules have to use these exact
 * strings; renaming any of them changes the filter names users depend on. */
300 proto_register_oxid (void)
302 static hf_register_info hf[] = {
304 { "Operation", "oxid.opnum", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
307 { "SetId", "oxid_setid", FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }},
309 { "SeqNum", "oxid_seqnum", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
311 { "AddToSet", "oxid_addtoset", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
312 { &hf_oxid_delfromset,
313 { "DelFromSet", "oxid_delfromset", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
315 { "OID", "oxid_oid", FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }},
316 { &hf_oxid_ping_backoff_factor,
317 { "PingBackoffFactor", "oxid_ping_backoff_factor", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
319 { "OXID", "oxid_oxid", FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }},
321 { &hf_oxid_requested_protseqs,
322 { "RequestedProtSeq", "oxid_requested_protseqs", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
324 { "ProtSeq", "oxid_protseqs", FT_UINT16, BASE_DEC, VALS(dcom_protseq_vals), 0x0, NULL, HFILL }},
327 { "OxidBindings", "oxid_bindings", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
329 { "IPID", "oxid_ipid", FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }},
330 { &hf_oxid_authn_hint,
331 { "AuthnHint", "oxid_authn_hint", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
334 { "Address", "dcom.oxid.address", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
336 { "unknown 8 bytes 1", "oxid5.unknown1", FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }},
338 { "unknown 8 bytes 2", "oxid5.unknown2", FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }}
340 static gint *ett[] = {
343 proto_oxid = proto_register_protocol ("DCOM OXID Resolver", "IOXIDResolver", "oxid");
344 proto_register_field_array (proto_oxid, hf, array_length (hf));
345 proto_register_subtree_array (ett, array_length (ett));
/* Handoff step: registers the interface UUID and version (uuid_oxid,
 * ver_oxid) with the DCE/RPC dissector, together with the oxid_dissectors
 * opnum table, the subtree handle ett_oxid and the opnum field
 * hf_oxid_opnum. */
349 proto_reg_handoff_oxid (void)
351 /* Register the protocol as dcerpc */
352 dcerpc_init_uuid (proto_oxid, ett_oxid, &uuid_oxid, ver_oxid, oxid_dissectors, hf_oxid_opnum);