1 /* packet-dcerpc-oxid.c
2 * Routines for DCOM OXID Resolver
3 * Copyright 2001, Todd Sabin <tas@webspan.net>
5 * $Id: packet-dcerpc-oxid.c,v 1.11 2004/01/19 20:10:35 jmayer Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@ethereal.com>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
33 #include <epan/packet.h>
34 #include "packet-dcerpc.h"
35 #include "packet-dcerpc-dcom.h"
36 #include "packet-smb-common.h"
38 static int proto_oxid = -1;
40 static int hf_opnum = -1;
41 static int hf_COMVERSION_MjrVer = -1;
42 static int hf_COMVERSION_MnrVer = -1;
43 static int hf_wNumEntries = -1;
44 static int hf_wSecurityOffset = -1;
45 static int hf_wTowerId = -1;
46 static int hf_aNetworkAddr = -1;
47 static int hf_wAuthnSvc = -1;
48 static int hf_wAuthzSvc = -1;
49 static int hf_aPrinceName = -1;
50 static int hf_Unknown1 = -1;
51 static int hf_Unknown2 = -1;
53 static gint ett_oxid = -1;
55 static e_uuid_t uuid_oxid = { 0x99fcfec4, 0x5260, 0x101b, { 0xbb, 0xcb, 0x00, 0xaa, 0x00, 0x21, 0x34, 0x7a } };
56 static guint16 ver_oxid = 0;
59 authz_val2str(unsigned short authz) {
62 return "RPC_C_AUTHZ_NONE";
65 return "RPC_C_AUTHZ_NAME";
68 return "RPC_C_AUTHZ_DCE";
80 authn_val2str(unsigned short authn) {
83 return "RPC_C_AUTHN_NONE";
86 return "RPC_C_AUTHN_DCE_PRIVATE";
89 return "RPC_C_AUTHN_DCE_PUBLIC";
92 return "RPC_C_AUTHN_DEC_PUBLIC";
95 return "RPC_C_AUTHN_GSS_NEGOTIATE";
98 return "RPC_C_AUTH_WINNT";
101 return "RPC_C_AUTHN_GSS_SCHANNEL";
104 return "RPC_C_AUTHN_GSS_KERBEROS";
107 return "RPC_C_AUTHN_MSN";
110 return "RPC_C_AUTHN_DPA";
113 return "RPC_C_AUTHN_MQ";
116 return "RPC_C_AUTHN_DEFAULT";
125 towerid_val2str(unsigned short tower) {
128 return "NCACN_DNET_NSP";
131 return "NCACN_IP_TCP";
134 return "NCADG_IP_UDP";
141 return "NCACN_NB_IPX";
147 return "NCACN_NB_NB";
159 oxid_server_alive2_dissect_rply(tvbuff_t *tvb, int offset, packet_info *pinfo,
160 proto_tree *tree, guint8 *drep) {
162 DUALSTRINGARRAY stringarray;
163 STRINGBINDING stringbind;
164 SECURITYBINDING securitybind;
165 proto_item *bind_hdr, *entries_hdr, *sec_hdr;
166 proto_tree *bind_tree, *entries_tree, *sec_tree;
167 char *aNetworkAddr = NULL;
168 char *aPrinceName = NULL;
169 unsigned short string_len = 0;
170 unsigned short security_len = 0;
171 unsigned char unknown1[8];
172 unsigned char unknown2[8];
174 dissect_dcerpc_uint16(tvb, offset, pinfo, tree, drep, hf_COMVERSION_MjrVer, &comver.MajorVersion);
175 offset += sizeof(comver.MajorVersion);
177 dissect_dcerpc_uint16(tvb, offset, pinfo, tree, drep, hf_COMVERSION_MnrVer, &comver.MinorVersion);
178 offset += sizeof(comver.MinorVersion);
180 dissect_dcerpc_uint64(tvb , offset, pinfo, tree, drep, hf_Unknown1, unknown1);
182 offset += sizeof(unknown1); /*FIXME - understand what those 8 bytes mean! don't skip'em!*/
183 string_len = dcerpc_tvb_get_ntohs(tvb, offset, drep) * 2;
184 bind_hdr = proto_tree_add_text(tree, tvb, offset, (int)string_len, "DUALSTRINGARRAY structure");
185 bind_tree = proto_item_add_subtree(bind_hdr, 0);
187 dissect_dcerpc_uint16(tvb, offset, pinfo, bind_tree, drep, hf_wNumEntries, &stringarray.wNumEntries);
188 offset += sizeof(stringarray.wNumEntries);
190 security_len = dcerpc_tvb_get_ntohs(tvb, offset, drep) * 2;
191 dissect_dcerpc_uint16(tvb, offset, pinfo, bind_tree, drep, hf_wSecurityOffset, &stringarray.wSecurityOffset);
192 offset += sizeof(stringarray.wSecurityOffset);
194 entries_hdr = proto_tree_add_text(bind_tree, tvb, offset, (int)security_len, "STRING BINDING");
195 entries_tree = proto_item_add_subtree(entries_hdr, 0);
197 while(tvb_get_ntohs(tvb, offset) != 0) { /* check that this is not terminating zero */
199 stringbind.wTowerId = dcerpc_tvb_get_ntohs(tvb, offset, drep);
200 proto_tree_add_text(entries_tree, tvb, offset, sizeof(stringbind.wTowerId), "Network Protocol ('TowerID'): %s (0x%x)",towerid_val2str(stringbind.wTowerId), stringbind.wTowerId);
202 offset += sizeof(stringbind.wTowerId);
204 offset = display_unicode_string(tvb, entries_tree, offset, hf_aNetworkAddr, &aNetworkAddr);
206 offset += 2; /* hop over the extra terminating zero */
208 sec_hdr = proto_tree_add_text(bind_tree, tvb, offset, 0, "SECURITY BINDING");
209 sec_tree = proto_item_add_subtree(sec_hdr, 0);
211 while(tvb_get_ntohs(tvb, offset) != 0) {
212 securitybind.wAuthnSvc = dcerpc_tvb_get_ntohs(tvb, offset, drep);
213 proto_tree_add_text(sec_tree, tvb, offset, sizeof(securitybind.wAuthnSvc), "Authentication Service: %s (0x%x)",authn_val2str(securitybind.wAuthnSvc),securitybind.wAuthnSvc);
214 offset += sizeof(securitybind.wAuthnSvc);
216 securitybind.wAuthzSvc = dcerpc_tvb_get_ntohs(tvb, offset, drep);
217 proto_tree_add_text(sec_tree, tvb, offset, sizeof(securitybind.wAuthzSvc), "Authorization Service: %s (0x%x)",authz_val2str(securitybind.wAuthzSvc),securitybind.wAuthzSvc);
218 offset += sizeof(securitybind.wAuthzSvc);
220 offset = display_unicode_string(tvb, sec_tree, offset, hf_aPrinceName, &aPrinceName);
222 offset += 2; /* hop over the extra terminating zero */
224 dissect_dcerpc_uint64(tvb, offset, pinfo, tree, drep, hf_Unknown2, unknown2);
225 offset += sizeof(unknown2);
229 static dcerpc_sub_dissector oxid_dissectors[] = {
230 { 0, "ResolveOxid", NULL, NULL },
231 { 1, "SimplePing", NULL, NULL },
232 { 2, "ComplexPing", NULL, NULL },
233 { 3, "ServerAlive", NULL, NULL },
234 { 4, "ResolveOxid2", NULL, NULL },
235 { 5, "ServerAlive2", NULL, oxid_server_alive2_dissect_rply },
236 { 0, NULL, NULL, NULL },
240 proto_register_oxid (void)
242 static hf_register_info hf[] = {
244 { "Operation", "oxid.opnum", FT_UINT16, BASE_DEC,
245 NULL, 0x0, "", HFILL }},
246 { &hf_COMVERSION_MjrVer,
247 { "COM Major Version", "oxid5.com_mjr_ver", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
248 { &hf_COMVERSION_MnrVer,
249 { "COM Minor Version", "oxid5.com_mnr_ver", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
251 { "Total Entries length (in 16 bytes blocks)", "oxid5.NumEntries", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
252 { &hf_wSecurityOffset,
253 { "Offset of Security Binding (in 16 bytes blocks)", "oxid5.SecurityOffset", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
255 { "Network Protocol ('TowerID')", "oxid5.wTowerId", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
257 { "Network Address ('aNetworkAddr')", "oxid5.aNetworkAddr", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
259 { "Authentication Service", "oxid5.AuthnSvc", FT_UINT16, BASE_DEC, NULL, 0x0, "", HFILL }},
261 { "Autherization Service", "oxid5.AuthzSvc", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }},
263 { "aPrinceName", "oxid5.aPrinceName", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
265 { "unknown 8 bytes 1", "oxid5.unknown1", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }},
267 { "unknown 8 bytes 2", "oxid5.unknown2", FT_UINT64, BASE_HEX, NULL, 0x0, "", HFILL }},
269 static gint *ett[] = {
272 proto_oxid = proto_register_protocol ("DCOM OXID Resolver", "OXID", "oxid");
273 proto_register_field_array (proto_oxid, hf, array_length (hf));
274 proto_register_subtree_array (ett, array_length (ett));
278 proto_reg_handoff_oxid (void)
280 /* Register the protocol as dcerpc */
281 dcerpc_init_uuid (proto_oxid, ett_oxid, &uuid_oxid, ver_oxid, oxid_dissectors, hf_opnum);