diff options
Diffstat (limited to 'epan/dissectors/pidl/witness')
-rw-r--r-- | epan/dissectors/pidl/witness/witness.cnf | 240 | ||||
-rw-r--r-- | epan/dissectors/pidl/witness/witness.idl | 152 |
2 files changed, 392 insertions, 0 deletions
diff --git a/epan/dissectors/pidl/witness/witness.cnf b/epan/dissectors/pidl/witness/witness.cnf new file mode 100644 index 00000000..76d255e4 --- /dev/null +++ b/epan/dissectors/pidl/witness/witness.cnf @@ -0,0 +1,240 @@ +MANUAL witness_dissect_element_interfaceInfo_group_name +NOEMIT witness_dissect_element_interfaceInfo_group_name +MANUAL witness_dissect_struct_notifyResponse +MANUAL witness_dissect_element_notifyResponse_messages +NOEMIT witness_dissect_element_notifyResponse_messages +MANUAL witness_dissect_struct_IPaddrInfoList +NOEMIT witness_dissect_struct_IPaddrInfoList +NOEMIT witness_dissect_element_IPaddrInfoList_addr + +HF_FIELD hf_witness_witness_notifyResponse_messages_ "Messages" "witness.witness_notifyResponse.messages_" FT_NONE BASE_NONE NULL 0 "" "" "" + +TYPE ipv4address "offset=PIDL_dissect_ipv4address(tvb, offset, pinfo, tree, di, drep, @HF@, PIDL_SET_COL_INFO);" FT_IPv4 BASE_NONE 0 NULL 4 + +TYPE ipv6address "offset=PIDL_dissect_ipv6address(tvb, offset, pinfo, tree, di, drep, @HF@, PIDL_SET_COL_INFO);" FT_IPv6 BASE_NONE 0 NULL 2 + +CODE START + + #include "to_str.h" + +static int +witness_dissect_notifyResponse_message(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_); + +static int +witness_dissect_notifyResponse_message_(tvbuff_t *tvb, int offset, int length _U_, packet_info *pinfo, + proto_tree *tree, dcerpc_info *di, guint8 *drep _U_) +{ + guint32 *type = (guint32 *)di->private_data; + guint8 le_drep[4] = { DREP_LITTLE_ENDIAN, }; + return witness_dissect_notifyResponse_message(tvb, offset, pinfo, tree, di, le_drep, + hf_witness_witness_notifyResponse_messages_, *type); +} + +static int +witness_dissect_element_notifyResponse_messages(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info *di _U_, guint8 *drep _U_) +{ + offset = dissect_ndr_ucarray_block(tvb, offset, pinfo, tree, di, drep, + witness_dissect_notifyResponse_message_); + return offset; +} + +int +witness_dissect_struct_notifyResponse(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_) +{ + guint32 *type = NULL; + proto_item *item = NULL; + proto_tree *tree = NULL; + int old_offset; + + ALIGN_TO_4_BYTES; + + ALIGN_TO_4_BYTES; + + old_offset = offset; + + if (parent_tree) { + item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA); + tree = proto_item_add_subtree(item, ett_witness_witness_notifyResponse); + } + + type = wmem_new0(pinfo->pool, guint32); + + offset = witness_dissect_element_notifyResponse_type(tvb, offset, pinfo, tree, di, drep, type); + + offset = witness_dissect_element_notifyResponse_length(tvb, offset, pinfo, tree, di, drep); + + offset = witness_dissect_element_notifyResponse_num(tvb, offset, pinfo, tree, di, drep); + + di->private_data = type; + offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, + witness_dissect_element_notifyResponse_messages, + NDR_POINTER_UNIQUE, "Pointer to Message Buffer (uint8)", + hf_witness_witness_notifyResponse_messages); + + proto_item_set_len(item, offset-old_offset); + + if (di->call_data->flags & DCERPC_IS_NDR64) { + ALIGN_TO_4_BYTES; + } + + return offset; +} + +static int +witness_dissect_element_IPaddrInfoList_addr(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info* di _U_, guint8 *drep _U_) +{ + offset = witness_dissect_struct_IPaddrInfo(tvb,offset,pinfo,tree,di,drep,hf_witness_witness_IPaddrInfoList_addr,0); + + return offset; +} + +int +witness_dissect_struct_IPaddrInfoList(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, dcerpc_info* di _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_) +{ + proto_item *item = NULL; + proto_tree *tree = NULL; + gboolean oldalign = di->no_align; + int old_offset; + guint32 i, num; + + di->no_align = TRUE; + + old_offset = offset; + + if (parent_tree) { + item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, ENC_NA); + tree = proto_item_add_subtree(item, ett_witness_witness_IPaddrInfoList); + } + + offset = witness_dissect_element_IPaddrInfoList_length(tvb, offset, pinfo, tree, di, drep); + + offset = witness_dissect_element_IPaddrInfoList_reserved(tvb, offset, pinfo, tree, di, drep); + + num = tvb_get_letohl(tvb, offset); + + offset = witness_dissect_element_IPaddrInfoList_num(tvb, offset, pinfo, tree, di, drep); + + for (i = 0; i < num; i++) { + offset = witness_dissect_element_IPaddrInfoList_addr(tvb, offset, pinfo, tree, di, drep); + } + + proto_item_set_len(item, offset-old_offset); + + di->no_align = oldalign; + + return offset; +} + +static int +witness_dissect_element_interfaceInfo_group_name(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *parent_tree, dcerpc_info *di _U_, guint8 *drep _U_) +{ + int totlen, stringlen; + char *str; + proto_item *pi; + + /* + * XXX - this is described as + * + * [charset(UTF16),to_null] uint16 group_name[260]; + * + * I haven't found any documentation for what "to_null" means + * in PIDL; is this a null-padded 260*2-byte array, so that + * strings can be up to 260 16-bit units in length, or is + * it a null-*terminated* string, so that it can be up to 259 + * 16-bit units in length? + * + * We assume it's null-padded, for now, and scan for a 2-byte + * null terminator within the 260 2-byte units, and use + * that as the length, with the length being 2*260 if there + * isn't one. + * + * This will result in totlen being the total length, in + * bytes, of the string, including the null terminator, if + * present, and stringlen being the total length, in bytes. + * not counting any null terminator. + */ + totlen = 0; + stringlen = 0; + while (totlen < 2*260) { + /* + * These 2 bytes are either part of the string + * or part of the null terminator, so count + * them. + */ + totlen += 2; + if (tvb_get_letohs(tvb, offset + stringlen) == 0) + break; + /* + * Those 2 bytes are part of the string, so + * count them. + */ + stringlen += 2; + } + pi = proto_tree_add_item_ret_display_string(parent_tree, + hf_witness_witness_interfaceInfo_group_name, tvb, offset, stringlen, + ENC_UTF_16|ENC_LITTLE_ENDIAN, + pinfo->pool, &str); + proto_item_append_text(pi, " [%d]", totlen); + proto_item_append_text(parent_tree, ": %s", str); + + /* + * All 260 16-bit units are part of the field, as they're always + * there even if they don't need to be. + */ + return offset + 2*260; +} + +static int +PIDL_dissect_ipv4address(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep _U_, int hfindex, guint32 param) +{ + if (di->conformant_run) { + /* just a run to handle conformant arrays, no scalars to dissect */ + return offset; + } + + + if (!di->no_align && (offset % 4)) { + offset += 4 - (offset % 4); + } + + proto_tree_add_item(tree, hfindex, tvb, offset, 4, ENC_BIG_ENDIAN); + + if (param & PIDL_SET_COL_INFO) { + const char *ip = tvb_ip_to_str(pinfo->pool, tvb, offset); + header_field_info *hf_info = proto_registrar_get_nth(hfindex); + + proto_item_append_text(proto_tree_get_parent(tree), " %s:%s", hf_info->name, ip); + + col_append_fstr(pinfo->cinfo, COL_INFO," %s:%s", hf_info->name, ip); + } + return offset + 4; +} + +static int +PIDL_dissect_ipv6address(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep _U_, int hfindex, guint32 param) +{ + if (di->conformant_run) { + /* just a run to handle conformant arrays, no scalars to dissect */ + return offset; + } + + + if (!di->no_align && (offset % 2)) { + offset += 2 - (offset % 2); + } + + proto_tree_add_item(tree, hfindex, tvb, offset, 16, ENC_BIG_ENDIAN); + + if (param & PIDL_SET_COL_INFO) { + const char *ip = tvb_ip6_to_str(pinfo->pool, tvb, offset); + header_field_info *hf_info = proto_registrar_get_nth(hfindex); + + proto_item_append_text(proto_tree_get_parent(tree), " %s:%s", hf_info->name, ip); + + col_append_fstr(pinfo->cinfo, COL_INFO," %s:%s", hf_info->name, ip); + } + + return offset + 16; +} + +CODE END diff --git a/epan/dissectors/pidl/witness/witness.idl b/epan/dissectors/pidl/witness/witness.idl new file mode 100644 index 00000000..ecfa1af8 --- /dev/null +++ b/epan/dissectors/pidl/witness/witness.idl @@ -0,0 +1,152 @@ +#include "idl_types.h" + +import "misc/misc.idl"; + +[ + uuid("ccd8c074-d0e5-4a40-92b4-d074faa6ba28"), + version(1.1), + pointer_default(unique), + helpstring("SMB Witness Service"), + helper("../librpc/ndr/ndr_witness.h"), + endpoint("ncacn_ip_tcp:") +] +interface witness +{ + typedef [v1_enum] enum { + WITNESS_V1 = 0x00010001, + WITNESS_V2 = 0x00020000, + WITNESS_UNSPECIFIED_VERSION = 0xFFFFFFFF + } witness_version; + + /*****************/ + /* Function 0x00 */ + + typedef [enum16bit] enum { + WITNESS_STATE_UNKNOWN = 0x00, + WITNESS_STATE_AVAILABLE = 0x01, + WITNESS_STATE_UNAVAILABLE = 0xff + } witness_interfaceInfo_state; + + typedef [bitmap32bit] bitmap { + WITNESS_INFO_IPv4_VALID = 0x01, + WITNESS_INFO_IPv6_VALID = 0x02, + WITNESS_INFO_WITNESS_IF = 0x04 + } witness_interfaceInfo_flags; + + typedef struct { + [charset(UTF16),to_null] uint16 group_name[260]; + witness_version version; + witness_interfaceInfo_state state; + [flag(NDR_BIG_ENDIAN)] ipv4address ipv4; + [flag(NDR_BIG_ENDIAN)] ipv6address ipv6; + witness_interfaceInfo_flags flags; + } witness_interfaceInfo; + + typedef struct { + uint32 num_interfaces; + [size_is(num_interfaces)] witness_interfaceInfo *interfaces; + } witness_interfaceList; + + [public] WERROR witness_GetInterfaceList( + [out] witness_interfaceList **interface_list + ); + + /*****************/ + /* Function 0x01 */ + + [public] WERROR witness_Register( + [out,ref] policy_handle *context_handle, + [in] witness_version version, + [in,unique,string,charset(UTF16)] uint16 *net_name, + [in,unique,string,charset(UTF16)] uint16 *ip_address, + [in,unique,string,charset(UTF16)] uint16 *client_computer_name + ); + + /*****************/ + /* Function 0x02 */ + + [public] WERROR witness_UnRegister( + [in] policy_handle context_handle + ); + + /*****************/ + /* Function 0x03 */ + + typedef [v1_enum,public] enum { + WITNESS_NOTIFY_RESOURCE_CHANGE = 1, + WITNESS_NOTIFY_CLIENT_MOVE = 2, + WITNESS_NOTIFY_SHARE_MOVE = 3, + WITNESS_NOTIFY_IP_CHANGE = 4 + } witness_notifyResponse_type; + + typedef [v1_enum] enum { + WITNESS_RESOURCE_STATE_UNKNOWN = 0x00, + WITNESS_RESOURCE_STATE_AVAILABLE = 0x01, + WITNESS_RESOURCE_STATE_UNAVAILABLE = 0xff + } witness_ResourceChange_type; + + typedef [flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN),gensize,public] struct { + [value(ndr_size_witness_ResourceChange(r,ndr->flags))] uint32 length; + witness_ResourceChange_type type; + nstring name; + } witness_ResourceChange; + + typedef [bitmap32bit] bitmap { + WITNESS_IPADDR_V4 = 0x01, + WITNESS_IPADDR_V6 = 0x02, + WITNESS_IPADDR_ONLINE = 0x08, + WITNESS_IPADDR_OFFLINE = 0x10 + } witness_IPaddrInfo_flags; + + typedef [flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN),gensize] struct { + witness_IPaddrInfo_flags flags; + ipv4address ipv4; + ipv6address ipv6; + } witness_IPaddrInfo; + + typedef [flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN)] struct { + [value(r->num*ndr_size_witness_IPaddrInfo(r->addr, ndr->flags))] uint32 length; + [value(0)] uint32 reserved; + uint32 num; + witness_IPaddrInfo addr[num]; + } witness_IPaddrInfoList; + + typedef [public,switch_type(witness_notifyResponse_type),nodiscriminant, flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN)] union { + [case(WITNESS_NOTIFY_RESOURCE_CHANGE)] witness_ResourceChange resource_change; + [case(WITNESS_NOTIFY_CLIENT_MOVE)] witness_IPaddrInfoList client_move; + [case(WITNESS_NOTIFY_SHARE_MOVE)] witness_IPaddrInfoList share_move; + [case(WITNESS_NOTIFY_IP_CHANGE)] witness_IPaddrInfoList ip_change; + [default,flag(NDR_REMAINING)] DATA_BLOB data; + } witness_notifyResponse_message; + + typedef [flag(NDR_PAHEX),gensize,public,nopush,nopull] struct { + witness_notifyResponse_type type; + [value(ndr_size_witness_notifyResponse(r, ndr->flags)-20)] uint32 length; + uint32 num; + [subcontext(4), subcontext_size(length), flag(NDR_REMAINING), switch_is(type)] witness_notifyResponse_message messages[num]; + } witness_notifyResponse; + + [public] WERROR witness_AsyncNotify( + [in] policy_handle context_handle, + [out] witness_notifyResponse **response + ); + + /*****************/ + /* Function 0x04 */ + + typedef [bitmap32bit] bitmap { + WITNESS_REGISTER_NONE = 0x00, + WITNESS_REGISTER_IP_NOTIFICATION = 0x01 + } witness_RegisterEx_flags; + + WERROR witness_RegisterEx( + [out,ref] policy_handle *context_handle, + [in] witness_version version, + [in,unique,string,charset(UTF16)] uint16 *net_name, + [in,unique,string,charset(UTF16)] uint16 *share_name, + [in,unique,string,charset(UTF16)] uint16 *ip_address, + [in,unique,string,charset(UTF16)] uint16 *client_computer_name, + [in] witness_RegisterEx_flags flags, + [in] uint32 timeout + ); +} |