# ldap.cnf # LDAP conformation file # Copyright 2005 Anders Broman #.OMIT_ASSIGNMENT DirSyncFlagsSubEntry PasswdModifyResponseValue #.PDU #.TYPE_RENAME BindResponse/_untag/resultCode BindResponse_resultCode ExtendedResponse/_untag/resultCode ExtendedResponse_resultCode ModifyRequest/_untag/modification ModifyRequest_modification #.FIELD_RENAME BindResponse/_untag/resultCode bindResponse_resultCode ExtendedResponse/_untag/resultCode extendedResponse_resultCode SearchRequest/_untag/attributes searchRequest_attributes SearchResultEntry/_untag/attributes searchResultEntry_attributes ModifyRequest/_untag/modification modifyRequest_modification SubstringFilter/substrings substringFilter_substrings BindResponse/_untag/matchedDN bindResponse_matchedDN IntermediateResponse/_untag/responseValue intermediateResponse_responseValue #.TYPE_ATTR LDAPString TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL LDAPURL TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL LDAPOID TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL Mechanism TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL AssertionValue TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL DirSyncFlags TYPE = FT_UINT32 DISPLAY = BASE_HEX STRINGS = NULL Simple TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL #.REGISTER #[MS-ADTS] SearchControlValue B "1.2.840.113556.1.4.319" "LDAP_PAGED_RESULT_OID_STRING" SortKeyList B "1.2.840.113556.1.4.473" "LDAP_SERVER_SORT_OID" SortResult B "1.2.840.113556.1.4.474" "LDAP_SERVER_RESP_SORT_OID" DirSyncControlValue B "1.2.840.113556.1.4.841" "LDAP_SERVER_DIRSYNC_OID" #RFC 3062 PasswdModifyRequestValue B "1.3.6.1.4.1.4203.1.11.1" "passwdModifyOID" #RFC 3909 CancelRequestValue B "1.3.6.1.1.8" "cancelRequestOID" #RFC 4533 SyncRequestValue B "1.3.6.1.4.1.4203.1.9.1.1" "syncRequestOID" SyncStateValue B "1.3.6.1.4.1.4203.1.9.1.2" "syncStateOID" SyncDoneValue B "1.3.6.1.4.1.4203.1.9.1.3" "syncDoneOID" SyncInfoValue B "1.3.6.1.4.1.4203.1.9.1.4" "syncInfoOID" # Draft RFC - Password Policy for LDAP Directories PasswordPolicyResponseValue B "1.3.6.1.4.1.42.2.27.8.5.1" "passwordPolicy" #.FN_FTR LDAPURL proto_item_set_url(actx->created_item); #.FN_HDR LDAPOID tvbuff_t *parameter_tvb; const gchar *name; ldap_conv_info_t *ldap_info = (ldap_conv_info_t *)actx->private_data; #.FN_PARS LDAPOID VAL_PTR = ¶meter_tvb #.FN_FTR LDAPOID object_identifier_id = NULL; if (!parameter_tvb) return offset; object_identifier_id = tvb_get_string_enc(actx->pinfo->pool, parameter_tvb, 0, tvb_reported_length_remaining(parameter_tvb,0), ENC_UTF_8|ENC_NA); name = oid_resolved_from_string(actx->pinfo->pool, object_identifier_id); if(name){ proto_item_append_text(actx->created_item, " (%s)", name); if((hf_index == hf_ldap_requestName) || (hf_index == hf_ldap_responseName)) { ldap_do_protocolop(actx->pinfo); col_append_fstr(actx->pinfo->cinfo, COL_INFO, "%s ", name); } } /* Has the client requested the Start TLS operation? */ if (ldap_info && hf_index == hf_ldap_requestName && !strcmp(object_identifier_id, "1.3.6.1.4.1.1466.20037")) { /* remember we have asked to start_tls */ ldap_info->start_tls_pending = TRUE; } #.FN_BODY MessageID VAL_PTR = &MessageID %(DEFAULT_BODY)s ldm_tree = tree; #.FN_PARS ProtocolOp VAL_PTR = &ProtocolOp #.FN_HDR ProtocolOp ldap_call_response_t *lcrp; ldap_conv_info_t *ldap_info = (ldap_conv_info_t *)actx->private_data; do_protocolop = TRUE; #.FN_FTR ProtocolOp if (ProtocolOp == -1) { return offset; } /* ProtocolOp is the index, not the tag so convert it to the tag value */ ProtocolOp = ldap_ProtocolOp_vals[ProtocolOp].value; lcrp=ldap_match_call_response(tvb, actx->pinfo, tree, MessageID, ProtocolOp, ldap_info); if(lcrp){ tap_queue_packet(ldap_tap, actx->pinfo, lcrp); } /* XXX: the count will not work if the results span multiple TCP packets */ if(ldap_info) { /* only count once */ switch(ProtocolOp) { case LDAP_RES_SEARCH_ENTRY: if (!actx->pinfo->fd->visited) ldap_info->num_results++; proto_item_append_text(tree, " [%d result%s]", ldap_info->num_results, ldap_info->num_results == 1 ? "" : "s"); break; case LDAP_RES_SEARCH_RESULT: col_append_fstr(actx->pinfo->cinfo, COL_INFO, " [%d result%s]", ldap_info->num_results, ldap_info->num_results == 1 ? "" : "s"); proto_item_append_text(tree, " [%d result%s]", ldap_info->num_results, ldap_info->num_results == 1 ? "" : "s"); break; default: break; } } #.FN_BODY Simple ldap_conv_info_t *ldap_info; %(DEFAULT_BODY)s ldap_info = (ldap_conv_info_t *)actx->private_data; ldap_info->auth_type = LDAP_AUTH_SIMPLE; #.FN_BODY Mechanism VAL_PTR = ¶meter_tvb ldap_conv_info_t *ldap_info; tvbuff_t *parameter_tvb; char *mechanism = NULL; %(DEFAULT_BODY)s ldap_info = (ldap_conv_info_t *)actx->private_data; ldap_info->auth_type = LDAP_AUTH_SASL; if (!parameter_tvb) return offset; /* * We need to remember the authentication type and mechanism for this * conversation. * * XXX - actually, we might need to remember more than one * type and mechanism, if you can unbind and rebind with a * different type and/or mechanism. */ if(!actx->pinfo->fd->visited) { mechanism = tvb_get_string_enc(wmem_file_scope(), parameter_tvb, 0, tvb_reported_length_remaining(parameter_tvb,0), ENC_UTF_8|ENC_NA); ldap_info->first_auth_frame = 0; /* not known until we see the bind reply */ /* * If the mechanism in this request is an empty string (which is * returned as a null pointer), use the saved mechanism instead. * Otherwise, if the saved mechanism is an empty string (null), * save this mechanism. */ if (mechanism != NULL) { wmem_free(wmem_file_scope(), ldap_info->auth_mech); ldap_info->auth_mech = mechanism; } } #.FN_BODY Credentials VAL_PTR = ¶meter_tvb tvbuff_t *parameter_tvb; ldap_conv_info_t *ldap_info; gint8 ber_class; bool pc; gint32 tag; %(DEFAULT_BODY)s if (!parameter_tvb) return offset; ldap_info = (ldap_conv_info_t *)actx->private_data; get_ber_identifier(parameter_tvb, 0, &ber_class, &pc, &tag); /*if ((ldap_info->auth_mech != NULL) && (strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) && (ber_class==BER_CLASS_CON)) {*/ if ((ldap_info->auth_mech != NULL) && (ber_class==BER_CLASS_CON)) { /* * This is a GSS-API token ancapsulated within GSS-SPNEGO. * We need to check the first byte to check whether the blob * contains SPNEGO or GSSAPI. * All SPNEGO PDUs are of class CONSTRUCTED while * GSS PDUs are class APPLICATION */ if (parameter_tvb && (tvb_reported_length(parameter_tvb) > 0)) call_dissector(spnego_handle, parameter_tvb, actx->pinfo, tree); } /*if ((ldap_info->auth_mech != NULL) && ((strcmp(ldap_info->auth_mech, "GSSAPI") == 0) || (ber_class==BER_CLASS_APP))) {*/ if ((ldap_info->auth_mech != NULL) && (ber_class==BER_CLASS_APP)) { /* * This is a raw GSS-API token. */ if (parameter_tvb && (tvb_reported_length(parameter_tvb) > 0)) { call_dissector(gssapi_handle, parameter_tvb, actx->pinfo, tree); } } /* Restore private data */ actx->private_data = ldap_info; #.FN_BODY ServerSaslCreds VAL_PTR = ¶meter_tvb tvbuff_t *parameter_tvb = NULL; ldap_conv_info_t *ldap_info; %(DEFAULT_BODY)s if (!parameter_tvb) return offset; ldap_info = (ldap_conv_info_t *)actx->private_data; switch (ldap_info->auth_type) { /* For Kerberos V4, dissect it as a ticket. */ /* XXX - what about LDAP_AUTH_SIMPLE? */ case LDAP_AUTH_SASL: /* * All frames after this are assumed to use a security layer. * * XXX - won't work if there's another reply, with the security * layer, starting in the same TCP segment that ends this * reply, but as LDAP is a request/response protocol, and * as the client probably can't start using authentication until * it gets the bind reply and the server won't send a reply until * it gets a request, that probably won't happen. * * XXX - that assumption is invalid; it's not clear where the * hell you find out whether there's any security layer. In * one capture, we have two GSS-SPNEGO negotiations, both of * which select MS KRB5, and the only differences in the tokens * is in the RC4-HMAC ciphertext. The various * draft-ietf--cat-sasl-gssapi-NN.txt drafts seem to imply * that the RFC 2222 spoo with the bitmask and maximum * output message size stuff is done - but where does that * stuff show up? Is it in the ciphertext, which means it's * presumably encrypted? * * Grrr. We have to do a gross heuristic, checking whether the * putative LDAP message begins with 0x00 or not, making the * assumption that we won't have more than 2^24 bytes of * encapsulated stuff. */ ldap_info->first_auth_frame = actx->pinfo->num + 1; if (ldap_info->auth_mech != NULL && strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) { /* It could be the second leg of GSS-SPNEGO wrapping NTLMSSP * which might not be wrapped in GSS-SPNEGO but be a raw * NTLMSSP blob */ if ( (tvb_reported_length(parameter_tvb)>=7) && (!tvb_memeql(parameter_tvb, 0, (const guint8*)"NTLMSSP", 7))){ call_dissector(ntlmssp_handle, parameter_tvb, actx->pinfo, tree); break; } /* * This is a GSS-API token. */ if(parameter_tvb && (tvb_reported_length(parameter_tvb) > 0)) call_dissector(spnego_handle, parameter_tvb, actx->pinfo, tree); } else if (ldap_info->auth_mech != NULL && strcmp(ldap_info->auth_mech, "GSSAPI") == 0) { /* * This is a GSS-API token. */ if(parameter_tvb && (tvb_reported_length(parameter_tvb) > 0)) call_dissector(gssapi_handle, parameter_tvb, actx->pinfo, tree); } break; } actx->private_data = ldap_info; #.FN_BODY LDAPString VAL_PTR = ¶meter_tvb tvbuff_t *parameter_tvb = NULL; const char *ldapstring = NULL; gchar *sc = NULL; /* semi-colon pointer */ offset = dissect_ber_octet_string_with_encoding(implicit_tag, actx, tree, tvb, offset, hf_index, ¶meter_tvb, ENC_UTF_8|ENC_NA); if (parameter_tvb || (hf_index == hf_ldap_baseObject)) { ldap_do_protocolop(actx->pinfo); if(parameter_tvb) ldapstring = tvb_get_string_enc(actx->pinfo->pool, parameter_tvb, 0, tvb_reported_length_remaining(parameter_tvb, 0), ENC_UTF_8|ENC_NA); if(hf_index == hf_ldap_baseObject) { /* this is search - put it on the scanline */ if(!ldapstring || !*ldapstring) ldapstring = ""; col_append_fstr(actx->pinfo->cinfo, COL_INFO, "\"%%s\" ", format_text(actx->pinfo->pool, ldapstring, strlen(ldapstring))); if(ldm_tree) proto_item_append_text(ldm_tree, " \"%%s\"", ldapstring); if(!parameter_tvb) { proto_item_append_text(actx->created_item, " (%%s)", ldapstring); } } else if ((hf_index == hf_ldap_errorMessage) && ldapstring && *ldapstring) { /* only show message if not success */ col_append_fstr(actx->pinfo->cinfo, COL_INFO, "(%%s) ", format_text(actx->pinfo->pool, ldapstring, strlen(ldapstring))); if(ldm_tree) proto_item_append_text(ldm_tree, " (%%s)", ldapstring); } else if ((hf_index == hf_ldap_objectName) || (hf_index == hf_ldap_name) || (hf_index == hf_ldap_entry) || (hf_index == hf_ldap_object) || (hf_index == hf_ldap_delRequest) ) { if(!ldapstring || !*ldapstring) ldapstring = ""; col_append_fstr(actx->pinfo->cinfo, COL_INFO, "\"%%s\" ", format_text(actx->pinfo->pool, ldapstring, strlen(ldapstring))); if(ldm_tree) proto_item_append_text(ldm_tree, " \"%%s\"", ldapstring); } else if (hf_index == hf_ldap_attributeDesc){ /* remember the attribute description */ attributedesc_string=ldapstring; } else if (hf_index == hf_ldap_initial){ /* remember the substring item */ substring_item_init=ldapstring; } else if (hf_index == hf_ldap_any){ /* remember the substring item */ substring_item_any=ldapstring; } else if (hf_index == hf_ldap_final){ /* remember the substring item */ substring_item_final=ldapstring; } else if (hf_index == hf_ldap_matchingRule){ /* remember the matching rule */ matching_rule_string=ldapstring; } else if (hf_index == hf_ldap_present){ /* remember the present name */ Filter_string=ldapstring; } else if (hf_index == hf_ldap_type) { /* remember attribute type name */ attr_type = wmem_strdup(actx->pinfo->pool, ldapstring); /* append it to the parent entry */ proto_item_append_text(tree, " %%s", attr_type); /* remove the ";binary" component if present */ if((sc = strchr(attr_type, ';')) != NULL) { if(!strcmp(sc, ";binary")) { *sc = '\0'; /* terminate the string */ is_binary_attr_type = TRUE; } } else { is_binary_attr_type = FALSE; } } } #.FN_BODY SearchRequest/_untag/scope VAL_PTR = &scope guint32 scope = 0xffff; const gchar *valstr; %(DEFAULT_BODY)s ldap_do_protocolop(actx->pinfo); valstr = val_to_str(scope, ldap_T_scope_vals, "Unknown scope(%%u)"); col_append_fstr(actx->pinfo->cinfo, COL_INFO, "%%s ", valstr); if(ldm_tree) proto_item_append_text(ldm_tree, " %%s", valstr); #.FN_BODY LDAPResult/resultCode VAL_PTR = &result const gchar *valstr; %(DEFAULT_BODY)s ldap_do_protocolop(actx->pinfo); valstr = val_to_str(result, ldap_T_resultCode_vals, "Unknown result(%%u)"); col_append_fstr(actx->pinfo->cinfo, COL_INFO, "%%s ", valstr); if(ldm_tree) proto_item_append_text(ldm_tree, " %%s", valstr); #.FN_BODY BindResponse/_untag/resultCode VAL_PTR = &result const gchar *valstr; %(DEFAULT_BODY)s ldap_do_protocolop(actx->pinfo); valstr = val_to_str(result, ldap_BindResponse_resultCode_vals, "Unknown result(%%u)"); col_append_fstr(actx->pinfo->cinfo, COL_INFO, "%%s ", valstr); if(ldm_tree) proto_item_append_text(ldm_tree, " %%s", valstr); #.FN_BODY ExtendedResponse/_untag/resultCode guint32 resultCode; ldap_conv_info_t *ldap_info = (ldap_conv_info_t *)actx->private_data; offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index, &resultCode); /* If Start TLS request was sent and resultCode is success... */ if (ldap_info && ldap_info->start_tls_pending && hf_index == hf_ldap_extendedResponse_resultCode && resultCode == 0) { /* The conversation will continue using SSL */ ssl_starttls_ack(find_dissector("tls"), actx->pinfo, ldap_handle); ldap_info->start_tls_pending = FALSE; } #.FN_BODY AttributeValue tvbuff_t *next_tvb = NULL; gchar *string; int old_offset = offset; gint *hf_id; /* attr_type, should be set before calling this function */ /* extract the value of the octetstring */ offset = dissect_ber_octet_string(FALSE, actx, NULL, tvb, offset, hf_index, &next_tvb); /* first check if we have a custom attribute type configured */ if ((hf_id = get_hf_for_header (attr_type)) != NULL) proto_tree_add_item (tree, *hf_id, next_tvb, 0, tvb_reported_length_remaining(next_tvb, 0), ENC_UTF_8|ENC_NA); /* if we have an attribute type that isn't binary see if there is a better dissector */ else if(!attr_type || !next_tvb || !dissector_try_string_new(ldap_name_dissector_table, attr_type, next_tvb, actx->pinfo, tree, FALSE, NULL)) { offset = old_offset; /* do the default thing */ %(DEFAULT_BODY)s if(tvb_ascii_isprint(next_tvb, 0, tvb_reported_length(next_tvb))) { string = tvb_get_string_enc(actx->pinfo->pool, next_tvb, 0, tvb_reported_length_remaining(next_tvb, 0), ENC_UTF_8|ENC_NA); proto_item_set_text(actx->created_item, "AttributeValue: %%s", string); } } #.FN_BODY AuthenticationChoice VAL_PTR = &branch gint branch = -1; gint auth = -1; const gchar *valstr; %(DEFAULT_BODY)s ldap_do_protocolop(actx->pinfo); if((branch > -1) && (branch < (gint)(sizeof AuthenticationChoice_choice/sizeof AuthenticationChoice_choice[0]))) auth = AuthenticationChoice_choice[branch].value; valstr = val_to_str(auth, ldap_AuthenticationChoice_vals, "Unknown auth(%%u)"); /* If auth is NTLM (10 or 11) don't add to column as the NTLM dissection will do this */ if ((auth != 10) && (auth != 11)) col_append_fstr(actx->pinfo->cinfo, COL_INFO, "%%s ", valstr); if(ldm_tree) proto_item_append_text(ldm_tree, " %%s", valstr); #.FN_BODY UnbindRequest implicit_tag = TRUE; /* correct problem with asn2wrs */ %(DEFAULT_BODY)s ldap_do_protocolop(actx->pinfo); #.FN_HDR SearchRequest/_untag/filter Filter_string=NULL; Filter_elements = 0; Filter_length = 0; #.FN_FTR SearchRequest/_untag/filter Filter_string=NULL; and_filter_string=NULL; Filter_elements = 0; Filter_length = 0; #.FN_FTR Filter/equalityMatch Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(%s=%s)", string_or_null(attributedesc_string), string_or_null(ldapvalue_string)); #.FN_FTR Filter/greaterOrEqual Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(%s>=%s)", string_or_null(attributedesc_string), string_or_null(ldapvalue_string)); #.FN_FTR Filter/lessOrEqual Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(%s<=%s)", string_or_null(attributedesc_string), string_or_null(ldapvalue_string)); #.FN_FTR Filter/approxMatch Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(%s~=%s)", string_or_null(attributedesc_string), string_or_null(ldapvalue_string)); #.FN_FTR Filter/and/_item if(and_filter_string){ and_filter_string=wmem_strdup_printf(actx->pinfo->pool, "(&%s%s)",and_filter_string,Filter_string); } else { and_filter_string=Filter_string; } #.FN_BODY Filter/and proto_tree *tr=NULL; proto_item *it=NULL; const char *old_and_filter_string=and_filter_string; and_filter_string=NULL; tr=proto_tree_add_subtree(tree, tvb, offset, -1, ett_ldap_T_and, &it, "and: "); tree = tr; %(DEFAULT_BODY)s if(and_filter_string) { proto_item_append_text(it, "%%s", and_filter_string); Filter_string=wmem_strdup(actx->pinfo->pool, and_filter_string); } and_filter_string=old_and_filter_string; #.FN_FTR Filter/or/_item if(or_filter_string){ or_filter_string=wmem_strdup_printf(actx->pinfo->pool, "(|%s%s)",or_filter_string,Filter_string); } else { or_filter_string=Filter_string; } #.FN_BODY Filter/or proto_tree *tr; proto_item *it; const char *old_or_filter_string=or_filter_string; or_filter_string=NULL; tr=proto_tree_add_subtree(tree, tvb, offset, -1, ett_ldap_T_or, &it, "or: "); tree = tr; %(DEFAULT_BODY)s if(or_filter_string) { proto_item_append_text(it, "%%s", or_filter_string); Filter_string=wmem_strdup(actx->pinfo->pool, or_filter_string); } or_filter_string=old_or_filter_string; #.FN_FTR Filter/present Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(%s=*)",string_or_null(Filter_string)); #.FN_FTR Filter/not Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(!%s)",string_or_null(Filter_string)); #.FN_BODY MatchingRuleAssertion/dnAttributes bool val; offset = dissect_ber_boolean(implicit_tag, actx, tree, tvb, offset, hf_index, &val); matching_rule_dnattr = val; #.FN_HDR Filter/extensibleMatch attr_type=NULL; matching_rule_string=NULL; ldapvalue_string=NULL; matching_rule_dnattr=FALSE; #.FN_FTR Filter/extensibleMatch Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(%s:%s%s%s=%s)", (attr_type?attr_type:""), (matching_rule_dnattr?"dn:":""), (matching_rule_string?matching_rule_string:""), (matching_rule_string?":":""), string_or_null(ldapvalue_string)); #.FN_FTR SubstringFilter/substrings/_item if (substring_item_final) { substring_value=wmem_strdup_printf(actx->pinfo->pool, "%s%s", (substring_value?substring_value:"*"), substring_item_final); } else if (substring_item_any) { substring_value=wmem_strdup_printf(actx->pinfo->pool, "%s%s*", (substring_value?substring_value:"*"), substring_item_any); } else if (substring_item_init) { substring_value=wmem_strdup_printf(actx->pinfo->pool, "%s*", substring_item_init); } #.FN_BODY SubstringFilter proto_tree *tr; proto_item *it; const char *old_substring_value=substring_value; attr_type=NULL; substring_value=NULL; substring_item_init=NULL; substring_item_any=NULL; substring_item_final=NULL; tr=proto_tree_add_subtree(tree, tvb, offset, -1, ett_ldap_SubstringFilter, &it, "substring: "); tree = tr; %(DEFAULT_BODY)s Filter_string=wmem_strdup_printf(actx->pinfo->pool, "(%%s=%%s)", string_or_null(attr_type), string_or_null(substring_value)); proto_item_append_text(it, "%%s", Filter_string); substring_value=old_substring_value; #.FN_BODY Filter proto_tree *tr; proto_item *it; attributedesc_string=NULL; if (Filter_length++ > MAX_FILTER_LEN) { expert_add_info_format(actx->pinfo, tree, &ei_ldap_exceeded_filter_length, "Filter length exceeds %%u. Giving up.", MAX_FILTER_LEN); THROW(ReportedBoundsError); } if (Filter_elements++ > MAX_FILTER_ELEMENTS) { expert_add_info_format(actx->pinfo, tree, &ei_ldap_too_many_filter_elements, "Found more than %%u filter elements. Giving up.", MAX_FILTER_ELEMENTS); THROW(ReportedBoundsError); } tr=proto_tree_add_subtree(tree, tvb, offset, -1, ett_ldap_Filter, &it, "Filter: "); tree = tr; %(DEFAULT_BODY)s if(Filter_string) proto_item_append_text(it, "%%s", string_or_null(Filter_string)); #.FN_BODY AuthenticationChoice/ntlmsspNegotiate /* make sure the protocol op comes first */ ldap_do_protocolop(actx->pinfo); call_dissector(ntlmssp_handle, tvb, actx->pinfo, tree); offset+=tvb_reported_length_remaining(tvb, offset); #.FN_BODY AuthenticationChoice/ntlmsspAuth /* make sure the protocol op comes first */ ldap_do_protocolop(actx->pinfo); call_dissector(ntlmssp_handle, tvb, actx->pinfo, tree); offset+=tvb_reported_length_remaining(tvb, offset); #.FN_BODY BindResponse/_untag/matchedDN tvbuff_t *new_tvb=NULL; offset = dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_ldap_matchedDN, &new_tvb); if( new_tvb && (tvb_reported_length(new_tvb)>=7) && (!tvb_memeql(new_tvb, 0, (const guint8*)"NTLMSSP", 7))){ /* make sure the protocol op comes first */ ldap_do_protocolop(actx->pinfo); call_dissector(ntlmssp_handle, new_tvb, actx->pinfo, tree); } #.FN_BODY Control/controlValue gint8 ber_class; bool pc, ind; gint32 tag; guint32 len; if((object_identifier_id != NULL) && oid_has_dissector(object_identifier_id)) { /* remove the OCTET STRING encoding */ offset=dissect_ber_identifier(actx->pinfo, NULL, tvb, offset, &ber_class, &pc, &tag); offset=dissect_ber_length(actx->pinfo, NULL, tvb, offset, &len, &ind); call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); offset += len; } else { %(DEFAULT_BODY)s } #.FN_BODY ExtendedRequest/_untag/requestValue if((object_identifier_id != NULL) && oid_has_dissector(object_identifier_id)) { offset = call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); } else { %(DEFAULT_BODY)s } #.FN_HDR IntermediateResponse/_untag/responseValue const gchar *name; #.FN_BODY IntermediateResponse/_untag/responseValue if(ldm_tree && object_identifier_id) { proto_item_set_text(ldm_tree, "%%s %%s", "IntermediateResponse", object_identifier_id); name = oid_resolved_from_string(actx->pinfo->pool, object_identifier_id); if(name) proto_item_append_text(ldm_tree, " (%%s)", name); } if((object_identifier_id != NULL) && oid_has_dissector(object_identifier_id)) { offset = call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL); } else { %(DEFAULT_BODY)s } #.FN_BODY DirSyncFlags gint8 ber_class; bool pc; gint32 tag; guint32 len; gint32 val; int otheroffset = offset; if(!implicit_tag){ dissect_ber_identifier(actx->pinfo, tree, tvb, otheroffset, &ber_class, &pc, &tag); otheroffset=dissect_ber_length(actx->pinfo, tree, tvb, offset, &len, NULL); } else { gint32 remaining=tvb_reported_length_remaining(tvb, offset); len=remaining>0 ? remaining : 0; } offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, -1, &val); if (val >0) { static int * const flags[] = { &hf_ldap_object_security_flag, &hf_ldap_ancestor_first_flag, &hf_ldap_public_data_only_flag, &hf_ldap_incremental_value_flag, NULL }; proto_tree_add_bitmask_value_with_flags(tree, tvb, otheroffset+1, hf_index, ett_ldap_DirSyncFlagsSubEntry, flags, val, BMT_NO_APPEND); } else { proto_tree_add_uint(tree, hf_index, tvb, otheroffset+len, len, 0); } #.FN_BODY SearchResultReference %(DEFAULT_BODY)s ldap_do_protocolop(actx->pinfo); #.FN_BODY AbandonRequest %(DEFAULT_BODY)s ldap_do_protocolop(actx->pinfo); #.NO_EMIT AttributeType Attribute AssertionValue # # Editor modelines - https://www.wireshark.org/tools/modelines.html # # Local variables: # c-basic-offset: 2 # tab-width: 8 # indent-tabs-mode: nil # End: # # vi: set shiftwidth=2 tabstop=8 expandtab: # :indentSize=2:tabSize=8:noTabs=true: #