Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

[PATCH] Outlook anywhere: ncacn_http support

From: Julien Kerihuel <j.kerihuel () openchange org>
Date: Sun, 05 Dec 2010 23:22:10 +0100
Hi Lists,

I've just finished to write a ncacn_http dissector for Wireshark which
provides the ability to dissect Outlook anywhere packets properly (as
specified by [MS-RPCH].pdf documentation.

I have attached to this email all the material needed to test the patch:
        - stunnel.pem: the SSL RSA key to use to decrypt SSL'd capture
        - sample_outlook_anywhere_ssl.pcap: the capture with SSL enabled
        and including RTS + nspi, rfr, mapi packets
        - sample_outlook_anywhere_not_ssl.pcap: the capture performed on
        lo without SSL enabled and filtered to show only RTS packets.

Relevant RTS packets can be displayed using (dcerpc.pkt_type == 20)
filter.

The patch also adds some fuzzy naming on RTS packets given MS-RPCH
specifications. They define these PDU body through the flags, number of
commands fields and command sequences.

FYI, this capture was done between Outlook 2010 and Exchange 2010 using
a local SSL proxy to avoid Diffie-Hellman algorithm usage (default with
Exchange 2010).

In this scenario:
        - 192.168.0.120 is the Outlook 2010 client
        - 192.168.0.103 is the SSL proxy

I have also added to the email the dcerpc.idl patch for Samba4 which
adds the associated IDL for RTS support:
00001-Add-ncacn_http-RTS-IDL-implementation-in-dcerpc.idl.patch

It probably doesn't respect the Samba4 usual naming convention, but I
thought it would be more useful under this form so you can turn fields
to any names you prefer.

Kind Regards,
Julien.

-- 
Julien Kerihuel
j.kerihuel () openchange org
OpenChange Project Manager/Developer/Maintainer

GPG Fingerprint: 0B55 783D A781 6329 108A  B609 7EF6 FE11 A35F 1F79

Attachment: wireshark_ncacn_http_support.diff
Description:

Attachment: stunnel.pem
Description:

Attachment: sample_outlook_anywhere_not_ssl.pcap
Description:

Attachment: sample_outlook_anywhere_ssl.pcap
Description:

Attachment: 0001-Add-ncacn_http-RTS-IDL-implementation-in-dcerpc.idl.patch
Description:

Attachment: signature.asc
Description: This is a digitally signed message part

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: