PIDL, ethereal, etc.

Andrew Bartlett abartlet at samba.org
Tue Dec 28 05:13:49 GMT 2004


On Mon, 2004-12-27 at 19:17 -0800, kmorank wrote:
> I notice that the default dissectors for ethereal are not as chatty as perhaps 
> they should be when looking at DCE traffic -- for example, RegQueryValueEx isn't 
> as correct as it could be. 
>  
> The PIDL manpage says I should be able to 
>  perl ../../build/pidl/pidl.pl --output foo.c --parse --eparser winreg.idl
> 
> and sure enough, 
> packet-dcerpc-proto.h
> packet-dcerpc-proto-winreg.h
> packet-dcerpc-winreg.c
> 
> show up... however, when plopped into the ethereal tree for a "go", it doesn't exactly compile. 
> "eparser.h" is called for, which doesn't exist in either the ethereal or samba tree; 

It is in the 'lorikeet' SVN repository (which is the samba.org place for
samba-related patches to other projects).  However, this has not been
kept up to date with current Ethereal and current Samba/PIDL.  (As I
found out *after* I added a nice configure option: --with-eparser-dir to
Samba4, to make it easier to build the stuff :-)

> perhaps it should be replaced by "packet-dcerpc-proto.h", which includes ndr_winreg.h? 
> Changing that, putting those files into my ethereal dissector build directory, 
> symlinking the librpc directory so it's accessible as I build the new dissector 
> still yields a bunch of errors.
>  
> How out of sync is the --eparser flag with the current sources and ethereal?

I understand that tpot is working on another attempt at the PIDL
approach, using perl to munge the standard output this time (rather than
creating a new output engine).  I've not seen anything show up in a
public tree yet however.

In the meantime, you can use ndrdump to inspect particular packets.  To
do this, you must 'dump to file' the whole RPC PDU (right-click on the
bytes in ethereal), and run ndrdump on that file, with details of which
function it is.

Andrew Bartlett

-- 
Andrew Bartlett <abartlet at samba.org>
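Added example (not code from the thread, Samba or Ethereal): the ndrdump workaround above needs two things from the bytes you dump out of ethereal, the opnum (so you can name the function from the IDL) and the NDR stub itself. This script parses the connection-oriented DCE/RPC request/response header as laid out in the DCE 1.1 RPC spec, strips any security trailer and padding, and writes the stub to a file for ndrdump. The sample PDU is constructed in the script rather than captured; the stub bytes are a placeholder, not real winreg_QueryValue marshalling. The `ndrdump winreg winreg_QueryValue in stub.bin` invocation and the opnum-to-name mapping (17 = winreg_QueryValue) are assumptions to check against your own `ndrdump --help` and `winreg.idl`.

```python
"""Extract the NDR stub and opnum from a dumped DCE/RPC PDU for ndrdump.

Added example, not Samba or Ethereal code.  Handles connection-oriented
(DCE/RPC 5.x) request and response PDUs only.
"""
import struct
import sys

PTYPE_REQUEST = 0
PTYPE_RESPONSE = 2
PFC_OBJECT_UUID = 0x80      # request header carries a 16-byte object UUID
COMMON_HDR_LEN = 16
SEC_TRAILER_LEN = 8         # auth_type, auth_level, auth_pad_length, reserved, auth_context_id


def parse_pdu(pdu: bytes) -> dict:
    """Return header fields plus the bare NDR stub (auth trailer and padding removed)."""
    if len(pdu) < COMMON_HDR_LEN:
        raise ValueError("PDU shorter than the 16-byte common header")
    rpc_vers, ptype, pfc_flags = pdu[0], pdu[2], pdu[3]
    if rpc_vers != 5:
        raise ValueError(f"not a DCE/RPC 5.x CO PDU (rpc_vers={rpc_vers})")
    # drep byte 0, bit 4: 1 = little-endian integers, 0 = big-endian
    endian = "<" if pdu[4] & 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    if frag_length > len(pdu):
        raise ValueError(f"frag_length {frag_length} exceeds the {len(pdu)} dumped bytes")
    if ptype == PTYPE_REQUEST:
        _alloc_hint, context_id, opnum = struct.unpack(endian + "IHH", pdu[16:24])
        stub_off = 24 + (16 if pfc_flags & PFC_OBJECT_UUID else 0)
    elif ptype == PTYPE_RESPONSE:
        _alloc_hint, context_id = struct.unpack(endian + "IH", pdu[16:22])
        opnum = None            # responses do not repeat the opnum; take it from the request
        stub_off = 24
    else:
        raise ValueError(f"ptype {ptype} carries no NDR stub (only request/response handled)")
    stub_end = frag_length
    if auth_length:
        trailer_off = frag_length - auth_length - SEC_TRAILER_LEN
        auth_pad_length = pdu[trailer_off + 2]
        stub_end = trailer_off - auth_pad_length
    if stub_end < stub_off:
        raise ValueError("auth trailer overlaps the stub; PDU is truncated or corrupt")
    return {
        "ptype": ptype,
        "call_id": call_id,
        "context_id": context_id,
        "opnum": opnum,
        "direction": "in" if ptype == PTYPE_REQUEST else "out",
        "stub": pdu[stub_off:stub_end],
    }


def build_request(opnum: int, stub: bytes, call_id: int = 1,
                  context_id: int = 0, auth: bytes = b"") -> bytes:
    """Constructed little-endian request PDU, standing in for an ethereal dump."""
    pad = (-len(stub)) % 4 if auth else 0
    trailer = b""
    if auth:
        # sec_trailer: auth_type=10 (NTLMSSP), auth_level=6 (privacy), pad, reserved, context id
        trailer = bytes([10, 6, pad, 0]) + struct.pack("<I", 0) + auth
    body = stub + b"\x00" * pad + trailer
    hdr = bytes([5, 0, PTYPE_REQUEST, 0x03])          # vers, minor, ptype, FIRST|LAST frag
    hdr += bytes([0x10, 0, 0, 0])                     # drep: little-endian, ASCII, IEEE float
    hdr += struct.pack("<HHI", 24 + len(body), len(auth), call_id)
    hdr += struct.pack("<IHH", len(stub), context_id, opnum)
    return hdr + body


def ndrdump_command(pipe: str, function: str, direction: str, path: str) -> list:
    """Assumed ndrdump argument order: <pipe> <function> <in|out> <file>; check ndrdump --help."""
    return ["ndrdump", pipe, function, direction, path]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        pdu = open(sys.argv[1], "rb").read()          # file dumped from ethereal
    else:
        # Placeholder stub, not real winreg_QueryValue NDR; opnum 17 assumed from winreg.idl
        pdu = build_request(17, b"\x00" * 8, call_id=3, auth=b"\xaa" * 16)
    info = parse_pdu(pdu)
    with open("stub.bin", "wb") as f:
        f.write(info["stub"])
    print(f"ptype={info['ptype']} opnum={info['opnum']} stub={len(info['stub'])} bytes")
    print(" ".join(ndrdump_command("winreg", "winreg_QueryValue", info["direction"], "stub.bin")))
```

Run it with the path of the dumped PDU as its only argument; it writes stub.bin and prints the ndrdump line to run. If your ndrdump turns out to accept the whole PDU rather than the stub, the header parse still gives you the opnum you need to pick the function name.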