PIDL, ethereal, etc.
kmorank
kmorank at yahoo.com
Tue Dec 28 05:25:39 GMT 2004
Is there value in "resyncing" eparser, PIDL, and ethereal? I sure like having the immediacy that ethereal provides; perhaps I'll have a chance to look at the lorikeet stuff in the next few days.
Andrew Bartlett <abartlet at samba.org> wrote:
On Mon, 2004-12-27 at 19:17 -0800, kmorank wrote:
> I notice that the default dissectors for ethereal are not as chatty as perhaps
> they should be when looking at DCE traffic -- for example, RegQueryValueEx isn't
> as correct as it could be.
>
> The PIDL manpage says I should be able to
> perl ../../build/pidl/pidl.pl --output foo.c --parse --eparser winreg.idl
>
> and sure enough,
> packet-dcerpc-proto.h
> packet-dcerpc-proto-winreg.h
> packet-dcerpc-winreg.c
>
> show up. However, when plopped into the ethereal tree for a "go", it doesn't exactly compile.
> "eparser.h" is called for, which doesn't exist in either the ethereal or samba tree;
It is in the 'lorikeet' SVN repository (which is the samba.org place for
samba-related patches to other projects). However, this has not been
kept up to date with current Ethereal and current Samba/PIDL. (As I
found out *after* I added a nice configure option: --with-eparser-dir to
Samba4, to make it easier to build the stuff :-) )
> perhaps it should be replaced by "packet-dcerpc-proto.h", which includes ndr_winreg.h?
> Changing that, putting those files, into my ethereal dissector build directory,
> symlinking the librpc directory so it's accessible as I build the new dissector
> still yields a bunch of errors.
>
> How out of sync is the --eparser flag with the current sources and ethereal?
I understand that tpot is working on another attempt at the PIDL
approach, using perl to munge the standard output this time (rather than
creating a new output engine). I've not seen anything show up in a
public tree yet however.
In the meantime, you can use ndrdump to inspect particular packets. To
do this, you must 'dump to file' the whole RPC PDU (right-click on the
bytes in ethereal), and run ndrdump on that file, with details of which
function it is.
Andrew Bartlett
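The ndrdump workflow above needs "details of which function it is" for the dumped PDU. As an added example (not code from the thread or from Samba), this Python parser splits a connection-oriented DCE/RPC request or response PDU into its header fields and the NDR stub, so the opnum, call direction and call_id can be read straight off the dumped bytes; the sample request is constructed, and the assumption that opnum 17 in the winreg interface is QueryValue comes from the winreg IDL.

```python
import struct
from dataclasses import dataclass
from typing import Optional

PTYPE_REQUEST = 0       # DCE 1.1 RPC (C706) packet types
PTYPE_RESPONSE = 2
PFC_OBJECT_UUID = 0x80  # request carries a 16-byte object UUID after opnum

@dataclass
class PduInfo:
    ptype: int
    call_id: int
    frag_length: int
    auth_length: int
    context_id: int
    opnum: Optional[int]   # only present in request PDUs
    stub: bytes            # NDR-encoded arguments (in) or results (out)

def parse_dcerpc_pdu(pdu: bytes) -> PduInfo:
    """Split a connection-oriented request/response PDU into header and NDR stub."""
    if len(pdu) < 24: raise ValueError("PDU shorter than common + request header")
    vers, ptype, pfc_flags = pdu[0], pdu[2], pdu[3]
    if vers != 5: raise ValueError(f"unsupported rpc_vers {vers}")
    end = "<" if pdu[4] & 0x10 else ">"   # drep bit 4: little-endian integers
    frag_length, auth_length, call_id = struct.unpack(end + "HHI", pdu[8:16])
    if frag_length > len(pdu): raise ValueError("frag_length exceeds captured bytes")
    if ptype == PTYPE_REQUEST:
        _alloc_hint, context_id, opnum = struct.unpack(end + "IHH", pdu[16:24])
        off = 24 + (16 if pfc_flags & PFC_OBJECT_UUID else 0)
    elif ptype == PTYPE_RESPONSE:
        _alloc_hint, context_id = struct.unpack(end + "IH", pdu[16:22])
        opnum, off = None, 24             # cancel_count + reserved byte follow
    else:
        raise ValueError(f"ptype {ptype} is not a request or response")
    stub_end = frag_length
    if auth_length:                        # sec_trailer(8) + auth_value at the end
        trailer = frag_length - auth_length - 8
        stub_end = trailer - pdu[trailer + 2]   # strip auth_pad_length as well
    return PduInfo(ptype, call_id, frag_length, auth_length, context_id,
                   opnum, pdu[off:stub_end])

def build_request(opnum: int, stub: bytes, call_id: int = 1) -> bytes:
    """Constructed sample only: minimal little-endian request, no auth trailer."""
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, 0x03,
                      b"\x10\x00\x00\x00", 24 + len(stub), 0, call_id)
    return hdr + struct.pack("<IHH", len(stub), 0, opnum) + stub

# Constructed winreg QueryValue request (assumed: opnum 17 = QueryValue in winreg.idl).
SAMPLE = build_request(17, b"\x00" * 20 + b"\xaa" * 4, call_id=7)
INFO = parse_dcerpc_pdu(SAMPLE)   # INFO.opnum == 17, INFO.stub is the 24-byte NDR blob
```

The ptype tells you whether to ask ndrdump for the "in" or "out" side, and the opnum (with the interface) names the function.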