[PATCH] Outlook anywhere: ncacn_http support
Julien Kerihuel
j.kerihuel at openchange.org
Sun Dec 5 15:22:10 MST 2010
Hi Lists,
I've just finished writing an ncacn_http dissector for Wireshark which
provides the ability to dissect Outlook anywhere packets properly (as
specified by the [MS-RPCH].pdf documentation).
I have attached to this email all the material needed to test the patch:
- stunnel.pem: the SSL RSA key to use to decrypt SSL'd capture
- sample_outlook_anywhere_ssl.pcap: the capture with SSL enabled
and including RTS + nspi, rfr, mapi packets
- sample_outlook_anywhere_not_ssl.pcap: the capture performed on
lo without SSL enabled and filtered to show only RTS packets.
Relevant RTS packets can be displayed using (dcerpc.pkt_type == 20)
filter.
The patch also adds some fuzzy naming on RTS packets given MS-RPCH
specifications. They define these PDU bodies through the flags, number of
commands fields and command sequences.
FYI, this capture was done between Outlook 2010 and Exchange 2010 using
a local SSL proxy to avoid Diffie-Hellman algorithm usage (default with
Exchange 2010).
In this scenario:
- 192.168.0.120 is the Outlook 2010 client
- 192.168.0.103 is the SSL proxy
I have also added to the email the dcerpc.idl patch for Samba4 which
adds the associated IDL for RTS support:
00001-Add-ncacn_http-RTS-IDL-implementation-in-dcerpc.idl.patch
It probably doesn't respect the usual Samba4 naming convention, but I
thought it would be more useful in this form so you can turn fields
to any names you prefer.
Kind Regards,
Julien.
--
Julien Kerihuel
j.kerihuel at openchange.org
OpenChange Project Manager/Developer/Maintainer
GPG Fingerprint: 0B55 783D A781 6329 108A B609 7EF6 FE11 A35F 1F79
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wireshark_ncacn_http_support.diff
Type: text/x-patch
Size: 23374 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101205/8746e81e/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel.pem
Type: application/x-x509-ca-cert
Size: 1804 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101205/8746e81e/attachment-0001.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sample_outlook_anywhere_not_ssl.pcap
Type: application/octet-stream
Size: 2840 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101205/8746e81e/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sample_outlook_anywhere_ssl.pcap
Type: application/octet-stream
Size: 154008 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101205/8746e81e/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-ncacn_http-RTS-IDL-implementation-in-dcerpc.idl.patch
Type: text/x-patch
Size: 6184 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101205/8746e81e/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101205/8746e81e/attachment-0001.pgp>
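Added example, not part of the original message or of the attached patches: a bounds-checked parser that names an RTS PDU from its flags, number of commands and command sequence, as the message describes. The header layout, command codes and the three PDU names are assumptions taken from this example's reading of [MS-RPCH], and the sample PDU is constructed.

```python
import struct

# Assumption: header layout and command codes follow this example's reading of
# [MS-RPCH]; all names below are the example's own, not the patch's.
RTS_PTYPE = 20  # the value matched by the dcerpc.pkt_type == 20 filter
COMMANDS = {  # command type -> (name, body length in bytes); fixed-size subset
    0: ("ReceiveWindowSize", 4), 2: ("ConnectionTimeout", 4), 3: ("Cookie", 16),
    4: ("ChannelLifetime", 4), 5: ("ClientKeepalive", 4), 6: ("Version", 4),
    7: ("Empty", 0), 12: ("AssociationGroupId", 16),
}
PDU_NAMES = {  # (flags, command sequence) -> PDU name; small subset
    (0x0000, ("Version", "Cookie", "Cookie", "ReceiveWindowSize")): "CONN/A1",
    (0x0000, ("Version", "Cookie", "Cookie", "ChannelLifetime",
              "ClientKeepalive", "AssociationGroupId")): "CONN/B1",
    (0x0001, ()): "Ping",
}

def parse_rts(pdu: bytes):
    """Return (flags, command names, PDU name); raise ValueError if malformed."""
    if len(pdu) < 20:
        raise ValueError("shorter than the 20-byte RTS header")
    _ver, _minor, ptype, _pfc, drep, frag_len, _auth, _call, flags, ncmds = \
        struct.unpack_from("<BBBB4sHHIHH", pdu, 0)
    if ptype != RTS_PTYPE:
        raise ValueError("not an RTS PDU")
    if not drep[0] & 0x10:
        raise ValueError("big-endian PDUs not handled in this example")
    if not 20 <= frag_len <= len(pdu):
        raise ValueError("frag_length outside captured data")
    names, off = [], 20
    for _ in range(ncmds):
        if off + 4 > frag_len:
            raise ValueError("command list runs past frag_length")
        (ctype,) = struct.unpack_from("<I", pdu, off)
        if ctype not in COMMANDS:
            raise ValueError(f"command type {ctype} not in this subset")
        name, size = COMMANDS[ctype]
        off += 4 + size
        if off > frag_len:
            raise ValueError(f"{name} body truncated")
        names.append(name)
    return flags, names, PDU_NAMES.get((flags, tuple(names)), "unnamed RTS PDU")

def build_rts(flags, cmds):  # builds constructed sample PDUs from (type, body) pairs
    body = b"".join(struct.pack("<I", t) + v for t, v in cmds)
    return struct.pack("<BBBB4sHHIHH", 5, 0, RTS_PTYPE, 0x03, b"\x10\0\0\0",
                       20 + len(body), 0, 0, flags, len(cmds)) + body
SAMPLE_CONN_A1 = build_rts(0, [(6, struct.pack("<I", 1)), (3, bytes(16)),
                               (3, bytes(range(16))), (0, struct.pack("<I", 65536))])
```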