This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Lua Dissector for Extended MAPI over DCE/RPC


I'm trying to write a dissector to decode "MAPI Extended" over DCE/RPC.

From my reading I believe that I need to register my dissector with the "dcerpc" DissectorTable.

I found in the dcerpc code a comment reading "XXX - DCE/RPC doesn't have a true (sub)dissector table, so provide a "fake" one to fit the Decode As algorithm". This leads me to believe that I register my dissector like this:

local dis_table = DissectorTable.get("dcerpc.fake")

However when launching tshark or wireshark I get the error:

dis.lua:30: bad argument #1 to 'get' (DissectorTable_get: no such dissector_table)

Any recommendations?

asked 07 Jul '15, 13:45

techplex

edited 07 Jul '15, 14:58

Guy Harris ♦♦


One Answer:


My recommendation is that you don't try to write it in Lua.

The types of "true" dissector tables in Wireshark either switch off of an integral value or a string value. DCE/RPC protocols must register using a UUID, and they require a bunch of individual operation dissectors to be registered, not just a single dissector.

So DCE/RPC dissectors (and ONC RPC dissectors) are quite different, when it comes to registration, from "regular" dissectors, and we don't have support for Lua DCE/RPC (or ONC RPC) dissectors, and are unlikely to have them in the near future (it'd be a significant amount of work).

The good news is that Samba has a DCE/RPC IDL (I think it's more like Microsoft's IDL than the OSF's IDL, although Microsoft's might have been at least influenced by OSF's) and a tool to generate Samba code and Wireshark dissectors from it. You should look at getting an IDL description of Extended MAPI, converting it to PIDL form, and using the PIDL tool to generate the dissector. The bad news is that you'll need to compile code; the good news is that you probably won't have to write most of that code - the PIDL tool should do that for you.

answered 07 Jul '15, 14:57

Guy Harris ♦♦

Sweet, sounds good. I think this is the IDL I need: https://msdn.microsoft.com/en-us/library/ee217991(v=exchg.80).aspx Do you think this is something that should be sent in as a patch? MAPI Extended is what Exchange/Outlook use today (if they aren't using MAPI/HTTP).

(07 Jul '15, 15:08) techplex

It's probably the right place to start, although you might have to modify it to make it a valid PIDL IDL file. See epan/dissectors/pidl for examples of PIDL files and the corresponding "conformance" files (the .cnf files).

If you get this working, please do submit it for inclusion in Wireshark. See the SubmittingPatches page for information on how to do so. If you have captures with which to test the page, file an enhancement request on the Wireshark Bugzilla for your new dissector, attach your captures to it, and, at the end of the commit message, put "Bug: {the bug number}", on a line by itself, after a blank line.

(07 Jul '15, 15:48) Guy Harris ♦♦
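As an added illustration of the registration model described in the answer above (this is example code, not code from the page or from Wireshark): a small Python model of connection-oriented DCE/RPC dissection, where a bind PDU selects an interface by UUID and major version, and each request is then dispatched by opnum to a per-operation handler. The interface UUID, PDU builders and handler table are constructed placeholders; only the NDR transfer syntax UUID is the real one.

```python
import struct
import uuid

# Constructed placeholder interface id, NOT a real Exchange/MAPI UUID.
EXAMPLE_IFACE = uuid.UUID("11111111-2222-3333-4444-555555555555")
NDR_XFER = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax

def co_header(ptype, body):
    # 16-byte connection-oriented header; drep 0x10 = little-endian, ASCII.
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\0\0\0",
                       16 + len(body), 0, 1) + body

def bind_pdu(iface, major, minor, ctx_id=0):
    ctx = (struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le + struct.pack("<HH", major, minor)
           + NDR_XFER.bytes_le + struct.pack("<HH", 2, 0))
    return co_header(11, struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0) + ctx)

def request_pdu(opnum, stub, ctx_id=0):
    return co_header(0, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub)

def parse_header(buf):
    vers, _, ptype, _, drep, frag_len, _, _ = struct.unpack_from("<BBBB4sHHI", buf, 0)
    if vers != 5 or frag_len > len(buf) or not drep[0] & 0x10:
        raise ValueError("not a little-endian DCE/RPC v5 PDU, or truncated")
    return ptype, buf[16:frag_len]

def dissect_bind(body, conn):
    # Record the (interface UUID, major version) bound to each context id.
    off = 12
    for _ in range(body[8]):
        ctx_id, n_xfer = struct.unpack_from("<HB", body, off)
        iface = uuid.UUID(bytes_le=body[off + 4:off + 20])
        conn[ctx_id] = (iface, struct.unpack_from("<H", body, off + 20)[0])
        off += 24 + 20 * n_xfer

def dissect_request(body, conn, registry):
    # Dispatch needs the bound interface AND the opnum (per-operation handlers).
    _, ctx_id, opnum = struct.unpack_from("<IHH", body, 0)
    ops = registry.get(conn.get(ctx_id), {})
    handler = ops.get(opnum)
    return handler(body[8:]) if handler else "unknown interface/opnum %d" % opnum

def dissect_stream(pdus, registry):
    conn, out = {}, []
    for pdu in pdus:
        ptype, body = parse_header(pdu)
        if ptype == 11:
            dissect_bind(body, conn)
        elif ptype == 0:
            out.append(dissect_request(body, conn, registry))
    return out
```

The registry keyed on (UUID, major version) with a nested opnum table is the shape a real DCE/RPC dissector has to provide, which is why a single entry in a string- or integer-keyed dissector table cannot express it.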