I'm trying to write a dissector to decode "MAPI Extended" over DCE/RPC. From my reading I believe that I need to register my dissector with the "dcerpc" DissectorTable. I found in the dcerpc code a comment reading "XXX - DCE/RPC doesn't have a true (sub)dissector table, so provide a "fake" one to fit the Decode As algorithm". This leads me to believe that I register my dissector like this:
However when launching tshark or wireshark I get the error:
Any recommendations? asked 07 Jul '15, 13:45 techplex; edited 07 Jul '15, 14:58 Guy Harris ♦♦
One Answer:
My recommendation is that you don't try to write it in Lua. The types of "true" dissector tables in Wireshark either switch off of an integral value or a string value. DCE/RPC protocols must register using a UUID, and they require a bunch of individual operation dissectors to be registered, not just a single dissector. So DCE/RPC dissectors (and ONC RPC dissectors) are quite different, when it comes to registration, from "regular" dissectors, and we don't have support for Lua DCE/RPC (or ONC RPC) dissectors, and are unlikely to have them in the near future (it'd be a significant amount of work). The good news is that Samba has a DCE/RPC IDL (I think it's more like Microsoft's IDL than the OSF's IDL, although Microsoft's might have been at least influenced by OSF's) and a tool to generate Samba code and Wireshark dissectors from it. You should look at getting an IDL description of Extended MAPI, converting it to PIDL form, and using the PIDL tool to generate the dissector. The bad news is that you'll need to compile code; the good news is that you probably won't have to write most of that code - the PIDL tool should do that for you. answered 07 Jul '15, 14:57 Guy Harris ♦♦
Sweet, sounds good. I think this is the IDL I need: https://msdn.microsoft.com/en-us/library/ee217991(v=exchg.80).aspx Do you think this is something that should be sent in as a patch? MAPI Extended is what Exchange/Outlook use today (if they aren't using MAPI/HTTP).
It's probably the right place to start, although you might have to modify it to make it a valid PIDL IDL file. See epan/dissectors/pidl for examples of PIDL files and the corresponding "conformance" files (the .cnf files).
If you get this working, please do submit it for inclusion in Wireshark. See the SubmittingPatches page for information on how to do so. If you have captures with which to test the page, file an enhancement request on the Wireshark Bugzilla for your new dissector, attach your captures to it, and, at the end of the commit message, put "Bug: {the bug number}", on a line by itself, after a blank line.
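The registration model the answer describes, as an added example in Python that is not part of the original thread or of Wireshark: a DCE/RPC interface is selected by the UUID and version negotiated in the bind PDU, and each request is then dispatched by opnum, which is why a table keyed on a single integer or string (and a single Lua dissector) cannot model it. The interface UUID and operation names below are constructed placeholders, not the real Extended MAPI values; the parser assumes little-endian data representation.

```python
import struct
import uuid

# Constructed placeholder interface (NOT the real Extended MAPI UUID) and its opnum table:
# a DCE/RPC dissector registers keyed on (UUID, major version), then one handler per opnum.
IFACE = uuid.UUID("12345678-1234-1234-1234-123456789abc")
INTERFACES = {(IFACE, 1): {0: "OpConnect", 1: "OpDisconnect", 2: "OpRpc"}}
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard NDR transfer syntax, v2

def parse_common(pdu):
    """Parse the 16-byte connection-oriented common header; requires little-endian drep."""
    vers, _, ptype, flags, drep, frag_len, _, call_id = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if vers != 5 or not drep[0] & 0x10:
        raise ValueError("expected DCE/RPC v5 PDU with little-endian data representation")
    return ptype, flags, frag_len, call_id

def parse_bind(pdu):
    """Map each presentation context id in a bind (ptype 11) to (interface uuid, major, minor)."""
    if parse_common(pdu)[0] != 11:
        raise ValueError("not a bind PDU")
    contexts, off = {}, 28  # context list follows max_xmit/max_recv/assoc_group/n_ctx+padding
    for _ in range(pdu[24]):
        ctx_id, n_xfer = struct.unpack_from("<HB", pdu, off)
        abstract = uuid.UUID(bytes_le=pdu[off + 4:off + 20])  # abstract syntax: UUID + u32 version
        version, = struct.unpack_from("<I", pdu, off + 20)
        contexts[ctx_id] = (abstract, version & 0xFFFF, version >> 16)
        off += 24 + 20 * n_xfer  # skip the transfer syntax list
    return contexts

def dispatch_request(pdu, contexts):
    """Resolve a request (ptype 0) to (interface uuid, opnum, operation name) via its bound context."""
    if parse_common(pdu)[0] != 0:
        raise ValueError("not a request PDU")
    _, ctx_id, opnum = struct.unpack_from("<IHH", pdu, 16)  # alloc_hint, p_cont_id, opnum
    iface, major, _ = contexts[ctx_id]
    ops = INTERFACES.get((iface, major))
    return iface, opnum, ("unregistered interface" if ops is None else ops.get(opnum, "unknown opnum"))

def _header(ptype, body_len, call_id):
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00", 16 + body_len, 0, call_id)

def build_bind(iface, major, minor, ctx_id=0):
    """Constructed bind PDU offering one context: iface version major.minor over NDR."""
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)
    body += struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le + struct.pack("<I", major | minor << 16)
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    return _header(11, len(body), 1) + body

def build_request(opnum, ctx_id=0, stub=b""):
    """Constructed request PDU carrying opnum and stub data on the given context."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return _header(0, len(body), 2) + body
```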