I'm trying to write a dissector to decode "MAPI Extended" over DCE/RPC.
From my reading I believe that I need to register my dissector with the "dcerpc" DissectorTable.
I found in the dcerpc code a comment reading "XXX - DCE/RPC doesn't have a true (sub)dissector table, so provide a "fake" one to fit the Decode As algorithm". This leads me to believe that I register my dissector like this:
However when launching tshark or wireshark I get the error:
asked 07 Jul '15, 13:45
edited 07 Jul '15, 14:58
Guy Harris ♦♦
My recommendation is that you don't try to write it in Lua.
The types of "true" dissector tables in Wireshark either switch off of an integral value or a string value. DCE/RPC protocols must register using a UUID, and they require a bunch of individual operation dissectors to be registered, not just a single dissector.
So DCE/RPC dissectors (and ONC RPC dissectors) are quite different, when it comes to registration, from "regular" dissectors, and we don't have support for Lua DCE/RPC (or ONC RPC) dissectors, and are unlikely to have them in the near future (it'd be a significant amount of work).
The good news is that Samba has a DCE/RPC IDL (I think it's more like Microsoft's IDL than the OSF's IDL, although Microsoft's might have been at least influenced by OSF's) and a tool to generate Samba code and Wireshark dissectors from it. You should look at getting an IDL description of Extended MAPI, converting it to PIDL form, and using the PIDL tool to generate the dissector. The bad news is that you'll need to compile code; the good news is that you probably won't have to write most of that code - the PIDL tool should do that for you.
answered 07 Jul '15, 14:57
Guy Harris ♦♦
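To make the registration difference concrete, here is an added sketch (not from the question, the answer, or Samba itself) of what a minimal PIDL-style interface definition looks like before it is fed to the PIDL tool to generate a Wireshark dissector. The interface name, the UUID, the version and the two operations are placeholders; the real Extended MAPI interface would need its actual UUID, version and operation list from an IDL description.

```idl
/* Added illustration: a PIDL-style IDL fragment for a DCE/RPC interface.
 * Everything below (name, UUID, version, operations) is a placeholder.
 * A DCE/RPC interface is identified by UUID + version, and each operation
 * number (opnum) gets its own request/response dissector, which is why a
 * single Lua dissector cannot be dropped into a "dcerpc" dissector table. */
[
  uuid("00000000-0000-0000-0000-000000000000"),  /* placeholder UUID */
  version(1.0),                                   /* placeholder version */
  pointer_default(unique),
  helpstring("Placeholder DCE/RPC interface")
]
interface placeholder_mapi
{
  /* opnum 0: placeholder operation, one input value, one output value */
  NTSTATUS placeholder_Connect(
    [in]  uint32  flags,
    [out] uint32 *session_handle
  );

  /* opnum 1: placeholder operation with a blob in each direction */
  NTSTATUS placeholder_Request(
    [in]  uint32          session_handle,
    [in]  DATA_BLOB       request,
    [out] DATA_BLOB      *response
  );
}
```

Running the Samba PIDL tool with its Wireshark parser option (`--ws-parser`) over such a file produces the C dissector source, which then has to be compiled into Wireshark as the answer describes.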