This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Getting UUID Name

0

I wonder how getting the UUID name works in Wireshark. I am working with the following pcap file:

https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=dcerpc_witness.pcapng

I debugged the code, and I think the responsible file is:

epan\dissectors\packet-dcerpc-epm.c

The responsible line is line 349:

uuid_name = guids_get_uuid_name(&uuid);

I checked Frame 223: Tower Pointer -> Floor 1 UUID: WITNESS -> UUID: WITNESS

I don't understand how line 349 found the name of the UUID as "WITNESS".

For example, let me change the name of this number "ccd8c074-d0e5-4a40-92b4-d074faa6ba28" from "WITNESS" to "SOMETHINGANOTHER" (it is completely an idea; I will not change anything about this UUID).

How can I do this?

asked 25 May '16, 03:47


BirolCapa
accept rate: 0%


One Answer:

1

guids_get_uuid_name is a macro (in epan/guid-utils.h) that calls guids_get_guid_name which is defined in epan/guid-utils.c.

That function attempts to look the guid up in the guid name cache built from the capture, and if that fails, on Windows only, attempts to locate the interface name in the registry.

answered 25 May '16, 04:30


grahamb ♦
accept rate: 22%

Thank you for the answer Graham.

How is "guid name cache" built?

Let's look at the file "epan\dissectors\packet-dcerpc-witness.c". As far as I understand, the "dcerpc_init_uuid(...)" function adds the name of the UUID to the guid name cache by using the "proto_dcerpc_witness" parameter. Am I right?

(25 May '16, 04:45) BirolCapa
1

I think so; it's the call to guids_add_uuid, which is a macro that calls guids_add_guid.

(25 May '16, 05:31) grahamb ♦
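The two steps described in the answer and the follow-up comments (a dissector registers its interface UUID and name into a cache at init time, and the EPM dissector later looks a floor UUID up in that cache) can be shown with a small self-contained model. The C below is an added example, not Wireshark's own code: the demo_ names and the fixed-size array cache are hypothetical stand-ins for guids_add_guid / guids_get_guid_name, the demo_guid_t layout is assumed, the "Unknown UUID: ..." fallback string only imitates the style of Wireshark's output, duplicate handling (first registration wins) is this demo's own choice, and the Windows-only registry fallback mentioned in the answer is not modelled. The WITNESS UUID value is the one quoted in the question.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of a DCE/RPC UUID (a stand-in for Wireshark's e_guid_t). */
typedef struct {
    uint32_t data1;
    uint16_t data2;
    uint16_t data3;
    uint8_t  data4[8];
} demo_guid_t;

/* Parse the textual form "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx".
 * Returns 1 on success, 0 if the string is not exactly that shape. */
int demo_parse_uuid(const char *s, demo_guid_t *g) {
    unsigned int d1, d2, d3, b[8];
    int consumed = 0;
    if (strlen(s) != 36) return 0;
    if (sscanf(s, "%8x-%4x-%4x-%2x%2x-%2x%2x%2x%2x%2x%2x%n",
               &d1, &d2, &d3, &b[0], &b[1], &b[2], &b[3],
               &b[4], &b[5], &b[6], &b[7], &consumed) != 11 || consumed != 36)
        return 0;
    g->data1 = d1;
    g->data2 = (uint16_t)d2;
    g->data3 = (uint16_t)d3;
    for (int i = 0; i < 8; i++) g->data4[i] = (uint8_t)b[i];
    return 1;
}

/* The "guid name cache": a hypothetical fixed-size table of (UUID, name). */
#define DEMO_CACHE_MAX 64
typedef struct { demo_guid_t guid; const char *name; } demo_entry_t;
static demo_entry_t demo_cache[DEMO_CACHE_MAX];
static size_t demo_cache_len = 0;

void demo_cache_reset(void) { demo_cache_len = 0; }

static int demo_guid_equal(const demo_guid_t *a, const demo_guid_t *b) {
    return a->data1 == b->data1 && a->data2 == b->data2 && a->data3 == b->data3 &&
           memcmp(a->data4, b->data4, sizeof a->data4) == 0;
}

/* Registration step (what a dissector's init does, cf. guids_add_guid).
 * Returns 1 if the entry was added, 0 if the table is full or the UUID is
 * already registered; this demo keeps the first registration. */
int demo_guids_add_guid(const demo_guid_t *g, const char *name) {
    if (demo_cache_len >= DEMO_CACHE_MAX) return 0;
    for (size_t i = 0; i < demo_cache_len; i++)
        if (demo_guid_equal(&demo_cache[i].guid, g)) return 0;
    demo_cache[demo_cache_len].guid = *g;
    demo_cache[demo_cache_len].name = name;
    demo_cache_len++;
    return 1;
}

/* Lookup step (what the EPM dissector does per floor UUID, cf. guids_get_guid_name).
 * Returns the registered name or NULL when the UUID is unknown. */
const char *demo_guids_get_guid_name(const demo_guid_t *g) {
    for (size_t i = 0; i < demo_cache_len; i++)
        if (demo_guid_equal(&demo_cache[i].guid, g)) return demo_cache[i].name;
    return NULL;
}

/* Resolve a UUID string to a display name, falling back to an
 * "Unknown UUID: ..." string written into buf (style only imitates Wireshark). */
const char *demo_resolve(const char *uuid_str, char *buf, size_t buflen) {
    demo_guid_t g;
    if (!demo_parse_uuid(uuid_str, &g)) {
        snprintf(buf, buflen, "invalid UUID: %s", uuid_str);
        return buf;
    }
    const char *name = demo_guids_get_guid_name(&g);
    if (name) return name;
    snprintf(buf, buflen, "Unknown UUID: %s", uuid_str);
    return buf;
}

/* Model of the witness dissector's init: register the WITNESS interface.
 * Returns the result of a second, conflicting registration (0: ignored). */
int demo_setup(void) {
    demo_guid_t g;
    demo_parse_uuid("ccd8c074-d0e5-4a40-92b4-d074faa6ba28", &g);
    demo_guids_add_guid(&g, "WITNESS");
    return demo_guids_add_guid(&g, "SOMETHINGANOTHER");
}

int main(void) {
    char buf[80];
    demo_setup();
    printf("%s\n", demo_resolve("ccd8c074-d0e5-4a40-92b4-d074faa6ba28", buf, sizeof buf));
    printf("%s\n", demo_resolve("00000000-0000-0000-0000-000000000000", buf, sizeof buf));
    return 0;
}
```

The point the model makes is that the name printed for a floor UUID is whatever string the owning dissector handed to the cache at registration; the lookup itself carries no knowledge of "WITNESS". Renaming the interface in the displayed tree would therefore mean changing the string registered by that dissector, not anything in the EPM lookup code.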