About

There is a WIP dissector for the Windows Search Protocol from Gregor Beck. I have used it; it's nice, but it is missing some things I need. I have no idea about Wireshark dissectors, so I would like to hack on this and make it more useful to me.

GOAL

To learn about Wireshark in order to improve the dissector for the WSP protocol, which I am trying to learn about in some spare cycles.

Results

  1. First explored trying to use Samba's existing support in the pidl compiler to produce a dissector. The already existing IDL that I previously created for the WSP protocol didn't play well with the pidl dissector generation code. Looking at the code generated for simpler IDL constructs made me think that even if I managed to make it work, the results wouldn't be satisfying. Mainly, it seems to me that the pidl-generated code doesn't offer any separation between the presentation and the unmarshalling of the protocol data, and display of such 'raw' data in the dissector imho wouldn't be very useful (but perhaps this might itself make an interesting hackweek project).
  2. Secondly, wrote some hacky tooling to extract a further 181 property sets from the MSDN documentation, thus increasing the property description coverage of the existing dissector by a further 290 or so descriptions.
  3. Thirdly, my main goal: this was to actually dissect the main results response message (CPMGetRows), which currently is not dissected at all.

[Figure (results pre hackweek): CPMGetRows message response before hackweek]

[Figure (results post hackweek): CPMGetRows message response after hackweek]

  4. Fourthly, found and fixed a bug where the existing dissector fails to process SMB2 Read Responses and Write Requests, which can carry WSP messages.

[Figure: request containing ignored WSP messages before hackweek]

[Figure: request containing WSP messages now handled after hackweek]

Conclusion

Great to have the opportunity to hack on something for fun, learn about the innards of something you use, and beat it into being more useful for your own (and hopefully others') purposes.

Patches are available from my repo.


This project is part of:

Hack Week 11

Activity

  • almost 5 years ago: dmdiss liked Wireshark hacking
  • almost 5 years ago: npower originated Wireshark hacking