Ask Your Question
0

MAPI dissector - extend or create?

asked 2022-04-06 06:36:59 +0000

D157 gravatar image

The MAPI dissector asserts "Exchange 5.5 EMSMDB". Exchange 5.5 was the Win NT 4.0 version, but somewhere in there is a reference to Exchange 2003, and the the dissector is dated 2006 ~ 2007.

But it's not working well with my copy of Win10, and doesn't seem to match the MS MAPI documentation. In particular "static dcerpc_sub_dissector mapi_dissectors[] " only maps opnums from 0 to 9 --- most of which are depreciated -- and doesn't include 10, 11 and 14, which were the opnums used since whenever (MAPI 2 ~ MAPI 23, as documented in MS-OXCRPC 3.14).

It seems to me that the existing MAPI dissector could be extended a bit without breaking anything, but would that be a wrong approach?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-04-06 07:55:34 +0000

grahamb gravatar image

Firstly a rant, not aimed at the OP but generally for all, this site is maintained by volunteers that help by keeping it tidy and hopefully providing useful answers. The site also relies on those posting questions to help out by accepting answers to questions as this indicates to others that may have the same question an answer was helpful. Unfortunately many of those posting questions fail to help out in this way and then go on to seek further help from the volunteers.

As noted in my answer to your previous question the MAPI dissector is generated from the MAPI IDL file using PIDL. To update the dissector, a newer IDL file will be required and that may also require changes\additions to the MAPI cnf file and that will then allow a new dissector to be generated.

Note the current IDL file came from the OpenChange project, an open source replacement for Exchange which doesn't appear to have been updated for some time.

Of course, feel free to modify the generated dissector by hand in your local build but that won't be acceptable for inclusion back into the main project, as a generated dissector from an authoritative source is much preferred.

edit flag offensive delete link more

Comments

Well, I'm glad that I was able to give you an opportunity to get that off your chest, and pleased that it wasn't relevant to this question, since I had already accepted the answer, at the same time cleaning up several repeat postings, which the system had saved up and posted when it let me login -- either there is some undocumented password restriction or the system is having problems with logins. The upvote and acceptance seems to have gone to same place. Maybe I didn't have enough points to accept an answer? -- perhaps it too will re-appear later. Anyway, back to the question:

Are you saying that a change to the idl will be unwelcome? And that new idls will be similarly unwelcome? Because I am not a defunct software organization? If so, I won't get bent out of shape, it's good to have that ...(more)

D157 gravatar imageD157 ( 2022-04-06 11:13:08 +0000 )edit

What I meant was that hand-coded changes to the dissector (mapi.c) would be difficult to accept as any "regeneration" of the dissector from the IDL would overwrite those changes.

The options to improve MAPI dissection are:

  1. Obtain a more up to date IDL file, ideally from Microsoft if the license permits it, and use that, possibly with a new cnf file, to generate a new dissector.
  2. Replace the existing dissector with an entirely new hand-coded MAPI dissector. Apart from being a big task, there might be some reluctance to accept this into the project as a hand-coded dissector can require much more maintenance and may not be as "accurate" as a generated one.

The aim with all dissector updates is to improve things and if at all possible don't break existing functionality.

grahamb gravatar imagegrahamb ( 2022-04-06 11:39:17 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-04-06 06:36:59 +0000

Seen: 32 times

Last updated: Apr 06