Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 2125] DCE RPC fragments are reassembled wrongly

Date: Mon, 14 Jan 2008 14:44:22 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2125





------- Comment #3 from yamisoe@xxxxxxxxx  2008-01-14 14:44 GMT -------
I've analyzed this bug for both SVN Rev 22276, and SVN Rev 24088, and the later
one is the latest version.

For SVN Rev 22276, dissect_read_andx_response() does not set fid properly, but
this has been fixed in latest version.

However, the real problem is we only use source ip, destination ip, and 'id' as
the fragment key for DCE RPC, which is , I think, not enough.

(See the tcpdump I uploaded)
Packet 187, 185, 193 are reassembled together, but packet 187's destination
port is 33630, while the other two's is 33626. 

But I don't know if it is good to just modify reassemble.c :: struct
_fragment_key, or add one more fragment key definition. Therefore, I decide not
to give a patch here.


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.