Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: [Wireshark-users] RPC/NFS reassembly across frames

From: "Scheffenegger, Richard" <rs@xxxxxxxxxx>
Date: Thu, 20 Oct 2011 09:33:33 +0100
Hi,

 

I have got a trace of a dNFS (Oracle) exchange using Jumbo Frames. In
it, there are 5 consecutive jumbo tcp frames, each obviously containing
around 60 or 61 RPC/NFS requests (~148 bytes/call) stacked back-to-back.
However, Wireshare 1.7.0-SVN 39487 would only decode the initial Frame,
despite having enabled

 

TCP: Allow subdissector to reassemble TCP streams

RPC: Reassemble RPC over TCP messages spanning multiple TCP segments

         Reassemble fragmented RPC-over-TCP messages

         Attempt to locate start-of-fragement in partial RPC-over-TCP
captures

 

A small number of subsequent segments are disassembled only as "RPC -
Continuation data".

 

This is then followed by "TCP segment of a reassembled PDU", but the
actual RPC/NFS contents are not decoded in the trace by wireshark.

 

I suspect that this is because there is no delineation of RPC calls with
TCP segment boundaries when running dNFS, and perhaps the reassembly
buffer is overflowing?

 

Please let me know if you'd like to poke in the traces to address this!

 

Thanks,

 

Richard Scheffenegger




<<winmail.dat>>