Ethereal-dev: Re: [Ethereal-dev] Dissection of file data in Write AndX Request message

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 3 Dec 2002 23:30:29 -0800

On Wed, Dec 04, 2002 at 03:06:28PM +1100, Tim Potter wrote:
> I'd have to look in Luke's book to make sure though.

Look at the top of page 37, in particular:

	... A client can issue an SMBwriteX call to transfer:

	   o A DCE/RPC PDU request fragment that is larger than an
	     SMBtrans request can contain.

	   o Continuation of Bind/Bind Acknowledge Security Negotiation
	     where a response back is not expected, known as an AUTH3
	     PDU.  In three-way Authentication Negotiation, the Client
	     sends a Bind Request PDU; the Server sends a Bind
	     Acknowledge PDU; and the Client sends an AUTH3 PDU.

Earlier Luke says that the advantage of a Transaction request is that
the reply can contain data so that you can send the DCE/RPC reply in the
Transaction reply; however, an AUTH3 has no reply, so there's no
advantage to sending it in a Transaction request.

I forget whether any of the captures in which I've seen AUTH3's have it
in a DCE RPC-over-SMB session and, if so, whether any of them send the
AUTH3 in a Transaction request.

(BTW, should we remove the question mark from the "AUTH3" in the DCE RPC
dissector?  That is, I think, what Network Monitor calls that PDU.)
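
Added example, not part of the message above and not code from Ethereal's DCE RPC dissector: a sketch that reads the connection-oriented DCE/RPC common header and reports, for each PDU of the Bind / Bind Acknowledge / AUTH3 exchange, whether its sender needs a PDU carried back, which is the property that decides whether a Transaction request offers any advantage. The function names are hypothetical and the sample PDUs are constructed with zero-filled bodies.

```python
import struct

# Connection-oriented DCE/RPC PDU types (ptype byte of the common header).
PTYPES = {0: "request", 2: "response", 3: "fault", 11: "bind",
          12: "bind_ack", 13: "bind_nak", 14: "alter_context",
          15: "alter_context_resp", 16: "auth3"}
# Client PDUs that the server answers. auth3 is absent on purpose: it is the
# third leg of the bind and nothing comes back for it.
ANSWERED = {"request", "bind", "alter_context"}
PFC_MAYBE = 0x40  # "maybe" call semantics: a request with no response


def parse_common_header(buf):
    """Parse the 16-byte common header; raise ValueError on malformed input."""
    if len(buf) < 16:
        raise ValueError("truncated DCE/RPC header")
    vers, vers_minor, ptype, flags = struct.unpack_from("4B", buf, 0)
    if vers != 5:
        raise ValueError("not a connection-oriented DCE/RPC PDU")
    # High nibble of the first data-representation byte: 1 means little-endian.
    order = "<" if buf[4] >> 4 == 1 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(order + "HHI", buf, 8)
    if frag_len < 16 or auth_len > frag_len - 16:
        raise ValueError("inconsistent frag_length/auth_length")
    return {"ptype": PTYPES.get(ptype, "unknown(%d)" % ptype), "flags": flags,
            "frag_len": frag_len, "auth_len": auth_len, "call_id": call_id}


def reply_expected(buf):
    """True if the sender of this PDU needs a PDU carried back to it."""
    hdr = parse_common_header(buf)
    if hdr["ptype"] == "request" and hdr["flags"] & PFC_MAYBE:
        return False
    return hdr["ptype"] in ANSWERED


def build_pdu(ptype, call_id, body=b""):
    """Constructed sample PDU: little-endian, first+last fragment, no auth."""
    return struct.pack("<4B4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                       16 + len(body), 0, call_id) + body


def three_way_bind():
    """Walk the Bind / Bind Acknowledge / AUTH3 exchange from the message."""
    pdus = [build_pdu(11, 1, b"\0" * 56), build_pdu(12, 1, b"\0" * 52),
            build_pdu(16, 1, b"\0" * 12)]
    return [(parse_common_header(p)["ptype"], reply_expected(p)) for p in pdus]
```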