Wireshark · Ethereal-dev: Re: [Ethereal-dev] Dissection of file data in Write AndX Request message

["Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>]

----- Original Message -----
From: "Guy Harris"
Sent: Wednesday, December 04, 2002 3:01 PM
Subject: Re: [Ethereal-dev] Dissection of file data in Write AndX Request
message


> On Tue, Dec 03, 2002 at 10:47:35PM -0500, dheitmueller wrote:
> > Is there any way to get Ethereal to interpret the "file data" field as
> > DCE/RPC?
>
> Yes.
>
> Fix the bug that's causing it not to realize that the write is to a pipe
> over which DCE RPC stuff is being done. :-)
>
> See the "is this part of DCERPC over SMB reassembly?" code in
> "dissect_write_andx_request()"; it appears that the hash table lookup in
> the "si->ct->dcerpc_fid_to_frame" table isn't finding anything.
>
> I *suspect* the problem is that it's expecting the first part of a DCE
> RPC-over-SMB call to be in an Transaction SMB; however, in this case we
> have:

I need to look at the source but I think ethereal can dissect SMBWriteAndX
as DCERPC even if it is not
part of something that starts with a Transaction.
However, I think i remember something like it will ONLY consider the data in
Read/Write as part
of DCERPC PDUs if and only if the TID was mounted with a TreeConnect for
type IPC.

If the TreeConnect can not be seen in the capture, ethereal fails to decode
it as DCERPC.


Perhaps the heuristics used to consider the data in Read/Write as DCERPC to
loosen this
requirement and set up something similar when it sees DCERPC in Transaction
calls
the same way as if it has seen the previous TreeConnect call.


I can look into it but not until the weekend.
If someone else wants to fix this ethereal bug, please go ahead.