
Wireshark-bugs: [Wireshark-bugs] [Bug 3315] Segments of reassembled PDU's not saved when saving

Date: Sat, 30 May 2009 20:27:29 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3315


yami <yamisoe@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |yamisoe@xxxxxxxxx




--- Comment #6 from yami <yamisoe@xxxxxxxxx>  2009-05-30 20:27:21 PDT ---
(In reply to comment #3)
ils). 
> 
> Since the filter 'dnp3' will only show the frames with the reassembled data,
> saving only the displayed packets, so it will not save frame 135. However, in
> the new file, the original frame 137 can not be detected as dnp3, as the first
> part of the dnp3 data is missing. This is a result of how wireshark filters and
> re-assembles.

I once implemented a prototype to save all frames for a reassembled packet. At
that time, I wanted to deal with DCE RPC packets. But I cannot find the code any
more. However, some tips are:

1. We need to remember which frames a reassembled packet contains, including
indirect ones. For example, a reassembled DCE RPC PDU may contain several SMB
packets, and an SMB packet may contain several frames.


2. This issue cannot solve all issues with saving displayed packets. For
example, after saving some displayed reassembled DCE RPC packets and reopening
it, the user wants to see those DCE RPC packets as before, but only finds the
reassembled TCP and SMB packets. This is because, after saving, the tree
connection info was lost, so Wireshark does not think they are DCE RPC PDUs.


Realizing the effect of saving displayed packets (the 2nd item), I decided not
to use the feature (i.e. saving displayed packets) any more.


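Item 1 of the comment above amounts to a transitive closure over reassembly dependencies. The sketch below is an added example, not Wireshark code and not the commenter's prototype; the `depends_on` map and all frame numbers other than 135 and 137 are constructed, modelled on the dnp3 case quoted above and on DCE RPC carried over SMB over TCP.

```python
from collections import deque


def frames_to_save(displayed, depends_on):
    """Return the sorted frame numbers that must be written so that every
    displayed frame can be reassembled again when the file is reopened.

    depends_on maps a frame number to the frames whose data was used to
    reassemble a PDU completed in that frame, one protocol layer at a time.
    Indirect dependencies are found by following the map repeatedly.
    """
    needed = set()
    queue = deque(displayed)
    while queue:
        frame = queue.popleft()
        if frame in needed:
            continue  # already visited; also protects against cycles
        needed.add(frame)
        queue.extend(depends_on.get(frame, ()))
    return sorted(needed)


def missing_from_naive_save(displayed, depends_on):
    """Frames a plain 'save displayed packets' would drop but reassembly needs."""
    return sorted(set(frames_to_save(displayed, depends_on)) - set(displayed))


# Constructed sample dependency map (hypothetical capture).
DEPENDS_ON = {
    137: [135],        # dnp3 PDU shown in 137 starts in frame 135
    210: [204, 207],   # DCE RPC PDU in 210 built from SMB PDUs ending in 204, 207
    204: [201, 202],   # SMB PDU ending in 204 spans TCP segments 201 and 202
    207: [205],        # SMB PDU ending in 207 starts in frame 205
}

if __name__ == "__main__":
    shown = [137, 210]  # frames matching the display filter
    print("write:", frames_to_save(shown, DEPENDS_ON))
    print("dropped by naive save:", missing_from_naive_save(shown, DEPENDS_ON))
```

The closure covers reassembly dependencies only; conversation state such as the SMB tree connection in item 2 is not part of it.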