
Wireshark-dev: [Wireshark-dev] Is there a try ... finally structure for handling exceptions in

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Sun, 10 Jun 2012 21:06:52 -0700
Hi,

I have a capture that contains an SMB NT TRANS SET SEC DESCRIPTOR request.

The SMB request is spread across multiple TCP segments (Ethernet
frames all), but because of heuristic dissector weirdness with respect
to NetBIOS PDUs, the segments are not reassembled. (However, in the
real world, we might not have captured some of the subsequent packets
anyway.)

This screws up the dissection of the SD because the self-relative SD
format has a series of pointers to the various portions (Owner SID,
Group SID, SACL and DACL), but the Owner SID and Group SID come last,
typically with the DACL being first.

Because it is logical to place the Owner SID and Group SID first in
the tree, these are dissected first, but will throw exceptions because
some or all of them are not available in this case. This causes the
whole SD to be undissected and it shows up as "Unreassembled Packet:
SMB" in the dissection.

What I would rather do is wrap the dissection of each of the Owner and
Group SIDs in a try ... finally block and insert messages about them
not being available so we can try to dissect more of the information
that is actually there (i.e., the DACL).

Of course, I will also investigate why the whole SMB request has not
been reassembled.

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
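The approach described in the message, dissecting each part of a self-relative security descriptor independently so that a truncated Owner or Group SID does not take the DACL down with it, as an added example that is not part of the original post and is not Wireshark code. It uses plain bounds checks instead of Wireshark's TRY/CATCH/ENDTRY exception macros, and does not use tvbuffs or proto trees; the header layout (Revision, Sbz1, Control, then the four offsets) and the minimum sizes of a SID and an ACL header are taken from the SECURITY_DESCRIPTOR, SID and ACL definitions in MS-DTYP. The sample bytes are constructed for the example: a 60-byte descriptor with the DACL first and the two SIDs last, of which only the first 32 bytes are "captured", which is exactly the situation the post describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Self-relative SECURITY_DESCRIPTOR header (MS-DTYP 2.4.6), little-endian:
 * Revision(1) Sbz1(1) Control(2) OffsetOwner(4) OffsetGroup(4) OffsetSacl(4) OffsetDacl(4) */
#define SD_HEADER_LEN  20u
#define SID_MIN_LEN     8u   /* Revision, SubAuthorityCount, 6-byte IdentifierAuthority */
#define ACL_HEADER_LEN  8u   /* AclRevision, Sbz1, AclSize(2), AceCount(2), Sbz2(2) */

enum sd_part { SD_OWNER = 0, SD_GROUP, SD_SACL, SD_DACL, SD_NPARTS };

static const char *sd_part_name[SD_NPARTS] = { "Owner SID", "Group SID", "SACL", "DACL" };

typedef struct {
    uint32_t offset;    /* offset from the start of the SD; 0 means the part is absent */
    uint32_t needed;    /* bytes the part claims to occupy, 0 if its length field was cut off */
    int      present;   /* offset is non-zero */
    int      available; /* the whole part lies inside the captured bytes */
} sd_part_info;

static uint32_t le16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (le16(p + 2) << 16); }

/* Examine each part on its own. Returns how many parts can be dissected from the
 * captured bytes, or -1 if even the 20-byte header is truncated. A missing Owner or
 * Group SID only marks that part unavailable; it never aborts the DACL. */
int parse_self_relative_sd(const uint8_t *buf, size_t captured, sd_part_info parts[SD_NPARTS])
{
    static const size_t offset_field[SD_NPARTS] = { 4, 8, 12, 16 };
    int usable = 0;

    memset(parts, 0, sizeof(sd_part_info) * SD_NPARTS);
    if (captured < SD_HEADER_LEN)
        return -1;

    for (int i = 0; i < SD_NPARTS; i++) {
        uint32_t off = le32(buf + offset_field[i]);
        int is_acl = (i == SD_SACL || i == SD_DACL);
        uint32_t fixed = is_acl ? ACL_HEADER_LEN : SID_MIN_LEN;

        parts[i].offset  = off;
        parts[i].present = (off != 0);
        if (!parts[i].present)
            continue;
        /* The fixed head of the part must be captured before its length can be read. */
        if (off > captured || captured - off < fixed)
            continue;

        if (is_acl)
            parts[i].needed = le16(buf + off + 2);              /* AclSize */
        else
            parts[i].needed = SID_MIN_LEN + 4u * buf[off + 1];  /* 4 bytes per SubAuthority */

        parts[i].available = (parts[i].needed >= fixed) && (captured - off >= parts[i].needed);
        if (parts[i].available)
            usable++;
    }
    return usable;
}

/* Emit one line per part, so the reader sees what was there and what was cut off. */
void report_sd(const sd_part_info parts[SD_NPARTS])
{
    for (int i = 0; i < SD_NPARTS; i++) {
        if (!parts[i].present)
            printf("%-9s: not present\n", sd_part_name[i]);
        else if (!parts[i].available)
            printf("%-9s: offset %u, not available (packet truncated or unreassembled)\n",
                   sd_part_name[i], parts[i].offset);
        else
            printf("%-9s: offset %u, %u bytes\n", sd_part_name[i], parts[i].offset, parts[i].needed);
    }
}

/* Constructed sample: DACL at 20, Owner SID at 28, Group SID at 44 (both S-1-5-32-544). */
static const uint8_t sample_sd[] = {
    0x01, 0x00, 0x04, 0x80,   /* Revision 1, Sbz1, Control = SE_DACL_PRESENT | SE_SELF_RELATIVE */
    0x1c, 0x00, 0x00, 0x00,   /* OffsetOwner = 28 */
    0x2c, 0x00, 0x00, 0x00,   /* OffsetGroup = 44 */
    0x00, 0x00, 0x00, 0x00,   /* OffsetSacl  = 0 (no SACL) */
    0x14, 0x00, 0x00, 0x00,   /* OffsetDacl  = 20 */
    0x02, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,   /* DACL: revision 2, AclSize 8, no ACEs */
    0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00,
    0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00,
};
#define SAMPLE_CAPTURED 32u   /* only the header, the DACL and 4 bytes of the Owner SID arrived */

int main(void)
{
    sd_part_info parts[SD_NPARTS];
    int usable = parse_self_relative_sd(sample_sd, SAMPLE_CAPTURED, parts);
    printf("%d of %d parts dissectable\n", usable, SD_NPARTS);
    report_sd(parts);
    return 0;
}
```

With the 32-byte truncated capture the DACL is still reported with its size, while the Owner and Group SIDs are flagged as not available; passing the full 60 bytes makes all three present parts available. In a real dissector the same per-part isolation is what a TRY/CATCH around each SID buys you, with the catch block adding the "not available" item to the tree instead of letting the exception unwind the whole descriptor.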