
[Wireshark-dev] packet-rpc.c failing find rpc_call info when the capture file is

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Sun, 25 Apr 2021 18:59:13 -0700
Hi folks,

I have run across an interesting issue.

I took a capture using -C and -W to get some 30 or more capture files
with 30M each.

I then merged several of them towards the end to give me a 95MB
capture file. When I look at it I can see each response found and
matched to the previous request.

However, when I merged more of them to give me an approximately 700MB
capture file, the responses to quite a few are not dissected and show
up as RPC continuations.

Using some debugging I have tracked it down to the following statement
not finding the correct conversation, it seems:

conversation = find_conversation_for_reply(pinfo);

Here is the logging I have added in the case that it works:

------------------------
xid = 0xd4e94d56 frame=146941   # This is for the request
Checking if we have a conv=0x7fbf96ae60c0 for XID=0xd4e94d56 frame=146941
Did we have an rpc_conv_info 0x7fbf96ae8750 for 0xd4e94d56 frame 146941
Did we find the call (nil) for 0xd4e94d56 for frame 146941
Storing 0x7fbf92184470 for 0xd4e94d56 for frame 146941
The XID=0xd4e94d56 for frame=146951  # This is for the reply
Found a conversation=0x7fbf96ae60c0 for XID=d4e94d56 frame=146951
Found rpc_conv_info=0x7fbf96ae8750 for XID=d4e94d56 frame=146951
Found rpc_call=0x7fbf92184470 for XID=d4e94d56 frame=146951
xid = 0xd4e94d56 frame=146951
-------------------------

Notice that we found the same conversation in the case of both the
request and the response. (I am logging when I see a specific XID.)

Here is what I see in the case of the larger merged capture file:

--------------------------
xid = 0xd4e94d56 frame=524451  # This is for the request
Checking if we have a conv=0x7f20b1022ce0 for XID=0xd4e94d56 frame=524451
Did we have an rpc_conv_info 0x7f20b1025500 for 0xd4e94d56 frame 524451
Did we find the call (nil) for 0xd4e94d56 for frame 524451
Storing 0x7f20ac71a4a0 for 0xd4e94d56 for frame 524451
The XID=0xd4e94d56 for frame=524461  # This is for the reply
Found a conversation=0x7f20bf051460 for XID=d4e94d56 frame=524461
Found rpc_conv_info=0x7f20bf052ce0 for XID=d4e94d56 frame=524461
------------------------------------

Notice there that in the second case it seems we found a different
conversation for the reply ...

I am trying to figure out why we did not find the correct conversation
with the large capture file.

If anyone has ideas I would be interested in hearing from you.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. -- Cao Cao) (Legend has it that Du Kang was the inventor of wine)
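A small checker, added here as an example and not part of Richard's mail or of Wireshark itself, that pairs the request and reply lines of the debugging output above by XID and reports replies whose conversation pointer differs from the one stored for the request, so the comparison Richard did by eye for one XID can be run over a whole log. The sample log is constructed from the two excerpts in the mail; the function name is my own.

```python
import re

# Constructed sample: the relevant lines of the two excerpts from the mail.
# The first XID resolves to the same conversation for request and reply,
# the second (from the large merged capture) does not.
SAMPLE_LOG = """\
Checking if we have a conv=0x7fbf96ae60c0 for XID=0xd4e94d56 frame=146941
Storing 0x7fbf92184470 for 0xd4e94d56 for frame 146941
Found a conversation=0x7fbf96ae60c0 for XID=d4e94d56 frame=146951
Found rpc_call=0x7fbf92184470 for XID=d4e94d56 frame=146951
Checking if we have a conv=0x7f20b1022ce0 for XID=0xd4e94d56 frame=524451
Storing 0x7f20ac71a4a0 for 0xd4e94d56 for frame 524451
Found a conversation=0x7f20bf051460 for XID=d4e94d56 frame=524461
"""

# Request lines print the XID with a 0x prefix, reply lines without it,
# so the prefix is optional and the hex digits are compared as-is.
REQ_RE = re.compile(r"Checking if we have a conv=(0x[0-9a-f]+) for XID=(?:0x)?([0-9a-f]+) frame=(\d+)")
REP_RE = re.compile(r"Found a conversation=(0x[0-9a-f]+) for XID=(?:0x)?([0-9a-f]+) frame=(\d+)")


def find_conversation_mismatches(log_text):
    """Pair each reply with the most recent request carrying the same XID and
    return the replies whose conversation pointer differs from the request's."""
    last_request = {}  # xid -> (request frame, conversation pointer)
    mismatches = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            conv, xid, frame = m.groups()
            last_request[xid] = (int(frame), conv)  # XIDs get reused: keep the latest
            continue
        m = REP_RE.search(line)
        if m:
            conv, xid, frame = m.groups()
            if xid not in last_request:
                continue  # reply with no logged request: nothing to compare against
            req_frame, req_conv = last_request[xid]
            if req_conv != conv:
                mismatches.append({
                    "xid": xid, "request_frame": req_frame, "request_conv": req_conv,
                    "reply_frame": int(frame), "reply_conv": conv,
                })
    return mismatches


if __name__ == "__main__":
    for mm in find_conversation_mismatches(SAMPLE_LOG):
        print(mm)
```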