> If a trace has a mixture of NetBIOS name lookup and DNS lookups, esp from
> Win9X machines, the DNS lookup requests will be dissected as NetBIOS name
> requests.
>
> This is because Win9X is stupid enough to send the requests from port 137.
>
> However, Ethereal gets the responses correct!
>
> Since Win9X uses ports below 1024 for both the source and destination,
this
> seems like a problem.
>
> The problem seems to be caused because dissect_udp tries to find a
> dissector based on the source port first, and then the destination port,
> and NetBIOS name requests look like DNS requests, except the format of
> names are slightly different.
I have seen this. The problem is exactly as you described it. Now how do
we
get around it:
1) Change DNS and WINS to heuristic dissectors.
2) Change the table dissector lookups and have all dissectors return true
if they dissect the conversation, otherwise return false. Then
dissector_try_port would find the dissector based upon the destination
port if the source port fails. Of course dissect_nbns would return false
for
packets that didn't go from port 137 to port 137.
3) Change conversation code to allow a wildcard host on both source and
destination. Then create a conversation between source and destination
ports 137 with set the dissector to dissect_nbns and remove the UDP port
registration for dissect_nbns. This conversation would be create in the
init_all_protocols routine, or somewhere around there.
4) Have DNS register it's dissector on both ports (53&137) and call
dissect_nbns if the traffic isn't to port 53.
5) Have WINS register it's dissector on both ports (53&137) and call
dissect_dns if the traffic isn't from port 137 to port 137.
I think option 4 is the best.
Jeff Foster.
jfoste@xxxxxxxxxxxx