On Sat, Mar 17, 2001 at 07:37:47PM -0500, Todd Sabin wrote:
> Attached is a new dissector for msrpc. I suppose it could also be
> called dcerpc, but I use it with MS stuff all the time, so that's what
> I've called it for now. If you want to rename it, that's fine with
> me.
I've checked it in as a DCE RPC dissector, as "packet-dcerpc.c".
> I'm planning to add hand-offs to specific RPC protocols based on
> interface UUID and version. To do that in the TCP case, I'll need to
> keep track of what's happened earlier in a TCP stream. Am I right in
> thinking that's what the 'conversation' stuff I've seen is for?
The conversation stuff will help, as, for each packet, you'd try to see
if it belongs to an existing conversation and, if not, create a new
conversation, so you can determine to which TCP stream a packet belongs.
However, you'd still have to write your own code to actually keep track
of what happened in previous packets; the conversation code won't do
that for you.
See, for example, the ONC RPC code (packet-rpc.c), which uses the
conversation (TCP or UDP - or other protocol, were the ONC RPC dissector
to register itself as, say, a heuristic dissector atop the OSI transport
protocols) and the transaction ID (XID) as a key for requests and
responses, and which has its own hash table to let it find the request
to which a given reply corresponds (so it can find out the
program/version/procedure of the call - that information is in the call,
but not the reply, but it's needed in order to dissect the reply).
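
The request/reply matching described in the last paragraph, as an added example that is not part of the original message and is not the packet-rpc.c code: a table keyed on conversation plus XID that remembers each call's program/version/procedure so a later reply can be dissected. All names are hypothetical, and the conversation is assumed to be reduced to an integer ID.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical names throughout; this is not the packet-rpc.c code. */
#define CALL_BUCKETS 256

typedef struct rpc_call {
    uint32_t conv_id;           /* conversation the call was seen on (assumed integer ID) */
    uint32_t xid;               /* ONC RPC transaction ID from the call header */
    uint32_t prog, vers, proc;  /* present in the call, absent from the reply */
    struct rpc_call *next;      /* chain for entries that hash to the same bucket */
} rpc_call;

static rpc_call *call_table[CALL_BUCKETS];

static unsigned call_hash(uint32_t conv_id, uint32_t xid)
{
    return (conv_id * 2654435761u ^ xid) % CALL_BUCKETS;
}

/* Reply path: find the call recorded for this conversation and XID, or NULL
 * if the call was never seen (e.g. the capture started mid-stream). */
const rpc_call *call_lookup(uint32_t conv_id, uint32_t xid)
{
    rpc_call *c;
    for (c = call_table[call_hash(conv_id, xid)]; c != NULL; c = c->next)
        if (c->conv_id == conv_id && c->xid == xid)
            return c;
    return NULL;
}

/* Call path: record a call when it is dissected. A repeated key (such as a
 * retransmitted call) keeps the first entry. Returns 0, or -1 if out of memory. */
int call_remember(uint32_t conv_id, uint32_t xid,
                  uint32_t prog, uint32_t vers, uint32_t proc)
{
    unsigned h = call_hash(conv_id, xid);
    rpc_call *c;
    if (call_lookup(conv_id, xid) != NULL)
        return 0;
    c = malloc(sizeof *c);
    if (c == NULL)
        return -1;
    c->conv_id = conv_id; c->xid = xid;
    c->prog = prog; c->vers = vers; c->proc = proc;
    c->next = call_table[h];
    call_table[h] = c;
    return 0;
}
```

Because the conversation is part of the key, the same XID on two different streams resolves to two different calls, and a reply whose call was not captured yields NULL rather than a wrong match.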