Ethereal-dev: Re: [Ethereal-dev] some dcerpc and nbss updates

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Todd Sabin <tas@xxxxxxxxxxx>
Date: 26 Sep 2001 17:29:02 -0400

Guy Harris <guy@xxxxxxxxxx> writes:

> > 2.  modifies packet-nbns.c to pass off netbios session packets to
> > heuristic dissectors, and packet-dcerpc.c registers itself there.
> > Most of the time, the layer directly above netbios session is SMB.
> > However, it's possible to do DCE/RPC directly on the netbios session
> > layer, with the ncacn_nb_tcp protseq.
> 
> Will it always be the case that a given NetBIOS session will be SMB, or
> raw DCE RPC, or...?  Or do you need to do heuristic checks on every
> packet?
> 

AFAIK, yes.

> If you will always get the same type of traffic on a session, then we
> could expand the "conversation dissector" notion to allow multiple
> conversation dissectors, keyed by the calling protocol, and have the
> NBSS dissector call the appropriate conversation dissector if it's set,
> and do the heuristics *and* associate the matching dissector with the
> conversation (or have the called dissector do that) if it's not set.
> 
> That way, the SMB dissector would report anything that doesn't begin
> with 0xFF 'S' 'M' 'B' as a continuation, and other heuristic dissectors
> would do the same.
> 
> (We do something similar for ONC RPC in the current CVS code.)
> 

I believe I understand what you're saying, but I'm not seeing how it
would work.  If a dissector is heuristic, then if it doesn't recognize
a frame (including, e.g., a nbss continuation frame) it isn't supposed
to dissect it.  So what's been gained?

Maybe what we want is really just another flavor of defragmentation?
That is really what these NBSS continuation messages are, right?  The
remains of a single NBSS message that didn't fit into a single TCP
packet?


Todd
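
The conversation-keyed dispatch proposed in the quoted text, modelled as an added example (not code from this thread or from Ethereal): heuristics run until one matches, the match is remembered for the session, and later payloads go straight to that dissector. The types, function names, sample payloads and the DCE/RPC check (16-byte header, version 5, minor 0 or 1, ptype <= 19) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the proposal, not Ethereal's API. */
enum { PROTO_NONE = 0, PROTO_SMB = 1, PROTO_DCERPC = 2, CONTINUATION = 0x10 };
struct conversation { int bound; };   /* dissector remembered for this NBSS session */

/* Constructed sample payloads (what NBSS would hand to the layer above). */
static const unsigned char SMB_FIRST[] = { 0xFF, 'S', 'M', 'B', 0x72, 0, 0, 0 };
static const unsigned char DCERPC_FIRST[16] = { 5, 0, 11, 3, 0x10 };  /* v5.0 bind */
static const unsigned char CONT[] = { 'm', 'o', 'r', 'e', ' ', 'd', 'a', 't', 'a' };

static int looks_like_smb(const unsigned char *p, size_t n)
{
    return n >= 4 && memcmp(p, SMB_FIRST, 4) == 0;   /* 0xFF 'S' 'M' 'B' */
}

/* Assumed DCE/RPC heuristic: 16-byte header, version 5, minor 0 or 1, ptype <= 19. */
static int looks_like_dcerpc(const unsigned char *p, size_t n)
{
    return n >= 16 && p[0] == 5 && p[1] <= 1 && p[2] <= 19;
}

/* Heuristics run only until one matches; afterwards the bound dissector gets
 * every payload, and one that fails its own check is flagged a continuation. */
int nbss_dispatch(struct conversation *c, const unsigned char *p, size_t n)
{
    int ok_smb = looks_like_smb(p, n), ok_rpc = looks_like_dcerpc(p, n);
    if (c->bound == PROTO_NONE) {
        c->bound = ok_smb ? PROTO_SMB : ok_rpc ? PROTO_DCERPC : PROTO_NONE;
        return c->bound;                     /* PROTO_NONE: nobody claimed it */
    }
    int ok = (c->bound == PROTO_SMB) ? ok_smb : ok_rpc;
    return ok ? c->bound : (c->bound | CONTINUATION);
}

/* Feed `first`, then the continuation payload, through one fresh conversation. */
int second_payload_result(const unsigned char *first, size_t n)
{
    struct conversation c = { PROTO_NONE };
    nbss_dispatch(&c, first, n);
    return nbss_dispatch(&c, CONT, sizeof CONT);
}

int main(void)
{
    printf("after SMB: 0x%02x, after DCE/RPC: 0x%02x, alone: 0x%02x\n",
           second_payload_result(SMB_FIRST, sizeof SMB_FIRST),
           second_payload_result(DCERPC_FIRST, sizeof DCERPC_FIRST),
           second_payload_result(CONT, sizeof CONT));
    return 0;
}
```

The same continuation payload is attributed to SMB or DCE/RPC when the session is already bound, and is left unclaimed when it arrives with no session state.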