Tim Potter <tpot@xxxxxxxxx> writes:
> Hi everyone. Here's another msrpc patch. Microsoft DCERPC over SMB
> allows more than one DCERPC connection to be open over a single TCP/IP
> socket. Unfortunately there is no information in the DCERPC header
> to determine which bind a particular request belongs to. This
> information is the fid returned by the ntcreate&x and sent in the
> smbtrans header.
>
> I've added an extra entry to the conversation hash key which should
> be zero for non-MSRPC DCERPC calls but set to the fid for MSRPC.
> Hopefully I've done this in a nice transport independent way (I
> alluded to this in my last message to the list) without making
> the dcerpc dissector too ugly.
>
> Guy, Ronnie, I would appreciate your input on this.
>
I'm glad to see someone getting this working, but wouldn't it be
cleaner to have the SMB layer add this to the conversation info for
the packet? I.e., add a port_type PT_SMB, and have the FID be either
src or dest port (both?), or something along those lines. Then the
dcerpc layer shouldn't need to be modified at all because of its use
of find_conversation, and it would be available to other dissectors,
should they ever need it. This is what was suggested to me when I
first mentioned this problem, but I never found the time to do it.
Todd