Ethereal-dev: Re: [Ethereal-dev] SMBpatch for read/write and x

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Tim Potter <tpot@xxxxxxxxx>
Date: Thu, 29 Nov 2001 07:27:23 +1100

On Wed, Nov 28, 2001 at 12:51:59PM +0000, Pia Sahlberg wrote:

> Hi Tim, Hi list
> 
> In what way does it not work?
> add_fid() should show the smb.fid field in the tree for anyone
> calling it, including when called for TransactNmPipe.
> I assume you can actually see the smb.fid thingy in the tree but that
> display filters fail to see it?

Yes that's correct.  Sorry I wasn't more clear - I was just about to
head off to bed.

If I have a msrpc transaction and enter in "smb.fid == 0x4001" then
the smbtrans request and replies do not show up in the filter display.

> If that is the case, then I have seen it before (for example for nfs 
> filehandles, which are also displayed by NLM and Mount dissectors):
> smb_fid  is declared in the SMB protocol dissector and tied to proto_smb.
> If you would call add_fid() from somewhere else, outside of the dissector
> for proto_smb, as in say proto_pipe or whatever the smb-pipe
> dissector is called, then the displayfilter thingy will not find
> smb.fid.
> I assume this is some optimization, if dissecting in the tree under the 
> protocol branch: proto_pipe, then ONLY check hf_index entries
> registered for proto_pipe and ignore anything else.

But if I type in "smb" as a filter string (a good trick btw) I get
all smbs and all msrpc transactions.  By your reasoning above I should
only get the SMB transactions and not the msrpc ones?


Tim.