Hi,
Attached is a work in progress for reassembly of DCERPC over SMB.
This should not go in CVS now, but if someone could test it (Tim?)
I would be happy. It looks reasonably good on my side, but I can't dissect
the content of the DCERPC calls so I don't know if the data is good.
The patch applies to CVS as of a few days ago; one might need to apply it
manually to current CVS, but the patch is small and it should not be too
difficult.
Current faults:
1. There is a memory leak in packet-smb.c in that it just drops all fragment
   tables upon rescanning the packets instead of freeing the reassembly data.
   (Hey, it's a test version, not production.)
2. DCERPC over SMB reassembly is ON by default.
3. You need to apply an empty display filter first before the COL_INFO stuff
   is updated.
4. It only handles responses. Well, it only reassembles ReadAndX calls and
   not any WriteAndX calls.
If Tim could test it with his dissectors for msrpc that would be great.
Also, if someone has DCERPC over SMB requests which are fragmented
(and uses WriteAndX?) I would be delighted for a capture so I can
implement that as well.
best regards
ronnie sahlberg
Attachment:
smb_patch.diff.gz
Description: GNU Zip compressed data