Ethereal-dev: Re: [Ethereal-dev] dcerpc patch, request-response matching update and persis

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 20 Jan 2002 15:14:58 -0800

On Fri, Jan 18, 2002 at 11:28:29PM +1100, Ronnie Sahlberg wrote:
> Attached is a patch for dcerpc.
> It extends the existing feature where responses are matched to requests (and
> fixes a bug in it)
> so one can match requests->responses as well.
> It also restructures the stored value structures slightly to make this work.

It also appears, in at least one capture I have, to pick the wrong
subprotocol.

In that capture, there's an SMB session with LSA (Local Security
Architecture) and NETLOGON calls.

The traffic on that session includes:

	an NT Create AndX opening \lsarpc, returning FID 0x4004;

	a DCERPC Bind, on FID 0x4004, of an interface UUID of
	12345778-1234-abcd-ef00-0123456789ab, which is LSA, and a Bind
	ack;

	some LSA calls on FID 0x4004;

	a close of FID 0x4004;

	an NT Create AndX opening \NETLOGON, returning FID 0x4005;

	a DCERPC bind, on FID 0x4005, of an interface UUID of
	12345678-1234-abcd-ef00-01234567cffb, which is NETLOGON, and a
	Bind ack;

	some NETLOGON calls on FID 0x4005 - which are incorrectly
	dissected as LSA calls, instead (the version without your patch
	dissects them as NETLOGON calls).

Perhaps there's some state your new code is maintaining that's being
maintained on a per-connection basis rather than on a
per-connection-and-FID basis?
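
The per-connection versus per-connection-and-FID distinction raised above, as an added example that is not part of the original message and not Ethereal's code. The table, the function names and the conversation id are hypothetical, and the "first bind wins" lookup is an assumed failure mode chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration; names are hypothetical, not Ethereal's own code. */
#define LSA_UUID      "12345778-1234-abcd-ef00-0123456789ab"
#define NETLOGON_UUID "12345678-1234-abcd-ef00-01234567cffb"
#define MAX_BINDS 16

struct bind_entry {
    unsigned conv_id;    /* SMB connection the pipe lives on (constructed id) */
    unsigned short fid;  /* FID returned by NT Create AndX */
    const char *iface;   /* interface UUID carried in the DCERPC Bind */
};
static struct bind_entry binds[MAX_BINDS];
static int nbinds;

void record_bind(unsigned conv_id, unsigned short fid, const char *iface) {
    if (nbinds < MAX_BINDS)
        binds[nbinds++] = (struct bind_entry){ conv_id, fid, iface };
}

/* Assumed failure mode: state keyed by connection only, first bind wins. */
const char *lookup_per_conn(unsigned conv_id) {
    for (int i = 0; i < nbinds; i++)
        if (binds[i].conv_id == conv_id)
            return binds[i].iface;
    return NULL;
}

/* State keyed by connection and FID: each pipe keeps its own interface. */
const char *lookup_per_conn_fid(unsigned conv_id, unsigned short fid) {
    for (int i = 0; i < nbinds; i++)
        if (binds[i].conv_id == conv_id && binds[i].fid == fid)
            return binds[i].iface;
    return NULL;
}

/* Replay the two Binds from the capture described in the message. */
void replay_capture(void) {
    nbinds = 0;
    record_bind(1, 0x4004, LSA_UUID);       /* pipe opened as \lsarpc */
    record_bind(1, 0x4005, NETLOGON_UUID);  /* pipe opened as \NETLOGON */
}

int main(void) {
    replay_capture();
    printf("call on FID 0x4005, per-connection key: %s\n", lookup_per_conn(1));
    printf("call on FID 0x4005, per-conn+FID key:   %s\n", lookup_per_conn_fid(1, 0x4005));
    return 0;
}
```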