On Fri, Jan 18, 2002 at 11:28:29PM +1100, Ronnie Sahlberg wrote:
> Attached is a patch for dcerpc.
> It extends the existing feature where responses are matched to requests (and
> fixes a bug in it)
> so one can match requests->responses as well.
> It also restructures the stored value structures slightly to make this work.
It also appears to, in at least one capture I have, to pick the wrong
subprotocol.
In that capture, there's an SMB session with LSA (Local Security
Architecture) and NETLOGON calls.
The traffic on that session includes:
an NT Create AndX opening \lsarpc, returning FID 0x4004;
a DCERPC Bind, on FID 0x4004, of an interface UUID of
12345778-1234-abcd-ef00-0123456789ab, which is LSA, and a Bind
ack;
some LSA calls on FID 0x4004;
a close of FID 0x4004;
an NT Create AndX opening \NETLOGON, returning FID 0x4005;
a DCERPC bind, on FID 0x4005, of an interface UUID of
12345678-1234-abcd-ef00-01234567cffb, which is NETLOGON, and a
Bind ack;
some NETLOGON calls on FID 0x4005 - which are incorrectly
dissected as LSA calls, instead (the version without your patch
dissects them as NETLOGON calls.
Perhaps there's some state your new code is maintaining that's being
maintained on a per-connection basis rather than on a
per-connection-and-FID basis?