I have been patiently waiting for the results of the rewritten NCP
decoder in Ethereal 0.9.4, and have tested it today. It is
quite good but there are 2 problems I've noticed:
1) I've always had trouble with decoding NCP over IP packets (we're very
soon going to be a Pure IP shop). It turns out that Ethereal is not
properly decoding packets with packet signatures enabled. There's an
extra 8 bytes between the NCP over IP reply Buffer size field and the
actual start of the NCP packet (this is determined by looking for an
0x2222 or 0x3333 as appropriate in the packet data), and assuming the
NCP type header is immediately after the NCP over IP Reply Buffer Size
information, instead of the signature. Once the offset is shifted it
cannot decode the packets at all, reporting them as Unknown Types. I
have verified this by turning off packet signatures and
get good decoding information, except for the problem in the next item.
2) NCP over IP will use burst mode to do large transfers (program and
data files in bulk) and these are identified as NCP packets but have
little or no header data, so again the packet type is unknown. This is
a minor problem though, because it's clear in the trace what's going on
(there's an NCP open file request, a bunch of large packets with TCP
ACKs from the server, then an NCP close file request.)
These seem like small issues, and I figured the rewrite of the
dissector would handle it. I will gladly provide dumps and testing to
help fix this problem, and if there are resources people are aware of to
fully document the NCP over IP packet structures, I'll do it. My
initial testing seems to indicate that packet decodes of NCP over IPX
are accurate.
--Mike
Mike Richichi
Assistant Director of Academic Technology, Drew University
mailto:mrichich@xxxxxxxx, http://www.users.drew.edu/~mrichich/
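The first problem in the message above is a fixed-offset assumption: the dissector expects the NCP type marker (0x2222 request, 0x3333 reply) to follow the Reply Buffer Size field directly, and the 8-byte packet signature pushes it out of place. The following Python is an added example, not code from the post or from Ethereal, showing the brittle decode beside one that tolerates the optional signature and that recognises burst-mode packets by their type marker alone. The NCP-over-IP header layout used here (4-byte magic, 4-byte length, 4-byte version, 4-byte reply buffer size) is a simplified construction for the demonstration, the signature filler bytes are made up, and the type values other than 0x2222 and 0x3333 are well-known NCP type codes added for completeness rather than taken from the post.

```python
import struct

# NCP packet-type markers. 0x2222 (request) and 0x3333 (reply) are the values
# the post names; the remaining entries are well-known NCP type codes added
# for completeness (assumption, not taken from the post).
NCP_TYPES = {
    0x2222: "Request",
    0x3333: "Reply",
    0x5555: "Destroy Service Connection",
    0x7777: "Burst Mode Transfer",
    0x9999: "Positive Acknowledgement",
}

# Extra bytes the post reports between the Reply Buffer Size field and the
# NCP type header when packet signatures are enabled.
SIGNATURE_LEN = 8

# Constructed, simplified NCP-over-IP request header used only for this
# demonstration (assumption): 4-byte magic, 4-byte total length,
# 4-byte version, 4-byte reply buffer size, all big-endian.
NCPIP_HDR = struct.Struct(">4sIII")
MAGIC = b"DmdT"


def build_ncpip_request(ncp_type, body, signed):
    """Assemble a constructed NCP-over-IP request for testing."""
    sig = b"\xAA" * SIGNATURE_LEN if signed else b""   # constructed filler
    ncp = struct.pack(">H", ncp_type) + body
    total = NCPIP_HDR.size + len(sig) + len(ncp)
    return NCPIP_HDR.pack(MAGIC, total, 1, 4096) + sig + ncp


def _check_header(payload):
    magic, length, version, reply_buf = NCPIP_HDR.unpack_from(payload, 0)
    if magic != MAGIC or length != len(payload):
        raise ValueError("not a well-formed NCP/IP request")
    return reply_buf


def decode_naive(payload):
    """The behaviour the post describes: assume the NCP type header sits
    immediately after the Reply Buffer Size field."""
    _check_header(payload)
    ncp_type = struct.unpack_from(">H", payload, NCPIP_HDR.size)[0]
    return NCP_TYPES.get(ncp_type, "Unknown Type")


def locate_ncp_header(payload, base):
    """Find the NCP type header at `base` or, if packet signatures added
    SIGNATURE_LEN bytes, at base + SIGNATURE_LEN.
    Returns (offset, type_name, signed) or None."""
    for signed, off in ((False, base), (True, base + SIGNATURE_LEN)):
        if off + 2 > len(payload):
            continue
        ncp_type = struct.unpack_from(">H", payload, off)[0]
        if ncp_type in NCP_TYPES:
            return off, NCP_TYPES[ncp_type], signed
    return None


def decode_robust(payload):
    """Decode the constructed NCP/IP request, tolerating the optional
    8-byte signature. Burst-mode packets carry little header data beyond
    the type marker, so they are reported by type and remaining length."""
    reply_buf = _check_header(payload)
    hit = locate_ncp_header(payload, NCPIP_HDR.size)
    if hit is None:
        return {"type": "Unknown Type", "signed": None, "ncp_offset": None}
    off, name, signed = hit
    return {
        "type": name,
        "signed": signed,
        "ncp_offset": off,
        "reply_buffer_size": reply_buf,
        "ncp_data_len": len(payload) - off - 2,
    }


if __name__ == "__main__":
    plain = build_ncpip_request(0x2222, b"\x00" * 6, signed=False)
    signed = build_ncpip_request(0x2222, b"\x00" * 6, signed=True)
    burst = build_ncpip_request(0x7777, b"\xCC" * 1400, signed=True)
    print(decode_naive(plain), "/", decode_naive(signed))
    print(decode_robust(signed)["type"], decode_robust(signed)["ncp_offset"])
    print(decode_robust(burst)["type"], decode_robust(burst)["ncp_data_len"])
```

Probing two candidate offsets is enough to show the failure mode, but a real dissector should not rely on it alone: eight signature bytes can, by chance, begin with a valid type code, so the signed/unsigned decision is better driven by a protocol preference or by the signature state negotiated earlier on the same connection, with the offset probe kept as a fallback.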