[Devin Heitmueller <dheitmueller@xxxxxxxxxxx>]

You are correct.

Wow, what a pain.  It's surprising how much you have to know about the
protocol in order to get Ethereal to dissect it properly.  It's a
catch-22  -- you have to understand the protocol in order to know how to
setup the dissector, but many people use the dissector to learn the how
the protocol works.

Perhaps a FAQ item or something in the documentation might save some
traffic on the mailing list.

Ok, I'll get off my soapbox now.

Thanks for your help,

Devin

On Fri, 2002-11-08 at 14:58, Ronnie Sahlberg wrote:
> 
> From: "Devin Heitmueller"
> Sent: Saturday, November 09, 2002 6:33 AM
> Subject: Re: [Ethereal-dev] Support SMBreadX in SAMR calls
> 
> 
> > The trace is attached.
> >
> > The problem starts at packet 103.  With the "Reassemble DCERPC over SMB"
> > option disabled, the frame is shown as a LookupRIDs request (although it
> > reports as a short frame).  If "Reassemble DCERPC over SMB" is enabled,
> > it is only shown as a DCE Request.
> >
> > Any feedback you can provide would be greatly appreciated.
> 
> The PDU is fragmented at the NBSS layer.
> When I enable :
>    NBSS/Desegment all NBSS ...
>    TCP/Allow subdissector ...
> 
> It reassembles fine.
> Packets 103,104,106,107,108,110 and 110 makes up
> one 8.8kb NBSS PDU that carries one SMB PDU.
> 
> The NBSS PDU is dissected in packet 111 and not 103 since 111 is the packet
> that completes the reassembly of the PDU.
> Reassembly of PDUs over TCP will always only dissect/display the PDU in the
> packet holding the last segment of the PDU, the segment where the PDU is
> completed.
> 
> 
> 
> 
-- 
Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc