Ethereal-dev: Re: [Ethereal-dev] Missing UUID inference

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Tim Potter <tpot@xxxxxxxxx>
Date: Thu, 9 Oct 2003 14:16:33 +1000

On Wed, Oct 08, 2003 at 07:19:07PM -0700, Eric Wedel wrote:

> We just had a field case where the customer seemed unable to obtain full
> traces.  Instead, they kept giving us traces where the DCERPC bind had
> happened sometime earlier, so ethereal didn't know how to interpret
> subsequent traffic.
>  
> Looked through 0.9.15, and couldn't see any option to force the UUID.  So I
> knocked together a little hack to guess the UUID when a request is seen
> whose conversation doesn't have a known binding.  Patch is attached for your
> amusement.

It would be nice to be able to select from a list of known UUIDs, I think.

> discussion, not sure if this idea has been considered before.  I can tell
> you that when you need it, this is *very* helpful.  :-)

Yep.  Especially from customer traces where they haven't started capturing
early enough or for long-running DCERPC processes where it wouldn't
be practical.

It should actually be possible to make the subdissectors heuristic as there
should only be one (or maybe one or two) that dissects a given packet 
properly.  That would be neat.


Tim.
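
The heuristic selection suggested in the reply above, as an added example that is not Ethereal code and not the patch attached to the original message: each candidate interface tries to parse the request stub, and a guess is accepted only when exactly one candidate consumes the stub cleanly. The two interfaces, their stub layouts, and the `guess_interface` function are hypothetical, and the sample stubs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a little-endian uint32 (the byte order assumed for these sample stubs). */
static uint32_t le32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical interface A, opnum 0: uint32 count, then count uint32 items. */
static int try_iface_a(uint16_t opnum, const uint8_t *s, size_t len) {
    if (opnum != 0 || len < 4) return 0;
    uint32_t n = le32(s);
    return n <= (len - 4) / 4 && 4 + (size_t)n * 4 == len;
}

/* Hypothetical interface B, opnum 0: 20-byte context handle, uint32 level <= 3. */
static int try_iface_b(uint16_t opnum, const uint8_t *s, size_t len) {
    return opnum == 0 && len == 24 && le32(s + 20) <= 3;
}

struct candidate { const char *name; int (*try_parse)(uint16_t, const uint8_t *, size_t); };
static const struct candidate candidates[] = {
    { "iface_a (hypothetical)", try_iface_a },
    { "iface_b (hypothetical)", try_iface_b },
};
#define NCAND (sizeof candidates / sizeof candidates[0])

/* Returns the index of the only candidate that parses the stub cleanly,
 * -1 if none does, -2 if more than one does (ambiguous: do not guess). */
int guess_interface(uint16_t opnum, const uint8_t *stub, size_t len) {
    int hit = -1;
    for (size_t i = 0; i < NCAND; i++) {
        if (!candidates[i].try_parse(opnum, stub, len)) continue;
        if (hit >= 0) return -2;
        hit = (int)i;
    }
    return hit;
}

/* Constructed sample stubs for a request seen without its bind. */
static const uint8_t stub_a[12] = { 2,0,0,0, 7,0,0,0, 9,0,0,0 };
static const uint8_t stub_b[24] = { [0] = 0xAA, [19] = 0xBB, [20] = 1 };
static const uint8_t stub_ambig[24] = { [0] = 5 }; /* valid for both A and B */

int main(void) {
    printf("%d %d %d\n", guess_interface(0, stub_a, 12), guess_interface(0, stub_b, 24), guess_interface(0, stub_ambig, 24));
    return 0;
}
```

The ambiguous case is why a guessed binding should be shown to the analyst as inferred rather than treated as if the bind had been captured.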