I think the optimal would be if a DCERPC packet was selected,
then in Tools/DecodeAs one could select any of the protocols that
were registered atop DCERPC for that conversation/contextid.
----- Original Message -----
From: "Tim Potter"
Sent: Thursday, October 09, 2003 2:16 PM
Subject: Re: [Ethereal-dev] Missing UUID inference
> On Wed, Oct 08, 2003 at 07:19:07PM -0700, Eric Wedel wrote:
>
> > We just had a field case where the customer seemed unable to obtain full
> > traces. Instead, they kept giving us traces where the DCERPC bind had
> > happened sometime earlier, so ethereal didn't know how to interpret
> > subsequent traffic.
> >
> > Looked through 0.9.15, and couldn't see any option to force the UUID. So I
> > knocked together a little hack to guess the UUID when a request is seen
> > whose conversation doesn't have a known binding. Patch is attached for your
> > amusement.
>
> It would be nice to be able to select from a list of known uuids I think.
>
> > discussion, not sure if this idea has been considered before. I can tell
> > you that when you need it, this is *very* helpful. :-)
>
> Yep. Especially from customer traces where they haven't started capturing
> early enough or for long running dcerpc processes where it wouldn't
> be practical.
>
> It should actually be possible to make the subdissectors heuristic as there
> should only be one (or maybe one or two) that dissects a given packet
> properly. That would be neat.
>
>
> Tim.