[Tim Potter <tpot@xxxxxxxxx>]

On Fri, Oct 24, 2003 at 07:40:31PM -0700, Eric Wedel wrote:

> Regarding option (1), it seems the DCE/RPC subdissectors are not presently
> structured to provide a go/no-go sort of response.  They merely return an
> offset indicating how much of the packet they "consumed."  Consumed in
> quotes since at least some of the NDR parsing seems to advance the offset
> regardless of whether the data is valid.  So it doesn't even seem practical
> to use the offset output to decide whether a dissector likes a packet.

I started down the path of implementing this a few weeks ago.  The idea
was to iterate over every dcerpc dissector we know about, and call the
correct subdissector within a TRY{} block.  If a BoundsError exception
was called or there was leftover data then the pipe is the wrong one.

This is basically what a heuristic dissector does.  I was calling these
guys in a loop, but perhaps a whole bunch of heuristic dissectors could
be registered and it might happen automatically or with a preference.

> At this point, it seems like the best approach would be a custom dialog
> linked from a button on the DCE/RPC preferences pane.  The present generic
> preferences machinery used by the dissectors doesn't seem to support this.

I think it would be neat to have an automatic method and a DecodeAs or
similar interface.


Tim.