-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Here is a patch that creates a new variable which can be used to filter
on unknown dcerpcs.
- -- packet-dcerpc.c 2004-02-15 10:45:28.151207280 -0600
+++ packet-dcerpc.c 2004-02-15 10:39:55.574766584 -0600
@@ -386,6 +386,7 @@
static int hf_dcerpc_fragment_too_long_fragment = -1;
static int hf_dcerpc_fragment_error = -1;
static int hf_dcerpc_reassembled_in = -1;
+static int hf_dcerpc_unknown_if_id = -1;
static gint ett_dcerpc = -1;
static gint ett_dcerpc_cn_flags = -1;
@@ -3665,6 +3666,7 @@
if(hdr->frag_num == 0) {
+ proto_tree_add_boolean_hidden(dcerpc_tree, hf_dcerpc_unknown_if_id,
tvb, offset, 0, TRUE);
if (check_col (pinfo->cinfo, COL_INFO))
col_append_fstr (pinfo->cinfo, COL_INFO, " UNKUUID: %08x-%04x-%04x-%02x%02x-
%02x%02x%02x%02x%02x%02x rpcver: %u",
di->call_data->uuid.Data1, di->call_data->uuid.Data2, di->call_data->uuid.Data3,
di->call_data->uuid.Data4[0],
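Review bot: The hidden `dcerpc.unknown_if_id` item is added inside the `if(hdr->frag_num == 0)` branch, so only the first fragment of a call appears to be tagged; later fragments of the same call would presumably not match a display filter on this field. Anyone using the filter to triage traffic to unrecognised interfaces would then see fewer frames than are actually involved. If every PDU of such a call should match, move `proto_tree_add_boolean_hidden(dcerpc_tree, hf_dcerpc_unknown_if_id, tvb, offset, 0, TRUE);` above the `frag_num` test; otherwise add a comment such as `/* tag only the first fragment of a call on an unknown interface */`. The enclosing function starts and ends outside the hunk, so it cannot be confirmed from here that this branch is reached only for unknown interfaces.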
@@ -4515,6 +4517,8 @@
{ "Time from request", "dcerpc.time", FT_RELATIVE_TIME, BASE_NONE, NULL,
0, "Time between Request and Reply for DCE-RPC calls", HFILL }},
{ &hf_dcerpc_reassembled_in,
{ "This PDU is reassembled in", "dcerpc.reassembled_in", FT_FRAMENUM,
BASE_NONE, NULL, 0x0, "The DCE/RPC PDU is completely reassembled in
this frame", HFILL }},
+ { &hf_dcerpc_unknown_if_id,
+ { "Unknown DCERPC interface id", "dcerpc.unknown_if_id", FT_BOOLEAN,
BASE_NONE, NULL, 0x0, "", HFILL }},
};
static gint *ett[] = {
&ett_dcerpc,
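Review bot: The new `hf_dcerpc_unknown_if_id` entry registers with an empty description (`""`), unlike the neighbouring entries, so the field list gives no hint of what `dcerpc.unknown_if_id` means or when it is set. I would fill it in, for example `"Set when the DCE/RPC interface UUID of this call is not recognised"`, with the wording checked against the code path that adds the item. The field is also a bare boolean: it says an interface was unknown but not which one, since the UUID appears only in the ` UNKUUID:` Info column text, so a filter cannot narrow to a specific unrecognised interface. The `hf[]` array continues outside this hunk.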
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3
wkYEARECAAYFAkAvuNYACgkQFh/Ot+gyoF4l3wCfZumwe9TmkjX+/9JA4Ehdcqyr73AA
niVqZtoDJLqSN9UBhkAS6n2viKl5
=8hH+
-----END PGP SIGNATURE-----