Hi List!
I'm having problems with DCE-RPC over UDP (connectionless)
conversations. I have a capture file which incorrectly displays some
fragments as related that are not related at all.
Having a look into the sources, I found the following comment
(packet-dcerpc.c line 4450, function dissect_dcerpc_dg):

    /*
     * keeping track of the conversation shouldn't really be necessary
     * for connectionless packets, because everything we need to know
     * to dissect is in the header for each packet. Unfortunately,
     * Microsoft's implementation is buggy and often puts the
     * completely wrong if_id in the header. go figure. So, keep
     * track of the seqnum and use that if possible. Note: that's not
     * completely correct. It should really be done based on both the
     * activity_id and seqnum. I haven't seen anywhere that it would
     * make a difference, but for future reference...
     */

... and now the time has come?
Could someone give me a helping hand with how this should be implemented?
Maybe add an activity_id value to the dcerpc_call_key?
As mentioned, I have a capture which shows the problem (around 60KB), if
someone is interested.
Regards, ULFL
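
An added illustration of the keying question raised above (not part of the original post and not Wireshark's code): in connectionless DCE-RPC the seqnum counts calls within one activity, so two activities on the same UDP conversation can carry the same seqnum. The struct, function names and fragment values below are hypothetical and constructed for the example; it compares a seqnum-only match with a match on activity_id plus seqnum.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical key for illustration; not Wireshark's dcerpc_call_key. */
typedef struct {
    uint32_t conv_index;   /* stand-in for the UDP conversation */
    uint32_t seqnum;       /* seqnum field of the datagram header */
    uint8_t  act_id[16];   /* activity_id field (a UUID) of the datagram header */
} dg_call_key;

/* Matching on seqnum alone, as the quoted comment describes. */
static int eq_seq_only(const dg_call_key *a, const dg_call_key *b) {
    return a->conv_index == b->conv_index && a->seqnum == b->seqnum;
}

/* Matching on activity_id and seqnum together. */
static int eq_act_seq(const dg_call_key *a, const dg_call_key *b) {
    return eq_seq_only(a, b) && memcmp(a->act_id, b->act_id, 16) == 0;
}

/* Hash consistent with eq_act_seq (FNV-1a style mixing of all key fields). */
static uint32_t hash_act_seq(const dg_call_key *k) {
    uint32_t h = 2166136261u ^ k->conv_index;
    for (size_t i = 0; i < 16; i++) h = (h ^ k->act_id[i]) * 16777619u;
    return (h ^ k->seqnum) * 16777619u;
}

/* Constructed fragments: two activities on one conversation, same seqnum. */
static const dg_call_key frags[] = {
    { 1, 7, { 0xA1 } },   /* activity A, seqnum 7 */
    { 1, 7, { 0xA1 } },   /* activity A, seqnum 7 (next fragment) */
    { 1, 7, { 0xB2 } },   /* activity B, seqnum 7 (unrelated call) */
    { 1, 8, { 0xA1 } },   /* activity A, seqnum 8 (next call) */
};

/* Number of fragments grouped with frags[0] under the given comparison. */
static int related_to_first(int (*eq)(const dg_call_key *, const dg_call_key *)) {
    int n = 0;
    for (size_t i = 0; i < sizeof frags / sizeof frags[0]; i++) n += eq(&frags[0], &frags[i]);
    return n;
}

int main(void) {
    printf("seqnum only: %d related, activity_id+seqnum: %d related, hash A!=B: %d\n",
           related_to_first(eq_seq_only), related_to_first(eq_act_seq),
           hash_act_seq(&frags[0]) != hash_act_seq(&frags[2]));
    return 0;
}
```

With the seqnum-only comparison the activity B fragment is grouped with activity A's call; the combined key keeps them apart.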