Ulf Lamping <ulf.lamping@xxxxxx> writes:
> Hi List!
>
> I'm having problems with DCE-RPC over UDP (connectionless)
> conversations. I have a capture file, which incorrectly displays some
> fragments as related, which are not related at all.
>
> Having a look into the sources, I found the following comment
> (packet-dcerpc.c line 4450, function dissect_dcerpc_dg):
>
> /*
> * keeping track of the conversation shouldn't really be necessary
> * for connectionless packets, because everything we need to know
> * to dissect is in the header for each packet. Unfortunately,
> * Microsoft's implementation is buggy and often puts the
> * completely wrong if_id in the header. go figure. So, keep
> * track of the seqnum and use that if possible. Note: that's not
> * completely correct. It should really be done based on both the
> * activity_id and seqnum. I haven't seen anywhere that it would
> * make a difference, but for future reference...
> */
>
> .. and now the time has come?
It would seem so. :)
> Could someone give me a helping hand, how this should be implemented?
>
> Maybe add an activity_id value to the dcerpc_call_key?
Yes, that should be sufficient, though it might be appropriate to
split the dcerpc_call_key into dcerpc_cn_call_key and
dcerpc_dg_call_key, and maintain separate hash tables for the
connection oriented and datagram calls.
> As mentioned, I have a capture which shows the problem (around 60KB),
> if someone is interested.
I'd be interested in having a look.
--
Todd Sabin <tsabin@xxxxxxxxxxxxx>
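For anyone following along, here is an added example of what the key change discussed above looks like in practice. This is my own illustration, not code from packet-dcerpc.c and not something Ulf or Todd posted; every name in it (dg_uuid_t, dg_call_key_t, dg_call_lookup, ...) is hypothetical, conv_id stands in for whatever identifies the UDP conversation, and the small linear-probing table stands in for the separate datagram hash table Todd suggests. The point it shows is that once the activity_id is part of the key, two fragments that merely share a seqnum stop being treated as one call.

```c
/* Added example (not Wireshark/Ethereal code): a datagram call key that
 * includes the activity_id alongside the seqnum. All names are hypothetical. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DG_TABLE_SIZE 64

typedef struct { uint8_t b[16]; } dg_uuid_t;   /* 16-byte activity UUID */

typedef struct {
    uint32_t  conv_id;   /* UDP conversation the packet belongs to */
    dg_uuid_t act_id;    /* activity_id from the DG header */
    uint32_t  seqnum;    /* seqnum from the DG header */
} dg_call_key_t;

typedef struct {
    int           used;
    dg_call_key_t key;
    uint16_t      opnum;   /* example of per-call state worth remembering */
} dg_call_entry_t;

typedef struct { dg_call_entry_t slots[DG_TABLE_SIZE]; } dg_call_table_t;

/* FNV-1a over each field's bytes (never over the struct, which may have padding). */
static uint32_t fnv1a(uint32_t h, const void *data, size_t len)
{
    const uint8_t *p = (const uint8_t *)data;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static uint32_t dg_call_key_hash(const dg_call_key_t *k)
{
    uint32_t h = 2166136261u;
    h = fnv1a(h, &k->conv_id, sizeof k->conv_id);
    h = fnv1a(h, k->act_id.b, sizeof k->act_id.b);
    h = fnv1a(h, &k->seqnum, sizeof k->seqnum);
    return h;
}

/* Same call only if conversation, activity and seqnum all agree. */
static int dg_call_key_equal(const dg_call_key_t *a, const dg_call_key_t *b)
{
    return a->conv_id == b->conv_id
        && a->seqnum  == b->seqnum
        && memcmp(a->act_id.b, b->act_id.b, sizeof a->act_id.b) == 0;
}

/* Find a call; with insert != 0, create it when absent. Linear probing;
 * returns NULL when not found (or when the table is full). */
static dg_call_entry_t *dg_call_lookup(dg_call_table_t *t,
                                       const dg_call_key_t *k, int insert)
{
    uint32_t idx = dg_call_key_hash(k) % DG_TABLE_SIZE;
    for (int n = 0; n < DG_TABLE_SIZE; n++) {
        dg_call_entry_t *e = &t->slots[(idx + n) % DG_TABLE_SIZE];
        if (!e->used) {
            if (!insert) return NULL;
            e->used = 1;
            e->key  = *k;
            return e;
        }
        if (dg_call_key_equal(&e->key, k)) return e;
    }
    return NULL;
}

/* The seqnum-only match the thread complains about, kept for contrast. */
static dg_call_entry_t *dg_call_lookup_seqnum_only(dg_call_table_t *t,
                                                   uint32_t conv_id, uint32_t seqnum)
{
    for (int i = 0; i < DG_TABLE_SIZE; i++) {
        dg_call_entry_t *e = &t->slots[i];
        if (e->used && e->key.conv_id == conv_id && e->key.seqnum == seqnum)
            return e;
    }
    return NULL;
}

/* Constructed scenario: two requests in one UDP conversation that share
 * seqnum 7 but carry different activity_ids. Returns 1 when the seqnum-only
 * key conflates them and the full key keeps them apart. */
static int demo_distinct_activities(void)
{
    dg_call_table_t t;
    dg_uuid_t act_a = {{0}}, act_b = {{0}};
    memset(&t, 0, sizeof t);
    act_a.b[15] = 0xA1;
    act_b.b[15] = 0xB2;

    dg_call_key_t ka = { 1, act_a, 7 };
    dg_call_key_t kb = { 1, act_b, 7 };

    dg_call_entry_t *ea = dg_call_lookup(&t, &ka, 1);   /* request, activity A */
    ea->opnum = 3;

    int old_hit   = dg_call_lookup_seqnum_only(&t, 1, 7) != NULL; /* wrong match */
    int new_hit   = dg_call_lookup(&t, &kb, 0) != NULL;           /* B is a new call */
    int same_call = dg_call_lookup(&t, &ka, 0) == ea;             /* A found again */
    return old_hit && !new_hit && same_call;
}

int main(void)
{
    printf("seqnum-only key conflates activities, full key does not: %s\n",
           demo_distinct_activities() ? "yes" : "no");
    return 0;
}
```

In the real dissector the conversation would be the pointer or index the conversation code hands back rather than an integer, and the table would be a GHashTable with these hash and equal functions; the shape of the key is what matters.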