Ethereal-users: Re: [Ethereal-users] dcerpc.time Time duration Time from request

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 05 Sep 2004 12:51:19 -0700
Brad Wilson wrote:

> Why don't all dcerpc packets have this available filter option?

Obviously request packets, and response packets where the request isn't in the capture, don't have that option.

The code adds that to response and fault packets; it currently doesn't add it to bind ack or alter ack packets, for example, because it currently doesn't keep track of bind and alter packets so that when a bind or alter ack packet is seen it can find the matching bind or alter packet. Request packets are kept track of because they're needed in order to dissect the response; that's not necessary for bind or alter packets, so nobody's written code to keep track of them.

> What I want to be able to do is create a filter to show
> dcerpc.time >= 5.0 however this is not working for me.

It's not finding packets even though there are packets where the request and response are in the capture and there's more than 5 seconds between them? If so, does it fully dissect the response (indicating that it successfully matched the response with the matching request)?
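
The matching behaviour described in the reply above can be modelled in a few lines. This is an added example, not part of the original message and not Ethereal's dissector code. The packet records are constructed, and keying the lookup on a conversation id plus `call_id` is an assumption made for this sketch.

```python
from collections import namedtuple

# Constructed sample capture: frame number, timestamp (s), conversation id,
# DCE/RPC packet type, call id. None of this comes from a real trace.
Pkt = namedtuple("Pkt", "frame ts conv ptype call_id")

SAMPLE = [
    Pkt(1, 0.000, "A", "bind", 1),
    Pkt(2, 0.010, "A", "bind_ack", 1),   # bind is not tracked: no time field
    Pkt(3, 0.020, "A", "request", 2),
    Pkt(4, 6.520, "A", "response", 2),   # 6.5 s after its request
    Pkt(5, 7.000, "A", "response", 9),   # request is not in the capture
    Pkt(6, 7.100, "B", "request", 2),
    Pkt(7, 7.300, "B", "fault", 2),      # faults are matched like responses
]

def annotate(packets):
    """Return {frame: seconds since the matching request} for the frames
    that would carry a time-from-request field in this model."""
    pending = {}  # (conv, call_id) -> request timestamp (assumed match key)
    times = {}
    for p in packets:
        key = (p.conv, p.call_id)
        if p.ptype == "request":
            pending[key] = p.ts          # remembered so the reply can find it
        elif p.ptype in ("response", "fault") and key in pending:
            times[p.frame] = round(p.ts - pending.pop(key), 6)
        # bind, bind_ack, alter, alter_ack: nothing is remembered, so no field
    return times

def filter_ge(times, threshold):
    """Frames that a filter of the form 'dcerpc.time >= threshold' selects."""
    return sorted(f for f, t in times.items() if t >= threshold)

if __name__ == "__main__":
    t = annotate(SAMPLE)
    print(t, filter_ge(t, 5.0))
```

Frames with no entry in the result (requests, unmatched responses, bind acks) have no value to compare, so a comparison filter can never select them regardless of the threshold.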