Wireshark-bugs: [Wireshark-bugs] [Bug 1392] RPC portmap classification switched to TCP after fil

Date: Sat, 24 Feb 2007 14:16:05 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1392


ulf.lamping@xxxxxx changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|packet protocol             |RPC portmap classification
                   |classification switched on  |switched to TCP after
                   |the fly                     |filtering




------- Comment #2 from ulf.lamping@xxxxxx  2007-02-24 14:16 GMT -------
First some background:
The packets are dissected sequentially from the first to the last. Context
information (e.g. infos about TCP segmentation) is build internally while
dissecting the packets. So a dissector will know less initially dissecting the
first packets than later on. 

If you apply a filter, the packets will be redissected - but the context
information is already available from dissecting the first packet.

So yes, if you redissect the packets a dissector may display different things
than in the first run - that's not a bug, that's a feature ;-)

However, the dissector should display more detailed - not less as in your case
- and that's a bug ;-)


About your capture:
Packet #6 is initially dissected as:
 "Portmap       V2 DUMP Call"

This is the last (only) fragment of an ONC RPC call.
Although this is the last (only) fragment, the packet content itself is NOT
dissected - which is probably the root of the problem.

After filtering (e.g. Follow TCP Stream), the same packet is dissected as:
"TCP    3289 > 111 [PSH, ACK] Seq=1 Ack=1 Win=5840 Len=44 ..."
Interestingly, the packet content is still marked as "Remote Procedure Call
Fragment" - without further dissection of the content.


So in the end, this seems to be a problem in the RPC portmap dissection Dump
call problem, but I'm not an ONC RPC expert. It just results in less detailed
dissection the second run :-(

I've changed the summary accordingly, but can't help your here ...


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.