Wireshark-users: Re: [Wireshark-users] dcerpc.cn_call_id display filter problem when reassembled

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 31 May 2007 00:10:14 +0200
On Wed, May 30, 2007 at 03:34:29PM -0400, andre.noel@xxxxxxx wrote:
> 
> I captured DCERPC traffic and then I did a filter to isolate a particular call ID with that filter :   dcerpc.cn_call_id == 96
> 
> I went through that problem:
> 
> When selecting the option "Allow subdissector to reassemble TCP streams" checked  the filter catches only the Request.
> 
> When deselecting the option "Allow subdissector to reassemble TCP streams" the filter catches both the Request and
> the Response. The frame is identified as limited during capture but I know it's not, I did a full frame capture.

It looks like you do not have all tcp segments of the conversation in the
tracefile. The DCE_RPC dissector knows it needs some more data. When
"allow subdissector to reassemble TCP streams" is off, the first frame
is dissected with all the information that is available to it. Since it
does know that more data should come, it says something about the
captured bytes. I agree the message is a bit misleading.

Once you turn on "allow subdissector to reassemble TCP streams", the dissector
tries to collect the data it knows should be there. Unfortunately the data
is not there because some tcp-segments are missing. Therefore it does
not dissect the packet and the filter fails to see it...

The remedy is to collect all data of a conversation so that tcp-reassembly
is able to reconstruct all the higher-level PDUs :)

I hope this helps. Cheers,


Sake
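Added example, not part of the thread and not Wireshark's own code: a small Python model of the two behaviours Sake describes. It parses the 16-byte DCE/RPC connection-oriented PDU header (frag_length at offset 8, call_id at offset 12, byte order taken from the packed drep), builds a constructed trace in which the request fits in one TCP segment while the response spans two segments of which the second was not captured, and then applies "dcerpc.cn_call_id == 96" with and without desegmentation. The trace contents, segment sizes and the helper names (`build_pdu`, `dissect_direction`, `filter_call_id`, `constructed_trace`) are assumptions made for illustration; the model treats each captured segment as starting a PDU, which is a simplification of what the real dissector does.

```python
import struct

# DCE/RPC connection-oriented (CO) PDU header, 16 bytes (DCE 1.1 RPC, C706 ch. 12):
# rpc_vers, rpc_vers_minor, ptype, pfc_flags, packed_drep[4], frag_length, auth_length, call_id
CO_HDR_LEN = 16
PTYPE_REQUEST = 0
PTYPE_RESPONSE = 2
PTYPE_NAMES = {PTYPE_REQUEST: "Request", PTYPE_RESPONSE: "Response"}


def parse_co_header(data):
    """Parse a CO header; returns (ptype, frag_length, call_id) or None if < 16 bytes."""
    if len(data) < CO_HDR_LEN:
        return None
    ptype = data[2]
    # packed_drep[0] high nibble: 0x1 = little-endian integers, 0x0 = big-endian.
    endian = "<" if (data[4] & 0xF0) == 0x10 else ">"
    frag_length, _auth_length, call_id = struct.unpack_from(endian + "HHI", data, 8)
    return ptype, frag_length, call_id


def build_pdu(ptype, call_id, body):
    """Constructed CO PDU: version 5.0, first+last fragment flags, little-endian drep."""
    hdr = struct.pack("<BBBB", 5, 0, ptype, 0x03) + bytes([0x10, 0, 0, 0])
    hdr += struct.pack("<HHI", CO_HDR_LEN + len(body), 0, call_id)
    return hdr + body


def dissect_direction(segments, desegment):
    """Model of one direction of a TCP stream as the DCE/RPC dissector sees it.

    segments: list of (relative_seq, payload) for the segments actually captured,
    sorted by seq; a seq jump means a segment is missing from the trace.
    Returns a list of (ptype_name, call_id, status) for PDUs the dissector produced.
    """
    results = []
    i = 0
    while i < len(segments):
        seq, payload = segments[i]
        hdr = parse_co_header(payload)
        if hdr is None:
            i += 1  # too short for a header: shown as continuation/unknown data
            continue
        ptype, frag_length, call_id = hdr
        name = PTYPE_NAMES.get(ptype, "ptype %d" % ptype)
        if not desegment:
            # Dissect what is in this frame. The header promises frag_length bytes,
            # so a shorter frame is reported as truncated (the "limited" message).
            status = "complete" if len(payload) >= frag_length else "truncated"
            results.append((name, call_id, status))
            i += 1
            continue
        # Desegmentation on: collect contiguous bytes until frag_length is reached.
        buf = bytearray(payload)
        expected = seq + len(payload)
        j = i + 1
        while len(buf) < frag_length and j < len(segments) and segments[j][0] == expected:
            buf += segments[j][1]
            expected += len(segments[j][1])
            j += 1
        if len(buf) >= frag_length:
            results.append((name, call_id, "complete"))
        # else: a segment is missing, the PDU is never handed to the dissector,
        # so nothing is produced and dcerpc.* filters do not match these frames.
        i = j
    return results


def filter_call_id(directions, desegment, call_id):
    """Apply 'dcerpc.cn_call_id == call_id' across both directions of a conversation."""
    hits = []
    for segs in directions:
        for name, cid, status in dissect_direction(segs, desegment):
            if cid == call_id:
                hits.append((name, status))
    return hits


def constructed_trace(drop_second_response_segment):
    """Constructed capture: request in one segment, response spread over two."""
    request = build_pdu(PTYPE_REQUEST, 96, b"\x00" * 40)      # 56 bytes, one segment
    response = build_pdu(PTYPE_RESPONSE, 96, b"\x00" * 200)   # 216 bytes, two segments
    client_to_server = [(0, request)]
    server_to_client = [(0, response[:120]), (120, response[120:])]
    if drop_second_response_segment:
        server_to_client = server_to_client[:1]               # second segment never captured
    return [client_to_server, server_to_client]


if __name__ == "__main__":
    for drop in (True, False):
        for desegment in (False, True):
            print("missing segment=%s desegment=%s -> %s"
                  % (drop, desegment, filter_call_id(constructed_trace(drop), desegment, 96)))
```

With the second response segment missing, the filter matches the request and a truncated response when desegmentation is off, and only the request when it is on; with the full trace both PDUs come back complete under desegmentation, which is the remedy Sake describes. On a real capture the same check is `tshark -r trace.pcap -o tcp.desegment_tcp_streams:FALSE -Y "dcerpc.cn_call_id == 96"` against the default (TRUE), and the display filter `tcp.analysis.lost_segment` shows where the capture is missing segments.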