Hi,
here are some more random thoughts on large NetBT messages.
The problem occurs when some platforms, like Win95 and WinNT send messages
that are larger than the MSS on a TCP connection. I am not sure if this
problem occurs with NetBEUI (I don't think it does) or NBIPX.
Win95 and WinNT sends file writes as blocks of 4096 and 4296 (it seems)
respectively. These go out as one NetBT message, in three segments.
So, what we need to be able to do, it seems, is track the NetBT messages.
Ie, when a TCP segment is received, and it is NetBT traffic, check to see
if it is in a message we are already decoding, and simply record it as a
continuation. If not, then call the SMB decoder on the first segment.
If we are not yet decoding a NetBT message, then we need to be careful. It
would help if we had a TCP object hanging around, so we could see if we
have just seen the three way handshake and the NetBIOS session setup
exchange. Otherwise, we may have to use some heuristics. Check if it is a
message, and if it looks like one, check if there is an SMB in it (which is
about the only thing that can be in there).
Regards
-------
Richard Sharpe, sharpe@xxxxxxxxxx, NS Computer Software and Services P/L,
Samba (Team member www.samba.org), Ethereal (Team member www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author, First Australian Linux Course
