At 01:39 PM 10/5/99 -0700, Guy Harris <guy@xxxxxxxxxx> wrote:
>> So, in dissect_smb, I want to do something like:
>>
>> src_ip = get_src_ip(packet);
>> dst_ip = get_dst_ip(packet);
>> src_port = get_src_port(packet);
>> dst_port = get_dst_port(packet);
>>
>> state_block = hash_new_state(src_ip, dst_ip, src_port, dst_port,
>> sizeof(state_block));
>>
>> state_block -> Transact_Command = command;
>
>Would stuff like the "transact" command be associated with source and
>destination addresses ("addresses" here means network-layer address plus
>transport-layer port information), or with packets?

Hmmm, my initial thoughts were that I would associate it with IP addresses
and TCP ports, but the frame number could be added as well.

Indeed, I would see it as a useful repository. For example, one could
store the key sent by the server in a NegProt response ...

>I.e., store, with requests known to have a response that, to be decoded,
>requires information from the request, that information, and store, for
>each request of that sort, in another database, indexed by source and
>destination addresses and "transaction ID" (multiplexor ID, if I
>remember correctly, for SMB; transaction ID for ONC RPC), either a
>pointer to that stored information, or to the request's frame, or both.
>Then, when a response is seen, look it up by addresses and transaction
>ID.
>
>(Storing a reference to the frame could let you add, in the protocol
>tree for a reply, an entry saying "this is a reply to a request starting
>in frame XXX" - "snoop" prints out that, as I remember, at least for ONC
>RPC requests.)

Yes, this would be useful.

Regards
-------
Richard Sharpe, sharpe@xxxxxxxxxx, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
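
The request/response matching discussed in this thread, sketched as an added example that is not part of the original message or of Ethereal's code: a request is stored under its addresses, ports and multiplex ID together with its frame number, and a response finds it by swapping source and destination. All names (`struct pkt`, `smb_note_request`, `smb_find_request`) and the fixed-size table are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

#define SLOTS 256                       /* power of two, never resized */

struct pkt {                            /* hypothetical per-packet summary */
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port, mid;   /* mid = SMB multiplex ID */
};
struct smb_state {
    struct pkt req;                     /* key: endpoints + MID of the request */
    uint32_t frame;                     /* request frame number, 0 = empty slot */
    uint8_t command;                    /* e.g. Transact command for the reply */
};
static struct smb_state table[SLOTS];

static int same(const struct pkt *a, const struct pkt *b) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->mid == b->mid;
}

/* Linear probing: returns the matching slot, else the first empty slot when
 * want_empty is set, else NULL (not found, or table full). */
static struct smb_state *probe(const struct pkt *k, int want_empty) {
    uint32_t h = (k->src_ip ^ k->dst_ip ^ k->src_port ^ k->dst_port ^ k->mid) * 2654435761u;
    for (unsigned i = 0; i < SLOTS; i++) {
        struct smb_state *s = &table[((h >> 16) + i) & (SLOTS - 1)];
        if (s->frame == 0) return want_empty ? s : NULL;
        if (same(&s->req, k)) return s;
    }
    return NULL;
}

/* Request seen: remember what decoding the reply will need. A reused MID on
 * the same connection overwrites the older entry. Returns 0 on success. */
int smb_note_request(const struct pkt *p, uint8_t command, uint32_t frame) {
    struct smb_state *s = frame ? probe(p, 1) : NULL;
    if (!s) return -1;
    s->req = *p; s->command = command; s->frame = frame;
    return 0;
}

/* Response seen: its source and destination are the request's swapped, so
 * swap them back before looking up. Returns NULL if no request was recorded. */
const struct smb_state *smb_find_request(const struct pkt *p) {
    struct pkt k = { p->dst_ip, p->src_ip, p->dst_port, p->src_port, p->mid };
    return probe(&k, 0);
}
```

The `frame` field of the returned entry is what a dissector would use for a "reply to request in frame N" tree item, and a NULL result covers captures that start mid-conversation.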