----- Original Message -----
From: "Guy Harris
Subject: Re: [Ethereal-dev] packet-smb big patch
> > May I ask what client implementation you have seen this behaviour on?
>
> Windows. (I don't know whether it's OT or NT - I suspect some version
> of NT - nor what version, i.e. 4.0 or 5.0^H^H^H^H2000.)
>
> In any case, it could be simplified, but that'd make it incorrect;
> "everything should be made as simple but no simpler".
>
> > looks like the last transaction call to be converted needs a fair bit of
> > work.
>
> Why? The transaction-hashing code is already in now, and it worked for
> the non-tvbuffified code, so that shouldn't make a difference.
You are right. It will not make much difference.
I will prepare and mail the patch probably today.
Another topic: simplifying (imho) smb_info/conversations.
Would not something like this work for all observed behaviours when clients
are
reusing mid's and allow complete removeal of the conversation stuff ?
And also make it much simpler and easier to understand?
It would also reduce the memory footprint quite a bit.
Remove address structs and frame_req frame_res, mid, etc from smb_info_t.
i.e.
everything that is just used to match requests with responses.
Create TWO tables to store smb_info_t structs in, one for unmatched requests
and one for matched requests/responses.
struct smb_unmatched {
address src;
address dst;
int frame_req;
int mid;
xxx (pid? uid? tid?)
smb_info_t *smb_info
}
struct smb_matched {
int frame_req;
int frame_res;
smb_info_t *smb_info
}
And the following algorithm:
if(!pinfo->fd->visited){
if(request){
if(response_is_expected){
add_smb_unmatched_to_unmatched_table
}
}
if(response){
find_request_smb_in_unmatched_table
if(smb_was_found){
remove_smb_from_unmatched_table
insert_smb_in_matched_table
} else {
response_is_to_unknown_request
}
}
}
if(pinfo->flags->visited){
find_smb_request/response_in_matched_table
if(smb_not_found){
do_as_good_job_as_possible_to_dissect (identical to what
conversation or anything else must do)
}
}
The address structs are only stored for requests that has not yet been
matched with responses.
When a response is seen, the address structs are stripped and replaced with
frame numbers for request and response,
frame numbers need much less space to be stored and will hash close to
perfectly, also they will be wery easy to search for.
This would be very simple and I think it could eliminate the entire
conversation complexity in smb.
Also it would allow smb_info to be the only struct we allocate dynamically
to store for each smb.
SMB would be possible to reduce significantly in size.
(semi-important if looking at 50.000+ packet smb captures)
Guy, what do you think? Do you think it would work? (I think so)
If so, I can look into implementing this after my last transaction patch has
been generated. (which is the final patch for tvbuffication I had)
best regards
ronnie s
