> The dissect_pipe_msrpc() function creates one of these before invoking
> the dcerpc dissector:
>
> dcerpc_private_info dcerpc_priv;
> smb_info_t *smb_priv = (smb_info_t *)pinfo->private_data;
>
> dcerpc_priv.transport_type = DCERPC_TRANSPORT_SMB;
> dcerpc_priv.data.smb.fid = smb_priv->fid;
>
> pinfo->private_data = &dcerpc_priv;
That will work only if the DCE RPC dissector routine you're calling
is called *only* from "dissect_pipe_msrpc()"; otherwise, it can have
"pinfo->private_data" point to more than one type of data structure.
I.e., instead of doing
heur_dissector_add ("msrpc", dissect_dcerpc_cn, proto_dcerpc);
you'd have a "dissect_dcerpc_smb" routine, which would, say, extract
the FID from the structure and then call a "dissect_dcerpc_cn_common"
routine, which would have a calling sequence similar to
"dissect_dcerpc_cn" except that it takes an extra "fid" argument. That
routine would contain the code that's currently in "dissect_dcerpc_cn".
"dissect_dcerpc_cn" would call "dissect_dcerpc_cn_common", passing it,
say, 0 or -1 as a "fid" argument. (If it's -1, make sure the "fid"
argument is "int", not "guint16"....)
To do TCP segment reassembly, there'd also be a "dissect_dcerpc_tcp"
routine, which would do the reassembly stuff *and* handle the case of
multiple DCE RPC PDUs in the same segment; it would also call
"dissect_dcerpc_cn_common" for each of the PDUs it found.
"dissect_dcerpc_tcp" would be registered as the heuristic dissector in
the "tcp" table; "dissect_dcerpc_smb" would be registered as the
heuristic dissector in the "msrpc" table.
