On Tue, 2002-05-21 at 12:22, Mike Richichi wrote:
> I have been patiently waiting for the results of the rewritten NCP
> decoder in Ethereal 0.9.4, and have tested it today. It is
> quite good but there are 2 problems I've noticed:
>
> 1) I've always had trouble with decoding NCP over IP packets (we're very
> soon going to be a Pure IP shop). It turns out that Ethereal is not
> properly decoding packets with packet signatures enabled. There's an
Can you send me a sample file?
> extra 8 bytes between the NCP over IP reply Buffer size field and the
> actual start of the NCP packet (this is determined by looking for an
> 0x2222 or 0x3333 as appropriate in the packet data), and assuming the
> NCP type header is immediately after the NCP over IP Reply Buffer Size
> information, instead of the signature. Once the offset is shifted it
> cannot decode the packets at all, reporting them as Unknown Types. I
> have verified this by turning off packet signatures and
> get good decoding information, except for the problem in the next item.
>
> 2) NCP over IP will use burst mode to to large transfers (program and
> data files in bulk) and these are identified as NCP packets but have
> little or no header data, so again the packet type is unknown. This is
> a minor problem though, because it's clear in the trace what's going on
> (there's an NCP open file request, a bunch of large packets with TCP
> ACKs from the server, then an NCP close file request.)
Yes, this is a known problem and is on the list of things to be taken
care of.
thanks,
--gilbert
