Ethereal-dev: Re: [Ethereal-dev] DCERPC fragment reassembly problem: complete

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jaime Fournier <jafour1@xxxxxxxxx>
Date: Mon, 9 Sep 2002 03:59:35 -0700 (PDT)

Excellent.
I was wondering why it fragmented at both levels.
Definitely make use of this.
Thanks for prompt assistance.
--- Ronnie Sahlberg <sahlberg@xxxxxxxxxxxxxxxx> wrote:
> 
> ----- Original Message -----
> From: "Jaime Fournier"
> Sent: Monday, September 09, 2002 2:25 PM
> Subject: [Ethereal-dev] DCERPC fragment reassembly problem: complete
> 
> 
> > I have a problem with fragment reassembly on dfs fragments. Guy had looked
> > at this before, but I was unable to provide a complete pdu. I have included,
> > what looks complete to me, an example.
> >
> > If not Guy, anyone else know why it won't reassemble properly?
> >
> > Thanks!
> >
> > This was a copy of a simple file of 23404 lines of
> > [Aa...Zz01234567890\n]
> > 37731 1486 was the sum of the file copied.
> > If that helps.
> 
> I tried your capture and it seemed to reassemble just fine (within the
> limitations of ethereal).
>
> I loaded it into ethereal and only the IP layer was reassembled.
> I then looked at Edit/Preferences/Protocols/DCERPC and enabled
> "Reassemble DCERPC fragments".
> That caused ethereal to reassemble the frame properly.
>
> I did have to reapply an empty display filter (just click in the filter
> textbox and press return) in order for the COL_INFO line to change from
> "Fragmented IP Protocol" into "Request: seq_num..."
>
> Needing to reapply the display filter in order to update the Info columns is an
> unfortunate side effect of ethereal scanning the capture file linearly.
> Ethereal can unfortunately not go back and redissect a previous packet just
> because the reassembly status has changed. :-(
> 
> 
> (if we, as I would want, but since I am the only one in the world wanting
> this its possibility of happening is exactly 0, dropped features such as
> doing capturing or reading compressed capture files, we could do cool and very
> stateful things easily, such as go back and redissect earlier packets in the
> capture)
> 
> 
> The dcerpc packet in frame 7 contains 131304 bytes of stub data according to
> my stock 0.9.6 version of ethereal. It is fragmented at both the IP and
> DCERPC layer, so you must have both
> Edit/Preferences/Protocols/IP/Reassemble fragmented IP datagrams
> and
> Edit/Preferences/Protocols/DCERPC/Reassemble DCERPC fragments
> enabled.
>
> Thus you will get three tabs just above the display filter when you look at
> frame 7:
> Frame:Reassembled IPv4:Reassembled DCE/RPC


=====
Jaime Fournier
