Ethereal-dev: Re: [Ethereal-dev] NLM decode problem Ethereal vs. Sniffer Pro

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 21 Jan 2003 23:48:35 -0800

On Wed, Jan 22, 2003 at 06:37:43PM +1100, Ronnie Sahlberg wrote:
> NLM decoding in NetMon and Sniffer is known to be suboptimal.

NLM decoding in NetMon is, as far as I know, *nonexistent*; the version
I have thinks the traffic in that capture is all just TCP.  Perhaps it's
Just Too Hard to use a heuristic to find ONC RPC traffic, or something
such as that.  (NetMon *does* do portmapper and NFS, but that's easy -
just look for port 111 and 2049.)

It doesn't seem to handle RPC-over-TCP too well, either (as in "it
doesn't know about fragment headers, so it completely fails to dissect
RPC-over-TCP correctly").

> Maybe they have hardcoded the offset of where NLM starts into the packet 
> and get confused by some header being too unexpectedly long.

A later version of Sniffer Pro appears to dissect packet 10 correctly.
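
The following is an added example, not part of the original message and not Ethereal's code. It shows why a decoder that ignores the fragment headers of RPC-over-TCP (ONC RPC record marking, RFC 5531) misreads the call, and how a heuristic check works once the record is reassembled. The function names and the sample stream are constructed for illustration; 100021 is the ONC RPC program number for NLM.

```python
import struct

NLM_PROGRAM = 100021          # ONC RPC program number of the NFS lock manager
LAST_FRAGMENT = 0x80000000    # high bit of the 4-byte record mark

def reassemble_records(stream):
    """Split a TCP byte stream into complete RPC records.

    Each fragment starts with a 4-byte big-endian mark: the high bit flags the
    last fragment of a record, the low 31 bits give the fragment length.
    Returns (records, consumed); bytes past `consumed` belong to a record that
    is still incomplete and must wait for more TCP data.
    """
    records, current, off, consumed = [], b"", 0, 0
    while off + 4 <= len(stream):
        (marker,) = struct.unpack_from(">I", stream, off)
        length = marker & 0x7FFFFFFF
        if off + 4 + length > len(stream):
            break                      # fragment continues in a later segment
        current += stream[off + 4 : off + 4 + length]
        off += 4 + length
        if marker & LAST_FRAGMENT:
            records.append(current)
            current, consumed = b"", off
    return records, consumed

def looks_like_rpc_call(record):
    """Heuristic: an RPC call has msg_type 0 (CALL) and rpcvers 2."""
    if len(record) < 24:
        return None
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack_from(">6I", record)
    if msg_type != 0 or rpcvers != 2:
        return None
    return {"xid": xid, "program": prog, "version": vers, "procedure": proc}

def build_sample_stream():
    """Constructed sample: one NLM v4 call (AUTH_NULL), sent as two fragments."""
    body = struct.pack(">6I", 0x1234ABCD, 0, 2, NLM_PROGRAM, 4, 2)
    body += struct.pack(">4I", 0, 0, 0, 0)   # empty credential and verifier
    first, rest = body[:10], body[10:]
    return (struct.pack(">I", len(first)) + first +
            struct.pack(">I", LAST_FRAGMENT | len(rest)) + rest)

SAMPLE_STREAM = build_sample_stream()

if __name__ == "__main__":
    records, consumed = reassemble_records(SAMPLE_STREAM)
    print("with record marking:", looks_like_rpc_call(records[0]))
    # Parsing from offset 0 treats the record mark as the XID and fails.
    print("ignoring fragment headers:", looks_like_rpc_call(SAMPLE_STREAM))
```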