Ethereal-users: Re: [Ethereal-users] ethereal not parsing ONC-RPC packets over TCP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 29 Feb 2004 10:28:07 -0800
On Sun, Feb 29, 2004 at 08:55:29AM -0800, Lever, Charles wrote:
> i'm attempting to analyze a network trace with Ethereal 0.10.2
> between a RHEL 3.0 NFS client and a Network Appliance filer.
> the trace is RPC over TCP.  the dissector sees the client
> read requests, but the filer's replies appear only as "RPC
> continuation data".  is there anything i can do to help the
> dissector recognize and parse the filer's replies?

You're not capturing with a snapshot length, are you?  I.e., the first
line of the decode for a packet doesn't give "Frame N (M bytes on wire,
K bytes captured), with K < M)", it gives "Frame N (M bytes on wire, M
bytes captured)", right?  If so, then whoever's doing the capture is
probably either

	1) explicitly setting a snapshot length, in which case they
	   should stop

or

	2) using tcpdump, in which case they should explicitly give a
	   snapshot length of 65535 with "-s 65535"

as, while that shouldn't cause *all* reply frames to appear as "RPC
continuation data", it'll probably cause all but the first frame of the
reply to appear as such.

If that's not the problem, I'd have to see a capture of that sort to see
what the problem is - perhaps the reply isn't starting at the first byte
of the first reply TCP segment, or perhaps it's something else.