Wireshark-users: [Wireshark-users] dcerpc.cn_call_id display filter problem when reassembled PDU
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: <andre.noel@xxxxxxx>
Date: Wed, 30 May 2007 15:34:29 -0400

Hi,

 

I captured DCERPC traffic and then I did a filter to isolate a particular call ID with that filter :   dcerpc.cn_call_id == 96

I went trough that problem:

 

When selecting the option “Allow subdissector to reassemble TCP streams” checked  the filter catches only the Request.

 

When deselecting the option “Allow subdissector to reassemble TCP streams”  the filter catches both the Request and

The Response.   The frame is identified as limited during capture but I know it’s not, I did a full frame capture.

 

Might it be because the frame is exactly 1514 bytes long or I might be wrong with something ?

 

I attached a small capture that has what I described.

 

Regards.

 

 

===========================================

André Noël

Attachment: dcerpc.pcap
Description: dcerpc.pcap