----- Original Message ----- From: "Jaime Fournier" Sent: Monday, September 09, 2002 2:25 PM Subject: [Ethereal-dev] DCERPC fragment reassembly problem: complete
> I have a problem with fragment reassembly on dfs > fragments. Guy had looked at this before, but I was > unable to provide a complete pdu. I have included, > what looks complete to me, an example. > > If not Guy, anyone else know why it won't reassemble > properly? > > Thanks! > > This was a copy of a simple file of 23404 lines of > [Aa...Zz01234567890\n] > 37731 1486 was the sum of the file copied. > If that helps. I tried your capture and it seemed to reassemble just fine (within the limitations of ethereal) I loaded it into ethereal and only the ip layer was reassembled. I then looked at Edit/Preferences/Protocols/DCERPC and enabled "Reassemble DCERPC fragments" That caused ethereal to reassemble the frame properly. I did have to reapply an empty displayfilter (just klick in the filter textbox and press return) in order for the COL_INFO line to change from "Fragmented IP Protocol" into "Request: seq_num..." Needing to reapply the displayfilter in order to update the InfoColums is an unfortunate sideeddeft of ethereal scanning the capturefile linearly. Ethereal can unfortunately not go back and redissect a previous packet just bacause the reassembly status has changed. :-( (if we, as I would want but since I am the only one in the world wanting this its possibility of happening is exactly 0, dropped features such as doing capturing or reading compressed capturefiles we could do cool and very stateful things easily, such as go back and redissect earlier packets in the capture) The dcerpc packet in frame 7 contains 131304 bytes of stub data according to my stock 0.9.6 version of ethereal. It is fragmented at both the IP and DCERPC layer so you must have both Edit/Preferences/Protocols/IP/Reassemble fragmented IP datagrams and Edit/Preferences/Protocols/DCERPC/Reassemble DCERPC fragments enabled. Thus you will get three tabs just above the displayfilter when you look at frame 7: Frame:Reassembled IPv4:Reassembled DCE/RPC
