Ronnie Sahlberg <[EMAIL PROTECTED]> writes:
> Hi list.
>
> I just checked in a quick fix to enable ethereal to handle a new type of
> DCERPC over SMB transport.
> This is for DCERPC that is transported directly on top of read/write calls
> and NOT using SMB Transaction pipes.
>
> I hope this patch does not interact badly with the previous DCERPC over SMB
> Transaction handling.
> Please mail me if there is something that breaks.
I've seen this kind of stuff, too. For me, it's usually win2k doing the bind/bind-ack part of its DCERPC session with SMBread/write and then switching to SMBtrans for the actual calls.

However, your patch doesn't fix things for my captures. (It doesn't break anything, either.) My traces have this pattern with SMBWriteAndX and SMBReadAndX (with no following command), instead of just SMBWrite and SMBRead. There's also a byte of padding sometimes.

I was looking at how to extend your patch to the other calls, and it seemed like it might make more sense to push your changes down into dissect_file_data(). All read/writes seem to funnel through there, so maybe it could check whether the file is actually a pipe, and if so, hand off to dissect_pipe_dcerpc. I'm not that familiar with the SMB code in ethereal, so perhaps that wouldn't be so simple?

Thoughts?

Todd
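The check Todd proposes (decide at the read/write funnel point whether the FID is a pipe, then hand the payload to a DCERPC probe that tolerates the occasional pad byte) as an added, stand-alone C example; this is not Ethereal's code, and fid_table, register_fid, probe_dcerpc and the sample bytes are constructed here for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <strings.h>

/* Constructed stand-in for the per-connection FID state a dissector keeps. */
#define MAX_FIDS 16
static struct { uint16_t fid; bool is_pipe; } fid_table[MAX_FIDS];
static size_t fid_count;

/* Remember, at open time, whether a FID refers to a named pipe (\PIPE\...). */
void register_fid(uint16_t fid, const char *path) {
    if (fid_count >= MAX_FIDS || path == NULL) return;
    fid_table[fid_count].fid = fid;
    fid_table[fid_count].is_pipe = strncasecmp(path, "\\PIPE\\", 6) == 0;
    fid_count++;
}

bool fid_is_pipe(uint16_t fid) {
    for (size_t i = 0; i < fid_count; i++)
        if (fid_table[i].fid == fid) return fid_table[i].is_pipe;
    return false;
}

/* DCERPC common header is 16 bytes: rpc_vers, rpc_vers_minor, ptype, pfc_flags,
 * drep[4], frag_length, auth_length, call_id. Bind is ptype 11, bind_ack 12. */
enum { DCERPC_BIND = 11, DCERPC_BIND_ACK = 12 };

/* Look for a DCERPC header at offset 0 or 1 (one pad byte, as in the captures
 * above). Returns the ptype and sets *hdr_off, or -1 if nothing plausible. */
int probe_dcerpc(const uint8_t *data, size_t len, size_t *hdr_off) {
    for (size_t off = 0; off <= 1 && off + 16 <= len; off++) {
        const uint8_t *p = data + off;
        if (p[0] != 5 || p[1] > 1) continue;               /* version 5.0 or 5.1 */
        bool le = (p[4] & 0x10) != 0;                       /* drep: integer byte order */
        uint16_t frag = le ? (uint16_t)(p[8] | p[9] << 8) : (uint16_t)(p[8] << 8 | p[9]);
        if (frag < 16) continue;                            /* cannot be a real PDU */
        if (hdr_off) *hdr_off = off;
        return p[2];
    }
    return -1;
}

/* The funnel point Todd describes: read/write data reaches here; only data on a
 * pipe FID is handed to the DCERPC probe, ordinary file I/O is left alone. */
int dissect_file_data(uint16_t fid, const uint8_t *data, size_t len) {
    return fid_is_pipe(fid) ? probe_dcerpc(data, len, NULL) : -1;
}

/* Constructed sample: one pad byte, then a little-endian bind header, frag_length 72. */
const uint8_t sample_write[17] = { 0x00, 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
                                   0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 };
```

Reassembly of a PDU split across several read/write calls is left out here; the probe only classifies the first bytes of each call.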