On Wed, May 30, 2007 at 03:34:29PM -0400, [EMAIL PROTECTED] wrote:
I captured DCERPC traffic and then I did a filter to isolate a particular
call ID with that filter : dcerpc.cn_call_id == 96
I went trough that problem:
When selecting the option Allow subdissector to reassemble TCP streams
checked the filter catches only the Request.
When deselecting the option Allow subdissector to reassemble TCP streams
the filter catches both the Request and
The Response. The frame is identified as limited during capture but I know
it's not, I did a full frame capture.
It looks like you do not have all tcp segments of the conversation in the
tracefile. The DCE_RPC dissector knows it needs some more data. When
allow subdissector to reassemble TCP streams is off, the first frame
is dissected with all the information that is available to it. Since it
does know that more data should come, hence it says something about the
captured bytes. I agree the message is a bit misleading.
Once you turn on allow subdissector to reassemble TCP streams, the dissector
tries to collect the data it knows should be there. Unfortunately the data
is not there because some tcp-segments are missing. Therefor it does
not dissect the packet and the filter fails to see it...
The remedy is to collect all data of a conversation so that tcp-reassembly
is able to reconstruct all the higher-level PDU's :)
I hope this helps, Cheers,
Sake
___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
