Ethereal-dev: Re: [Ethereal-dev] smb, dcerpc, having old-style dissector call a tvbuff one?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Tim Potter <tpot@xxxxxxxxxxx>
Date: Fri, 3 Aug 2001 08:20:41 +1000 (EST)

Guy Harris writes:

> On Sun, Jul 22, 2001 at 05:46:39PM +1000, Tim Potter wrote:
> > I had most of a patch to do this.  You need to take the uid from
> > the sesssetupX packet, the tid from the tconX, and the fid from
> > the ntcreateX packet.  This information, plus the existing
> > guint32 conversation id gives you a unique tuple that you can
> > match to a pipe name.
> 
> Will the UID and TID be the same as the ones that appear in the
> TRANSACTION SMB that contains the MSRPC messages?

Yes.

> And does the FID appear in the TRANSACTION SMB?  If not, something else
> in that SMB must indicate which pipe is being used.

Also yes.  The fid is contained in the SMB flags2 field.  For the
first pipe created on a connection, the fid is usually 0x8001 and
seems to increment with each new pipe.

Note that ethereal currently doesn't decode enough of the
SMBntcreateX response to be able to find the returned fid.


Tim.
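
The tuple-to-pipe-name matching described in this message, sketched as an added example. It is not code from the original post or from Ethereal. All type and function names, the table size and the sample values are hypothetical, and extracting uid, tid and fid from the packets is assumed to happen elsewhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PIPES 64   /* assumed table size for this example */
/* The tuple from the message: conversation id plus uid, tid and fid. */
struct pipe_key { uint32_t conv_id; uint16_t uid, tid, fid; };
struct pipe_entry { struct pipe_key key; char name[64]; int in_use; };
static struct pipe_entry pipe_table[MAX_PIPES];

static struct pipe_entry *pipe_find(const struct pipe_key *k)
{
    for (int i = 0; i < MAX_PIPES; i++) {
        struct pipe_entry *e = &pipe_table[i];
        if (e->in_use && e->key.conv_id == k->conv_id && e->key.uid == k->uid &&
            e->key.tid == k->tid && e->key.fid == k->fid)
            return e;
    }
    return NULL;
}

/* Record a pipe once the fid is known; a reused tuple overwrites the old name.
 * Returns 0 on success, -1 if the table is full. */
int pipe_open(struct pipe_key k, const char *name)
{
    struct pipe_entry *e = pipe_find(&k);
    for (int i = 0; e == NULL && i < MAX_PIPES; i++)
        if (!pipe_table[i].in_use)
            e = &pipe_table[i];
    if (e == NULL) return -1;
    e->key = k;
    e->in_use = 1;
    snprintf(e->name, sizeof e->name, "%s", name);
    return 0;
}

/* Resolve the pipe for a later TRANSACTION SMB; NULL if the open was not seen. */
const char *pipe_lookup(struct pipe_key k)
{
    struct pipe_entry *e = pipe_find(&k);
    return e ? e->name : NULL;
}

int main(void)
{
    struct pipe_key k = {1, 0x0800, 0x0801, 0x8001};   /* constructed values */
    pipe_open(k, "\\PIPE\\samr");
    printf("%s\n", pipe_lookup(k));
    return 0;
}
```

Because the conversation id is part of the key, two connections that both hand out fid 0x8001 for their first pipe resolve to different names.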