Ethereal-dev: Re: [Ethereal-dev] [PATCH] fid tracking

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Tim Potter <tpot@xxxxxxxxx>
Date: Mon, 19 Nov 2001 11:06:31 +1100
On Mon, Nov 19, 2001 at 10:49:34AM +1100, Tim Potter wrote:

> OK this is where it gets complicated.  Small DCERPC requests and responses
> (under 5620 bytes I think) are sent using a single SMBtrans.  For larger
> requests and responses the DCERPC packet is fragmented and the fragments
> are sent using SMBreadX or SMBwriteX.  The only way to link these together
> is by the FID which is the same in the SMB{read,write}X packets as it is
> in the SMBtrans packets.  I guess if you see the packets out of order then
> you have to do some tricky stuff in your defragmenter but that's OK.

One thing I forgot to mention - to determine whether a DCERPC packet
is fragmented, the error in the SMB header is set to 0x80000005
(STATUS_BUFFER_OVERFLOW) in the case of some pipes or ERROR_MORE_DATA
for others.  There's also some information in the DCERPC header of
the first packet.  Look at the flags and the fragment offset field.
Note that there can be DCERPC fragmentation as well as SMB fragmentation
which is why you will probably see the first and last fragment set in
a packet header but the packet spans multiple SMB packets.


Tim.
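The reassembly the mail describes, as an added example that is not part of the original message or of Ethereal's dissector: SMB-carried pieces of a DCERPC PDU are glued back together per FID, the SMB status STATUS_BUFFER_OVERFLOW is taken as the "more data follows on this FID" signal, and the DCERPC connection-oriented header (its PFC first/last fragment flags and frag_length) decides when a PDU is complete. The FIDs, stub bytes and the build_pdu helper are constructed for the example; the caller is assumed to have already extracted the pipe payload from each SMBtrans/SMBreadX/SMBwriteX packet.

```python
import struct

# DCERPC connection-oriented PDU header (16 bytes) and the SMB status the mail
# names; PFC flag values are the standard ones, FIDs below are constructed.
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
STATUS_BUFFER_OVERFLOW = 0x80000005
DREP_LE = b"\x10\x00\x00\x00"   # data representation: little-endian integers

def parse_dcerpc_header(data):
    """Return the CO header fields, or None if fewer than 16 bytes are present."""
    if len(data) < 16:
        return None
    ver, ver_minor, ptype, flags = struct.unpack_from("<BBBB", data, 0)
    drep = data[4:8]
    endian = "<" if drep[0] & 0x10 else ">"   # integer byte order comes from drep
    frag_length, auth_length, call_id = struct.unpack_from(endian + "HHI", data, 8)
    return {"ptype": ptype, "frag_length": frag_length, "call_id": call_id,
            "first": bool(flags & PFC_FIRST_FRAG), "last": bool(flags & PFC_LAST_FRAG)}

def build_pdu(flags, stub, call_id, ptype=2):
    """Constructed DCERPC response PDU (ptype 2) used only to drive the example."""
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, flags, DREP_LE, 16 + len(stub), 0, call_id)
    return hdr + stub

class FidReassembler:
    """Glue SMBtrans + SMBreadX/SMBwriteX payloads on one FID back into DCERPC PDUs."""
    def __init__(self):
        self.pending = {}    # fid -> bytearray holding a partial PDU
        self.completed = []  # (fid, header, pdu bytes) in arrival order
        self.truncated = []  # fids where SMB promised no more data but the PDU was short

    def feed(self, fid, smb_status, payload):
        buf = self.pending.setdefault(fid, bytearray())
        buf += payload
        hdr = parse_dcerpc_header(bytes(buf))
        if hdr is None or len(buf) < hdr["frag_length"]:
            if smb_status != STATUS_BUFFER_OVERFLOW:
                self.truncated.append(fid)      # no "more data" signalled, yet PDU incomplete
            return None
        pdu = bytes(buf[:hdr["frag_length"]])
        del buf[:hdr["frag_length"]]            # keep any bytes of a following PDU
        if not buf:
            del self.pending[fid]
        self.completed.append((fid, hdr, pdu))
        return hdr
```

A PDU whose header has PFC_FIRST_FRAG set but not PFC_LAST_FRAG is complete at the SMB level but is only one DCERPC-level fragment; stitching those stubs together is a second pass over `completed`, keyed by call_id.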