Ronnie Sahlberg <sahlberg@xxxxxxxxxxxxxxxx> writes:
> Hi list.
>
> I just checked in a quick fix to enable ethereal to handle a new type of
> DCERPC over SMB transport.
> This is for DCERPC that is transported directly on top of read/write calls
> and NOT using SMB Transaction pipes.
>
> I hope this patch does not interact badly with the previous DCERPC over SMB
> Transaction handling.
> Please mail me if there is something that breaks.

I've seen this kind of stuff, too. For me, it's usually win2k doing
the bind/bind-ack part of its DCERPC session with SMBread/write and
then switching to SMBtrans for the actual calls. However, your patch
doesn't fix things for my captures. (It doesn't break anything,
either.) My traces have this pattern with SMBWriteAndX and
SMBReadAndX (with no following command), instead of just SMBWrite and
SMBRead. There's also a byte of padding sometimes.

I was looking at how to extend your patch to the other calls, and it
seemed like it might make more sense to push your changes down into
dissect_file_data(). All read/writes seem to funnel through there, so
maybe it could check whether the file is actually a pipe, and if so,
hand off to dissect_pipe_dcerpc. I'm not that familiar with the SMB
code in ethereal, so perhaps that wouldn't be so simple?

Thoughts?

Todd