Ethereal-dev: Fix: Re: [Ethereal-dev] more hidden fields

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jaime Fournier <jafour1@xxxxxxxxx>
Date: Fri, 21 Jun 2002 17:56:03 -0700 (PDT)
FIX needed for the PDU_CL_CANCEL stanza on
line 3282 of packet-dcerpc.c

Without the testing for hdr.frag_len being 0,
I end up with all DFS Cl_cancels showing up as
"[malformed packet]".

In fact, EVERY Cl_cancel packet that I have come
across in DFS has a hdr.fr of 0.

I would have provided a unified diff, but it's a
one-liner.

@line 3283
case PDU_CL_CANCEL:
+ if (hdr.frag_len != 0)
dissect_dcerpc_dg_cancel (tvb, offset,
pinfo,dcerpc_tree, &hdr);
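
Review bot: the added `if (hdr.frag_len != 0)` has no braces and guards a call that is wrapped over two lines, so a later edit can easily detach the call from the check; wrap the call in `{ }`. Please also put a one-line comment above the test saying that a cl_cancel may arrive with a zero frag_len (as reported here for DFS), since otherwise the silently skipped dissection looks like an oversight. The posted lines stop at the call, so confirm that the `break;` for this case still follows it and that the case does not fall through when the body is skipped.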

Thanks!



--- Jaime Fournier <jafour1@xxxxxxxxx> wrote:
> Excellent!
> This is going to make my job a lot easier.
> I am packet logging, and using the info field for
> all
> my stuff, but the op code makes it MUCH easier to key
> on. Keeps me from post filtering it as well!
> 
> 
> --- Tim Potter <tpot@xxxxxxxxx> wrote:
> > On Tue, May 14, 2002 at 08:47:58PM -0700, Guy
> Harris
> > wrote:
> > 
> > > On Wed, May 15, 2002 at 01:16:11PM +1000, Tim
> > Potter wrote:
> > > > This hidden field business got me thinking. 
> > I've made a small change to
> > > > the dcerpc init routines which allows you to
> > filter by string names for
> > > > dcerpc subcommands.
> > > > 
> > > > I've changed dcerpc_init_uuid() to take an
> extra
> > value - a hf field
> > > > which corresponds to the opnum for the
> > subdissector with a value_string
> > > > array associated with it.  The
> > dcerpc_try_handoff() routine inserts a
> > 
> > [...]
> > 
> > > I'd thought about the same thing a while ago; I
> > forget whether I
> > > mentioned it to ethereal-dev or not.  (I *did*
> > mention it in the comment
> > > on line 1028 or so in "packet-dcerpc.c". :-))
> > > 
> > > I think it's the right thing to do.
> > > 
> > > However, you might, instead, want to *replace*
> the
> > call *after* the
> > > comment I mentioned with a call to add the
> > subdissector's field as a
> > > *non*-hidden field (and get rid of
> > "hf_dcerpc_op").  That would let you
> > > do a "Match Selected" on that entry in the
> > protocol tree.
> > 
> > I've found a bit of spare time and implemented
> this.
> >  There is an extra field
> > in the dcerpc_uuid_value structure which holds a
> hf
> > value.  This is
> > initialised by the protocol dissector that
> registers
> > the DCERPC
> > subprotocol.  If this value is not -1, it is
> > inserted into the proto
> > tree!
> > 
> > So you can now do things like filter on
> > 'spoolss.opnum == openprinterex'
> > to catch all open printer requests and replies.
> > 
> > I'm in the process of updating all the dcerpc
> > dissectors for this and if
> > there aren't any objections I'd like to check it
> in
> > later on today.
> > 
> > 
> > Tim.
> > 
> > _______________________________________________
> > Ethereal-dev mailing list
> > Ethereal-dev@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-dev
> 
> 
> =====
> Jaime Fournier
> 

=====
Jaime Fournier
