Wireshark · Ethereal-dev: Re: [Ethereal-dev] DCERPC fragment reassembly problem: complete

Ethereal-dev: Re: [Ethereal-dev] DCERPC fragment reassembly problem: complete

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <sahlberg@xxxxxxxxxxxxxxxx>

Date: Mon, 9 Sep 2002 19:52:46 +1000

----- Original Message -----
From: "Jaime Fournier"
Sent: Monday, September 09, 2002 2:25 PM
Subject: [Ethereal-dev] DCERPC fragment reassembly problem: complete

> I have a problem with fragment reassembly on dfs
> fragments. Guy had looked at this before, but I was
> unable to provide a complete pdu. I have included,
> what looks complete to me, an example.
>
> If not Guy, anyone else know why it won't reassemble
> properly?
>
> Thanks!
>
> This was a copy of a simple file of 23404 lines of
> [Aa...Zz01234567890\n]
> 37731 1486 was the sum of the file copied.
> If that helps.

I tried your capture and it seemed to reassemble just fine (within the
limitations of ethereal)

I loaded it into ethereal and only the ip layer was reassembled.
I then looked at Edit/Preferences/Protocols/DCERPC and enabled
"Reassemble DCERPC fragments"
That caused ethereal to reassemble the frame properly.

I did have to reapply an empty displayfilter (just klick in the filter
textbox and press return)
in order for the COL_INFO line to change from "Fragmented IP Protocol"
into "Request: seq_num..."

Needing to reapply the displayfilter in order to update the InfoColums is an
unfortunate sideeddeft of ethereal scanning the capturefile linearly.
Ethereal can unfortunately not go back and redissect a previous packet just
bacause
the reassembly status has changed. :-(

(if we, as I would want but since I am the only one in the world wanting
this its possibility of happening is exactly 0, dropped features such as
doing capturing or reading compressed capturefiles we could do cool and very
stateful things easily, such as go back and redissect earlier packets in the
capture)

The dcerpc packet in frame 7 contains 131304 bytes of stub data according to
my stock 0.9.6 version of ethereal. It is fragmented at both the IP and
DCERPC layer
so you must have both
Edit/Preferences/Protocols/IP/Reassemble fragmented IP datagrams
and
Edit/Preferences/Protocols/DCERPC/Reassemble DCERPC fragments
enabled.

Thus you will get three tabs just above the displayfilter when you look at
frame 7:
Frame:Reassembled IPv4:Reassembled DCE/RPC

Follow-Ups:
- Re: [Ethereal-dev] DCERPC fragment reassembly problem: complete
  - From: Jaime Fournier

References:
- [Ethereal-dev] DCERPC fragment reassembly problem: complete
  - From: Jaime Fournier

Prev by Date: Re: [Ethereal-dev] Tap extensions. Comments please.
Next by Date: Re: [Ethereal-dev] throughput graph
Previous by thread: [Ethereal-dev] DCERPC fragment reassembly problem: complete
Next by thread: Re: [Ethereal-dev] DCERPC fragment reassembly problem: complete
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$