Exceelllent. I was wondering why it fragmented at both levels. Definately make use of this. Thanks for prompt assistance. --- Ronnie Sahlberg <[EMAIL PROTECTED]> wrote: > > ----- Original Message ----- > From: "Jaime Fournier" > Sent: Monday, September 09, 2002 2:25 PM > Subject: [Ethereal-dev] DCERPC fragment reassembly > problem: complete > > > > I have a problem with fragment reassembly on dfs > > fragments. Guy had looked at this before, but I > was > > unable to provide a complete pdu. I have included, > > what looks complete to me, an example. > > > > If not Guy, anyone else know why it won't > reassemble > > properly? > > > > Thanks! > > > > This was a copy of a simple file of 23404 lines of > > [Aa...Zz01234567890\n] > > 37731 1486 was the sum of the file copied. > > If that helps. > > I tried your capture and it seemed to reassemble > just fine (within the > limitations of ethereal) > > I loaded it into ethereal and only the ip layer was > reassembled. > I then looked at Edit/Preferences/Protocols/DCERPC > and enabled > "Reassemble DCERPC fragments" > That caused ethereal to reassemble the frame > properly. > > I did have to reapply an empty displayfilter (just > klick in the filter > textbox and press return) > in order for the COL_INFO line to change from > "Fragmented IP Protocol" > into "Request: seq_num..." > > Needing to reapply the displayfilter in order to > update the InfoColums is an > unfortunate sideeddeft of ethereal scanning the > capturefile linearly. > Ethereal can unfortunately not go back and redissect > a previous packet just > bacause > the reassembly status has changed. :-( > > > (if we, as I would want but since I am the only one > in the world wanting > this its possibility of happening is exactly 0, > dropped features such as > doing capturing or reading compressed capturefiles > we could do cool and very > stateful things easily, such as go back and > redissect earlier packets in the > capture) > > > The dcerpc packet in frame 7 contains 131304 bytes > of stub data according to > my stock 0.9.6 version of ethereal. It is fragmented > at both the IP and > DCERPC layer > so you must have both > Edit/Preferences/Protocols/IP/Reassemble fragmented > IP datagrams > and > Edit/Preferences/Protocols/DCERPC/Reassemble DCERPC > fragments > enabled. > > Thus you will get three tabs just above the > displayfilter when you look at > frame 7: > Frame:Reassembled IPv4:Reassembled DCE/RPC > > > > _______________________________________________ > Ethereal-dev mailing list > [EMAIL PROTECTED] > http://www.ethereal.com/mailman/listinfo/ethereal-dev
===== Jaime Fournier __________________________________________________ Do You Yahoo!? Yahoo! Finance - Get real-time stock quotes http://finance.yahoo.com
