On Tue, 2002-05-21 at 12:22, Mike Richichi wrote: > I have been patiently waiting for the results of the rewritten NCP > decoder in Ethereal 0.9.4, and have tested it today. It is > quite good but there are 2 problems I've noticed: > > 1) I've always had trouble with decoding NCP over IP packets (we're very > soon going to be a Pure IP shop). It turns out that Ethereal is not > properly decoding packets with packet signatures enabled. There's an
Can you send me a sample file? > extra 8 bytes between the NCP over IP reply Buffer size field and the > actual start of the NCP packet (this is determined by looking for an > 0x2222 or 0x3333 as appropriate in the packet data), and assuming the > NCP type header is immediately after the NCP over IP Reply Buffer Size > information, instead of the signature. Once the offset is shifted it > cannot decode the packets at all, reporting them as Unknown Types. I > have verified this by turning off packet signatures and > get good decoding information, except for the problem in the next item. > > 2) NCP over IP will use burst mode to to large transfers (program and > data files in bulk) and these are identified as NCP packets but have > little or no header data, so again the packet type is unknown. This is > a minor problem though, because it's clear in the trace what's going on > (there's an NCP open file request, a bunch of large packets with TCP > ACKs from the server, then an NCP close file request.) Yes, this is a known problem and is on the list of things to be taken care of. thanks, --gilbert
