|
What happens if there's more than one PDU in more
than one TCP segment? It appears that only the first PDU is dissected. Please take a look at packet 9 of the attached capture (when enabling desegmentation in the TCP and DCERPC protocols). You can see that in location 0x7e8 a new DCERPC PDU begins. However, there's no call for the DCERPC dissector to dissect it. Could be that I don't fully understand the logic for desegmenting TCP. I'd appreciate if someone can perhaps point to documentation on it (other than packet-tcp.c). |
dcerpc-seg.cap
Description: Binary data
