Guy Harris writes:

> On Sun, Jul 22, 2001 at 05:46:39PM +1000, Tim Potter wrote:
> > I had most of a patch to do this.  You need to take the uid from
> > the sesssetupX packet, the tid from the tconX, and the fid from
> > the ntcreateX packet.  This information, plus the existing
> > guint32 conversation id gives you a unique tuple that you can
> > match to a pipe name.
>
> Will the UID and TID be the same as the ones that appear in the
> TRANSACTION SMB that contains the MSRPC messages?

Yes.

> And does the FID appear in the TRANSACTION SMB?  If not, something else
> in that SMB must indicate which pipe is being used.

Also yes.  The fid is contained in the SMB flags2 field.  For the
first pipe created on a connection, the fid is usually 0x8001 and
seems to increment with each new pipe.

Note that ethereal currently doesn't decode enough of the
SMBntcreateX response to be able to find the returned fid.

Tim.
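The tuple matching described in the message above, as an added example that is not part of the original post and is not Ethereal's code: a small C table keyed on (conversation id, uid, tid, fid) that maps to a pipe name. The struct and function names and the fixed table size are assumptions, and the uid, tid and fid are taken as already extracted from the packets by the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_PIPES 64   /* assumed fixed capacity for this example */

/* The tuple from the message: conversation id plus uid, tid and fid. */
struct pipe_key { uint32_t conv_id; uint16_t uid, tid, fid; };
struct pipe_entry { struct pipe_key key; char name[32]; int used; };
static struct pipe_entry pipe_table[MAX_PIPES];

static int key_eq(const struct pipe_key *a, const struct pipe_key *b)
{
    return a->conv_id == b->conv_id && a->uid == b->uid &&
           a->tid == b->tid && a->fid == b->fid;
}

static struct pipe_entry *find_pipe(struct pipe_key key)
{
    for (size_t i = 0; i < MAX_PIPES; i++)
        if (pipe_table[i].used && key_eq(&pipe_table[i].key, &key))
            return &pipe_table[i];
    return NULL;
}

/* Call when the open response returns a fid. A reused tuple overwrites the
 * old name. Returns 0 on success, -1 if the table is full. */
int pipe_open(struct pipe_key key, const char *name)
{
    struct pipe_entry *e = find_pipe(key);
    for (size_t i = 0; e == NULL && i < MAX_PIPES; i++)
        if (!pipe_table[i].used)
            e = &pipe_table[i];
    if (e == NULL)
        return -1;
    e->key = key;
    e->used = 1;
    strncpy(e->name, name, sizeof e->name - 1);
    e->name[sizeof e->name - 1] = '\0';   /* long names are truncated */
    return 0;
}

/* Call for each TRANSACTION SMB; NULL means no matching open was seen. */
const char *pipe_lookup(struct pipe_key key)
{
    struct pipe_entry *e = find_pipe(key);
    return e ? e->name : NULL;
}

/* Call on close so a later reuse of the fid is not misattributed. */
void pipe_close(struct pipe_key key) { struct pipe_entry *e = find_pipe(key); if (e) e->used = 0; }
```

A NULL result from `pipe_lookup` covers captures that start after the pipe was opened, where the dissector has no name to attach.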