Hi folks, I have run across an interesting issue.

I took a capture using -C and -W to get some 30 or more capture files with 30M each. I then merged several of them towards the end to give me a 95MB capture file. When I look at it I can see each response found and matched to the previous request.

However, when I merged more of them to give me an approximately 700MB capture file, the responses, to quote a few, are not dissected and show up as RPC continuations.

Using some debugging I have tracked it down to the following statement not finding the correct conversation, it seems:

    conversation = find_conversation_for_reply(pinfo);

Here is the logging I have added in the case that it works:

------------------------
xid = 0xd4e94d56 frame=146941    # This is for the request
Checking if we have a conv=0x7fbf96ae60c0 for XID=0xd4e94d56 frame=146941
Did we have an rpc_conv_info 0x7fbf96ae8750 for 0xd4e94d56 frame 146941
Did we find the call (nil) for 0xd4e94d56 for frame 146941
Storing 0x7fbf92184470 for 0xd4e94d56 for frame 146941
The XID=0xd4e94d56 for frame=146951    # This is for the reply
Found a conversation=0x7fbf96ae60c0 for XID=d4e94d56 frame=146951
Found rpc_conv_info=0x7fbf96ae8750 for XID=d4e94d56 frame=146951
Found rpc_call=0x7fbf92184470 for XID=d4e94d56 frame=146951
xid = 0xd4e94d56 frame=146951
-------------------------

Notice that we found the same conversation in the case of both the request and the response. (I am logging when I see a specific XID.)

Here is what I see in the case of the larger merged capture file:

--------------------------
xid = 0xd4e94d56 frame=524451    # This is for the request
Checking if we have a conv=0x7f20b1022ce0 for XID=0xd4e94d56 frame=524451
Did we have an rpc_conv_info 0x7f20b1025500 for 0xd4e94d56 frame 524451
Did we find the call (nil) for 0xd4e94d56 for frame 524451
Storing 0x7f20ac71a4a0 for 0xd4e94d56 for frame 524451
The XID=0xd4e94d56 for frame=524461    # This is for the reply
Found a conversation=0x7f20bf051460 for XID=d4e94d56 frame=524461
Found rpc_conv_info=0x7f20bf052ce0 for XID=d4e94d56 frame=524461
------------------------------------

Notice there that in the second case it seems we found a different conversation for the reply ...

I am trying to figure out why we did not find the correct conversation with the large capture file.

If anyone has ideas I would be interested in hearing from you.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)(Legend has it that Du Kang was the inventor of wine)
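
An added example, not part of the original message and not Wireshark code: a small script that reads debug output in the format quoted above and reports every reply whose conversation pointer differs from the one its request was stored under. The sample inputs are constructed from the lines in the message; the function names are hypothetical, and pointers are only comparable within a single run.

```python
import re

# Constructed input: debug lines from the message (the format is the poster's own logging).
SMALL_CAPTURE = """\
Checking if we have a conv=0x7fbf96ae60c0 for XID=0xd4e94d56 frame=146941
Storing 0x7fbf92184470 for 0xd4e94d56 for frame 146941
Found a conversation=0x7fbf96ae60c0 for XID=d4e94d56 frame=146951
Found rpc_call=0x7fbf92184470 for XID=d4e94d56 frame=146951
"""
LARGE_CAPTURE = """\
Checking if we have a conv=0x7f20b1022ce0 for XID=0xd4e94d56 frame=524451
Storing 0x7f20ac71a4a0 for 0xd4e94d56 for frame 524451
Found a conversation=0x7f20bf051460 for XID=d4e94d56 frame=524461
"""

PTR = r"(0x[0-9a-f]+)"
XID = r"(?:0x)?([0-9a-f]+)"   # the log prints the XID both with and without 0x
REQ_CONV = re.compile(rf"Checking if we have a conv={PTR} for XID={XID} frame=(\d+)")
REP_CONV = re.compile(rf"Found a conversation={PTR} for XID={XID} frame=(\d+)")
REP_CALL = re.compile(rf"Found rpc_call={PTR} for XID={XID} frame=(\d+)")

def check_replies(log):
    """Pair each reply with the latest request for the same XID and compare conversations."""
    requests, replies = {}, []
    for line in log.splitlines():
        if m := REQ_CONV.search(line):
            requests[int(m[2], 16)] = (m[1], int(m[3]))   # a reused XID overwrites the old entry
        elif m := REP_CONV.search(line):
            xid = int(m[2], 16)
            req_conv, req_frame = requests.get(xid, (None, None))
            replies.append({"xid": xid, "request_frame": req_frame,
                            "reply_frame": int(m[3]), "request_conv": req_conv,
                            "reply_conv": m[1], "same_conv": req_conv == m[1],
                            "call_found": False})
        elif m := REP_CALL.search(line):
            # This line appears only when the call was found for the reply.
            for r in reversed(replies):
                if r["xid"] == int(m[2], 16) and r["reply_frame"] == int(m[3]):
                    r["call_found"] = True
                    break
    return replies

def mismatches(log):
    """Replies looked up in a different conversation than their request was stored in."""
    return [r for r in check_replies(log) if not r["same_conv"]]

if __name__ == "__main__":
    for name, log in (("small", SMALL_CAPTURE), ("large", LARGE_CAPTURE)):
        for r in check_replies(log):
            print(f"{name}: xid=0x{r['xid']:08x} frames {r['request_frame']}->"
                  f"{r['reply_frame']} same_conv={r['same_conv']} call_found={r['call_found']}")
```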