On Wed, May 30, 2007 at 03:34:29PM -0400, [EMAIL PROTECTED] wrote: > > I captured DCERPC traffic and then I did a filter to isolate a particular > call ID with that filter : dcerpc.cn_call_id == 96 > > I went trough that problem: > > When selecting the option "Allow subdissector to reassemble TCP streams" > checked the filter catches only the Request. > > When deselecting the option "Allow subdissector to reassemble TCP streams" > the filter catches both the Request and > > The Response. The frame is identified as limited during capture but I know > it's not, I did a full frame capture.
It looks like you do not have all tcp segments of the conversation in the tracefile. The DCE_RPC dissector knows it needs some more data. When "allow subdissector to reassemble TCP streams" is off, the first frame is dissected with all the information that is available to it. Since it does know that more data should come, hence it says something about the captured bytes. I agree the message is a bit misleading. Once you turn on "allow subdissector to reassemble TCP streams", the dissector tries to collect the data it knows should be there. Unfortunately the data is not there because some tcp-segments are missing. Therefor it does not dissect the packet and the filter fails to see it... The remedy is to collect all data of a conversation so that tcp-reassembly is able to reconstruct all the higher-level PDU's :) I hope this helps, Cheers, Sake _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
