Ethereal-users: Re: [Ethereal-users] Ethereal support for decoding DCERPC packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 14 Jul 2004 23:06:49 -0700
On Wed, Jul 14, 2004 at 11:41:06AM +0300, Yafit Cohen wrote:
> It seems that Ethereal doesn't support DCERPC protocol in its "Decode
> As" protocol list;

Correct.  The DCERPC dissector is handed all UDP or TCP packets not
processed by any dissector that picks up the packets because of the port
they go to or because they're in a conversation with a dissector
assigned to it (unless the UDP or TCP dissector is configured to hand
packets to heuristic dissectors, such as the DCERPC dissector, first). 
If the packet looks enough like a DCERPC packet, the DCERPC dissector
will dissect it.  (The packet has to have a full DCERPC header in it,
and has to have what appears to be an RPC version major number of 5, an
RPC minor version number of 0 or 1, and a packet type <= 19.)

> I'm trying to read a tcpdump packet file of MS Exchange packets and
> decode the TCP packets as DCERPC, however, this protocol is not in the
> "Decode As" protocol list. 

We'd have to see the packets to see why the test referred to above fails.

> It's pretty weird since when using ethereal itself to capture the same
> MS Exchange packets it does decode these packets as DCERPC... 
> 
> Is DCERPC decoding really not supported for offline packets

Ethereal has no idea whether the packets were captured by Ethereal or
not.
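The heuristic test Guy describes above, written out as an added example (not Ethereal's own dissector code); it assumes the 16-byte connection-oriented DCERPC header layout and the drep byte-order rule, neither of which the thread spells out, and the sample payloads are constructed:

```python
import struct
from typing import Optional

# Assumed layout of the 16-byte connection-oriented DCERPC header
# (the reply only says "a full DCERPC header"):
#   rpc_vers(1) rpc_vers_minor(1) ptype(1) pfc_flags(1) drep(4)
#   frag_length(2) auth_length(2) call_id(4)
CO_HEADER_LEN = 16
MAX_PTYPE = 19          # highest packet type the reply says is accepted


def looks_like_dcerpc(payload: bytes) -> Optional[dict]:
    """Apply the three checks from the reply to one TCP payload.

    Returns the parsed header fields when the payload passes, else None.
    """
    # 1. The packet must carry a full header.
    if len(payload) < CO_HEADER_LEN:
        return None
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = payload[0:4]
    drep = payload[4:8]
    # 2. RPC major version must be 5, minor version 0 or 1.
    if rpc_vers != 5 or rpc_vers_minor not in (0, 1):
        return None
    # 3. Packet type must be <= 19.
    if ptype > MAX_PTYPE:
        return None
    # drep[0] high nibble: 0 = big-endian integers, 1 = little-endian
    # (assumed from the DCE RPC data representation format).
    little_endian = (drep[0] & 0xF0) == 0x10
    fmt = ("<" if little_endian else ">") + "HHI"
    frag_length, auth_length, call_id = struct.unpack(fmt, payload[8:16])
    return {
        "rpc_vers": rpc_vers, "rpc_vers_minor": rpc_vers_minor,
        "ptype": ptype, "pfc_flags": pfc_flags,
        "little_endian": little_endian, "frag_length": frag_length,
        "auth_length": auth_length, "call_id": call_id,
    }


def make_header(rpc_vers=5, minor=0, ptype=11, drep0=0x10,
                frag_length=72, call_id=1) -> bytes:
    """Build a constructed PDU: header plus zero padding to frag_length."""
    fmt = ("<" if drep0 == 0x10 else ">") + "HHI"
    hdr = bytes([rpc_vers, minor, ptype, 0x03, drep0, 0, 0, 0])
    hdr += struct.pack(fmt, frag_length, 0, call_id)
    return hdr + b"\x00" * (frag_length - len(hdr))


BIND_SAMPLE = make_header()                     # constructed: bind, ptype 11
OLD_VERSION_SAMPLE = make_header(rpc_vers=4)    # constructed: major != 5
BAD_PTYPE_SAMPLE = make_header(ptype=20)        # constructed: ptype > 19
BIG_ENDIAN_SAMPLE = make_header(drep0=0x00)     # constructed: big-endian drep
```

A TCP segment that does not begin with a header (for example the tail of a fragment split across segments) fails check 1, which is one reason a payload can pass when captured live yet be missed when read in a different form.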