Wireshark-users: [Wireshark-users] ONC-RPC packet decoding
Date: Wed, 17 Oct 2007 08:08:36 -0400
I have an application that uses ONC-RPC. When I capture the packets, all of them, requests and replies, are marked as RPC continuation data. I can see that the complete request is in the data, but Wireshark seems to be unable to decode them. I've included several packets below. These are all requests. At this point, if all I get is the requests to decode properly, that will be a big help.
No. Time Source Destination Protocol Info
33 16.626639 192.168.0.207 192.168.0.206 Portmap V2 GETPORT Call (Reply In 34) Unknown(536870912) V:1 UDP
Frame 33 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: AniCommu_36:bc:86 (00:40:05:36:bc:86), Dst: Portwell_08:2b:ad (00:90:fb:08:2b:ad)
Internet Protocol, Src: 192.168.0.207 (192.168.0.207), Dst: 192.168.0.206 (192.168.0.206)
User Datagram Protocol, Src Port: 1104 (1104), Dst Port: sunrpc (111)
Remote Procedure Call, Type:Call XID:0xca9ac415
XID: 0xca9ac415 (3399140373)
Message Type: Call (0)
RPC Version: 2
Program: Portmap (100000)
Program Version: 2
Procedure: GETPORT (3)
The reply to this request is in frame 34
Credentials
Verifier
Portmap GETPORT Call Unknown(536870912) Version:1 UDP
0000 00 90 fb 08 2b ad 00 40 05 36 bc 86 08 00 45 00 ....+..@.6....E.
0010 00 54 33 b9 00 00 80 11 83 f2 c0 a8 00 cf c0 a8 .T3.............
0020 00 ce 04 50 00 6f 00 40 0c eb ca 9a c4 15 00 00 ...P.o.@........
0030 00 00 00 00 00 02 00 01 86 a0 00 00 00 02 00 00 ................
0040 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 20 00 00 00 00 00 00 01 00 00 00 11 78 00 .. ...........x.
0060 bd 6a .j
No. Time Source Destination Protocol Info
34 16.629790 192.168.0.206 192.168.0.207 Portmap V2 GETPORT Reply (Call In 33) Port:753
Frame 34 (70 bytes on wire, 70 bytes captured)
Ethernet II, Src: Portwell_08:2b:ad (00:90:fb:08:2b:ad), Dst: AniCommu_36:bc:86 (00:40:05:36:bc:86)
Internet Protocol, Src: 192.168.0.206 (192.168.0.206), Dst: 192.168.0.207 (192.168.0.207)
User Datagram Protocol, Src Port: sunrpc (111), Dst Port: 1104 (1104)
Remote Procedure Call, Type:Reply XID:0xca9ac415
XID: 0xca9ac415 (3399140373)
Message Type: Reply (1)
Program: Portmap (100000)
Program Version: 2
Procedure: GETPORT (3)
Reply State: accepted (0)
This is a reply to a request in frame 33
Time from request: 0.003151000 seconds
Verifier
Accept State: RPC executed successfully (0)
Portmap GETPORT Reply Port:753 Port:753
0000 00 40 05 36 bc 86 00 90 fb 08 2b ad 08 00 45 00 .@.6......+...E.
0010 00 38 f1 5b 00 00 1e 11 28 6c c0 a8 00 ce c0 a8 .8.[....(l......
0020 00 cf 00 6f 04 50 00 24 e6 56 ca 9a c4 15 00 00 ...o.P.$.V......
0030 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 02 f1 ......
No. Time Source Destination Protocol Info
35 16.630559 192.168.0.207 192.168.0.206 RPC Continuation
Frame 35 (94 bytes on wire, 94 bytes captured)
Ethernet II, Src: AniCommu_36:bc:86 (00:40:05:36:bc:86), Dst: Portwell_08:2b:ad (00:90:fb:08:2b:ad)
Internet Protocol, Src: 192.168.0.207 (192.168.0.207), Dst: 192.168.0.206 (192.168.0.206)
User Datagram Protocol, Src Port: 1105 (1105), Dst Port: 753 (753)
Remote Procedure Call
Continuation data
0000 00 90 fb 08 2b ad 00 40 05 36 bc 86 08 00 45 00 ....+..@.6....E.
0010 00 50 33 ba 00 00 80 11 83 f5 c0 a8 00 cf c0 a8 .P3.............
0020 00 ce 04 51 02 f1 00 3c df c5 78 f2 15 23 00 00 ...Q...<..x..#..
0030 00 00 00 00 00 02 20 00 00 00 00 00 00 01 00 00 ...... .........
0040 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 00 00 03 74 63 73 00 00 00 00 00 ......tcs.....
No. Time Source Destination Protocol Info
36 16.643718 192.168.0.206 192.168.0.207 RPC Continuation
Frame 36 (70 bytes on wire, 70 bytes captured)
Ethernet II, Src: Portwell_08:2b:ad (00:90:fb:08:2b:ad), Dst: AniCommu_36:bc:86 (00:40:05:36:bc:86)
Internet Protocol, Src: 192.168.0.206 (192.168.0.206), Dst: 192.168.0.207 (192.168.0.207)
User Datagram Protocol, Src Port: 753 (753), Dst Port: 1105 (1105)
Remote Procedure Call
Continuation data
0000 00 40 05 36 bc 86 00 90 fb 08 2b ad 08 00 45 00 .@.6......+...E.
0010 00 38 f1 5c 00 00 1e 11 28 6b c0 a8 00 ce c0 a8 .8.\....(k......
0020 00 cf 02 f1 04 51 00 24 a4 6b 78 f2 15 23 00 00 .....Q.$.kx..#..
0030 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 42 f4 ....B.
No. Time Source Destination Protocol Info
37 16.644900 192.168.0.207 192.168.0.206 RPC Continuation
Frame 37 (182 bytes on wire, 182 bytes captured)
Ethernet II, Src: AniCommu_36:bc:86 (00:40:05:36:bc:86), Dst: Portwell_08:2b:ad (00:90:fb:08:2b:ad)
Internet Protocol, Src: 192.168.0.207 (192.168.0.207), Dst: 192.168.0.206 (192.168.0.206)
User Datagram Protocol, Src Port: 1105 (1105), Dst Port: 753 (753)
Remote Procedure Call
Continuation data
0000 00 90 fb 08 2b ad 00 40 05 36 bc 86 08 00 45 00 ....+..@.6....E.
0010 00 a8 33 bb 00 00 80 11 83 9c c0 a8 00 cf c0 a8 ..3.............
0020 00 ce 04 51 02 f1 00 94 68 4c 95 27 c9 f5 00 00 ...Q....hL.'....
0030 00 00 00 00 00 02 20 00 00 00 00 00 00 01 00 00 ...... .........
0040 00 3c 00 00 00 01 00 00 00 1c 47 15 17 9c 00 00 .<........G.....
0050 00 07 30 2e 30 2e 30 2e 30 00 00 00 42 f4 00 00 ..0.0.0.0...B...
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 ................
0070 f3 f4 00 12 f3 f0 00 12 f3 fc 00 12 f3 f8 00 12 ................
0080 f4 04 00 12 f4 00 00 12 f4 0c 00 12 f4 08 00 12 ................
0090 f4 14 00 12 f4 10 00 12 f4 1c 00 12 f4 18 00 12 ................
00a0 f4 24 00 12 f4 20 00 12 f4 2c 00 12 f4 28 00 12 .$... ...,...(..
00b0 f4 34 00 12 f4 30 .4...0
No. Time Source Destination Protocol Info
38 16.652715 192.168.0.206 192.168.0.207 RPC Continuation
Frame 38 (70 bytes on wire, 70 bytes captured)
Ethernet II, Src: Portwell_08:2b:ad (00:90:fb:08:2b:ad), Dst: AniCommu_36:bc:86 (00:40:05:36:bc:86)
Internet Protocol, Src: 192.168.0.206 (192.168.0.206), Dst: 192.168.0.207 (192.168.0.207)
User Datagram Protocol, Src Port: 753 (753), Dst Port: 1105 (1105)
Remote Procedure Call
Continuation data
0000 00 40 05 36 bc 86 00 90 fb 08 2b ad 08 00 45 00 .@.6......+...E.
0010 00 38 f1 5d 00 00 1e 11 28 6a c0 a8 00 ce c0 a8 .8.]....(j......
0020 00 cf 02 f1 04 51 00 24 16 58 95 27 c9 f5 00 00 .....Q.$.X.'....
0030 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 ......
No. Time Source Destination Protocol Info
39 16.653000 192.168.0.207 192.168.0.206 RPC Continuation
Frame 39 (278 bytes on wire, 278 bytes captured)
Ethernet II, Src: AniCommu_36:bc:86 (00:40:05:36:bc:86), Dst: Portwell_08:2b:ad (00:90:fb:08:2b:ad)
Internet Protocol, Src: 192.168.0.207 (192.168.0.207), Dst: 192.168.0.206 (192.168.0.206)
User Datagram Protocol, Src Port: 1105 (1105), Dst Port: 753 (753)
Remote Procedure Call
Continuation data
0000 00 90 fb 08 2b ad 00 40 05 36 bc 86 08 00 45 00 ....+..@.6....E.
0010 01 08 33 bc 00 00 80 11 83 3b c0 a8 00 cf c0 a8 ..3......;......
0020 00 ce 04 51 02 f1 00 f4 2b 9d df 38 f2 4e 00 00 ...Q....+..8.N..
0030 00 00 00 00 00 02 20 00 00 00 00 00 00 01 00 00 ...... .........
0040 00 3d 00 00 00 01 00 00 00 1c 47 15 17 9c 00 00 .=........G.....
0050 00 07 30 2e 30 2e 30 2e 30 00 00 00 42 f4 00 00 ..0.0.0.0...B...
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 12 f4 68 00 12 f4 64 00 12 f4 70 00 12 .....h...d...p..
0080 f4 6c 00 12 f4 78 00 12 f4 74 00 12 f4 80 00 12 .l...x...t......
0090 f4 7c 00 12 f4 88 00 12 f4 84 00 12 f4 90 00 12 .|..............
00a0 f4 8c 00 12 f4 98 00 12 f4 94 00 12 f4 a0 00 12 ................
00b0 f4 9c 00 12 f4 a8 00 12 f4 a4 00 12 f4 b0 00 12 ................
00c0 f4 ac 00 12 f4 b8 00 12 f4 b4 00 00 00 0f 30 35 ..............05
00d0 31 36 30 37 75 74 6d 6f 64 2e 6d 6f 64 00 00 00 1607utmod.mod...
00e0 00 14 43 6f 75 64 65 53 74 61 72 61 70 72 69 6f ..CoudeStaraprio
00f0 72 69 2e 64 61 74 00 00 00 0f 4c 65 6e 73 61 70 ri.dat....Lensap
0100 72 69 6f 72 69 2e 64 61 74 00 00 00 00 06 43 61 riori.dat.....Ca
0110 6d 65 72 61 00 00 mera..
No. Time Source Destination Protocol Info
40 16.695733 192.168.0.206 192.168.0.207 RPC Continuation
Frame 40 (70 bytes on wire, 70 bytes captured)
Ethernet II, Src: Portwell_08:2b:ad (00:90:fb:08:2b:ad), Dst: AniCommu_36:bc:86 (00:40:05:36:bc:86)
Internet Protocol, Src: 192.168.0.206 (192.168.0.206), Dst: 192.168.0.207 (192.168.0.207)
User Datagram Protocol, Src Port: 753 (753), Dst Port: 1105 (1105)
Remote Procedure Call
Continuation data
0000 00 40 05 36 bc 86 00 90 fb 08 2b ad 08 00 45 00 .@.6......+...E.
0010 00 38 f1 5e 00 00 1e 11 28 69 c0 a8 00 ce c0 a8 .8.^....(i......
0020 00 cf 02 f1 04 51 00 24 a3 ed df 38 f2 4e 00 00 .....Q.$...8.N..
0030 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 ......
No. Time Source Destination Protocol Info
41 16.695955 192.168.0.207 192.168.0.206 RPC Continuation
Frame 41 (110 bytes on wire, 110 bytes captured)
Ethernet II, Src: AniCommu_36:bc:86 (00:40:05:36:bc:86), Dst: Portwell_08:2b:ad (00:90:fb:08:2b:ad)
Internet Protocol, Src: 192.168.0.207 (192.168.0.207), Dst: 192.168.0.206 (192.168.0.206)
User Datagram Protocol, Src Port: 1105 (1105), Dst Port: 753 (753)
Remote Procedure Call
Continuation data
0000 00 90 fb 08 2b ad 00 40 05 36 bc 86 08 00 45 00 ....+..@.6....E.
0010 00 60 33 bd 00 00 80 11 83 e2 c0 a8 00 cf c0 a8 .`3.............
0020 00 ce 04 51 02 f1 00 4c a9 ab aa 0e 9e ae 00 00 ...Q...L........
0030 00 00 00 00 00 02 20 00 00 00 00 00 00 01 00 00 ...... .........
0040 00 66 00 00 00 01 00 00 00 1c 47 15 17 9c 00 00 .f........G.....
0050 00 07 30 2e 30 2e 30 2e 30 00 00 00 42 f4 00 00 ..0.0.0.0...B...
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
No. Time Source Destination Protocol Info
42 16.699807 192.168.0.206 192.168.0.207 RPC Continuation
Frame 42 (70 bytes on wire, 70 bytes captured)
Ethernet II, Src: Portwell_08:2b:ad (00:90:fb:08:2b:ad), Dst: AniCommu_36:bc:86 (00:40:05:36:bc:86)
Internet Protocol, Src: 192.168.0.206 (192.168.0.206), Dst: 192.168.0.207 (192.168.0.207)
User Datagram Protocol, Src Port: 753 (753), Dst Port: 1105 (1105)
Remote Procedure Call
Continuation data
0000 00 40 05 36 bc 86 00 90 fb 08 2b ad 08 00 45 00 .@.6......+...E.
0010 00 38 f1 5f 00 00 1e 11 28 68 c0 a8 00 ce c0 a8 .8._....(h......
0020 00 cf 02 f1 04 51 00 24 2c b8 aa 0e 9e ae 00 00 .....Q.$,.......
0030 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 ......
No. Time Source Destination Protocol Info
43 16.699945 192.168.0.207 192.168.0.206 RPC Continuation
Frame 43 (110 bytes on wire, 110 bytes captured)
Ethernet II, Src: AniCommu_36:bc:86 (00:40:05:36:bc:86), Dst: Portwell_08:2b:ad (00:90:fb:08:2b:ad)
Internet Protocol, Src: 192.168.0.207 (192.168.0.207), Dst: 192.168.0.206 (192.168.0.206)
User Datagram Protocol, Src Port: 1105 (1105), Dst Port: 753 (753)
Remote Procedure Call
Continuation data
0000 00 90 fb 08 2b ad 00 40 05 36 bc 86 08 00 45 00 ....+..@.6....E.
0010 00 60 33 be 00 00 80 11 83 e1 c0 a8 00 cf c0 a8 .`3.............
0020 00 ce 04 51 02 f1 00 4c 36 50 a9 91 12 88 00 00 ...Q...L6P......
0030 00 00 00 00 00 02 20 00 00 00 00 00 00 01 00 00 ...... .........
0040 00 65 00 00 00 01 00 00 00 1c 47 15 17 9c 00 00 .e........G.....
0050 00 07 30 2e 30 2e 30 2e 30 00 00 00 42 f4 00 00 ..0.0.0.0...B...
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
No. Time Source Destination Protocol Info
44 16.703687 192.168.0.206 192.168.0.207 RPC Continuation
Frame 44 (70 bytes on wire, 70 bytes captured)
Ethernet II, Src: Portwell_08:2b:ad (00:90:fb:08:2b:ad), Dst: AniCommu_36:bc:86 (00:40:05:36:bc:86)
Internet Protocol, Src: 192.168.0.206 (192.168.0.206), Dst: 192.168.0.207 (192.168.0.207)
User Datagram Protocol, Src Port: 753 (753), Dst Port: 1105 (1105)
Remote Procedure Call
Continuation data
0000 00 40 05 36 bc 86 00 90 fb 08 2b ad 08 00 45 00 .@.6......+...E.
0010 00 38 f1 60 00 00 1e 11 28 67 c0 a8 00 ce c0 a8 .8.`....(g......
0020 00 cf 02 f1 04 51 00 24 a9 6b a9 91 12 88 00 00 .....Q.$.k......
0030 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 0f f0 ......
Raymond Balister
Sr. Software Engineer
L-3 Communications/Brashear
615 Epsilon Drive
Pittsburgh, PA 15238
412.967.7526
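Added example, not part of the original post: a minimal ONC-RPC header decoder (message layout per RFC 5531, formerly RFC 1831) run over the UDP payloads of frames 35 and 36 above. It shows that the "Continuation data" is a well-formed call and reply pair for program 536870912 (0x20000000) version 1, the same program the GETPORT call in frame 33 asked about. The names `parse_rpc`, `RpcError`, `FRAME35` and `FRAME36` are hypothetical.

```python
import struct

# UDP payloads (frame offset 0x2a onward) copied from the post's hex dumps.
FRAME35 = bytes.fromhex(
    "78f21523 00000000 00000002 20000000 00000001 00000001 "
    "00000000 00000000 00000000 00000000 00000003 74637300 00000000")
FRAME36 = bytes.fromhex(
    "78f21523 00000001 00000000 00000000 00000000 00000000 000042f4")
MAX_AUTH = 400  # RFC 5531 limit on an opaque_auth body

class RpcError(ValueError):
    """Payload is not a well-formed ONC-RPC message."""

def _u32s(buf, off, n):
    # Read n big-endian 32-bit XDR words, refusing to run past the buffer.
    if off + 4 * n > len(buf):
        raise RpcError("truncated at offset %d" % off)
    return struct.unpack_from(">%dI" % n, buf, off), off + 4 * n

def _auth(buf, off):
    (flavor, length), off = _u32s(buf, off, 2)
    padded = (length + 3) & ~3  # XDR pads opaque data to 4 bytes
    if length > MAX_AUTH or off + padded > len(buf):
        raise RpcError("bad opaque_auth length %d" % length)
    return flavor, off + padded

def parse_rpc(buf):
    """Decode the RPC header of one UDP payload (UDP has no record mark)."""
    (xid, mtype), off = _u32s(buf, 0, 2)
    if mtype == 0:  # CALL
        (rpcvers, prog, vers, proc), off = _u32s(buf, off, 4)
        if rpcvers != 2:
            raise RpcError("rpcvers %d, expected 2" % rpcvers)
        cred, off = _auth(buf, off)
        verf, off = _auth(buf, off)
        return {"xid": xid, "type": "call", "prog": prog, "vers": vers,
                "proc": proc, "cred": cred, "verf": verf, "args": buf[off:]}
    if mtype == 1:  # REPLY
        (reply_stat,), off = _u32s(buf, off, 1)
        if reply_stat != 0:  # MSG_DENIED: no verifier/accept_stat follows
            return {"xid": xid, "type": "reply", "accepted": False}
        verf, off = _auth(buf, off)
        (accept_stat,), off = _u32s(buf, off, 1)
        return {"xid": xid, "type": "reply", "accepted": True,
                "accept_stat": accept_stat, "results": buf[off:]}
    raise RpcError("msg_type %d is neither call nor reply" % mtype)
```

The bytes left in `args` for frame 35 are an XDR string of length 3 ("tcs") followed by one more 32-bit word, visible at the end of that frame's hex dump.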