Wireshark-users: Re: [Wireshark-users] ONC-RPC packet decoding
Date: Wed, 17 Oct 2007 08:25:37 -0400

I was unable to find a solution after searching for several hours prior to posting.  Of course, just minutes after posting I found the answer.  Since it's a custom application I created my own program number in the user range.  If wireshark doesn't know the program number, it doesn't do the RPC decode, *unless* "Dissect unknown RPC program numbers" is checked in the preferences.  Now I can see both the request and replies.  Easy fix, not real obvious (to me) to find.

Raymond Balister
Sr. Software Engineer
L-3 Communications/Brashear
615 Epsilon Drive
Pittsburgh, PA  15238
412.967.7526



raymond.balister@xxxxxxxxxx
Sent by: wireshark-users-bounces@xxxxxxxxxxxxx
10/17/2007 08:08 AM
Please respond to: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] ONC-RPC packet decoding

I have an application that uses ONC-RPC.  When I capture the packets, all of them, request and replies, are marked as RPC continuation data.  I can see that the complete request is in the data, but wireshark seems to be unable to decode them.  I've included several packets below.  These are all requests.  At this point, if all I get is the requests to decode properly that will be a big help.



No.     Time        Source                Destination           Protocol Info
    33 16.626639   192.168.0.207         192.168.0.206         Portmap  V2 GETPORT Call (Reply In 34) Unknown(536870912) V:1 UDP

Frame 33 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: AniCommu_36:bc:86 (00:40:05:36:bc:86), Dst: Portwell_08:2b:ad (00:90:fb:08:2b:ad)
Internet Protocol, Src: 192.168.0.207 (192.168.0.207), Dst: 192.168.0.206 (192.168.0.206)
User Datagram Protocol, Src Port: 1104 (1104), Dst Port: sunrpc (111)
Remote Procedure Call, Type:Call XID:0xca9ac415
   XID: 0xca9ac415 (3399140373)
   Message Type: Call (0)
   RPC Version: 2
   Program: Portmap (100000)
   Program Version: 2
   Procedure: GETPORT (3)
   The reply to this request is in frame 34
   Credentials
   Verifier
Portmap GETPORT Call Unknown(536870912) Version:1 UDP

0000  00 90 fb 08 2b ad 00 40 05 36 bc 86 08 00 45 00   ....+..@.6....E.
0010  00 54 33 b9 00 00 80 11 83 f2 c0 a8 00 cf c0 a8   .T3.............
0020  00 ce 04 50 00 6f 00 40 0c eb ca 9a c4 15 00 00   ...P.o.@........
0030  00 00 00 00 00 02 00 01 86 a0 00 00 00 02 00 00   ................
0040  00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 20 00 00 00 00 00 00 01 00 00 00 11 78 00   .. ...........x.
0060  bd 6a                                             .j

No.     Time        Source                Destination           Protocol Info
    34 16.629790   192.168.0.206         192.168.0.207         Portmap  V2 GETPORT Reply (Call In 33) Port:753

Frame 34 (70 bytes on wire, 70 bytes captured)
Ethernet II, Src: Portwell_08:2b:ad (00:90:fb:08:2b:ad), Dst: AniCommu_36:bc:86 (00:40:05:36:bc:86)
Internet Protocol, Src: 192.168.0.206 (192.168.0.206), Dst: 192.168.0.207 (192.168.0.207)
User Datagram Protocol, Src Port: sunrpc (111), Dst Port: 1104 (1104)
Remote Procedure Call, Type:Reply XID:0xca9ac415
   XID: 0xca9ac415 (3399140373)
   Message Type: Reply (1)
   Program: Portmap (100000)
   Program Version: 2
   Procedure: GETPORT (3)
   Reply State: accepted (0)
   This is a reply to a request in frame 33
   Time from request: 0.003151000 seconds
   Verifier
   Accept State: RPC executed successfully (0)
Portmap GETPORT Reply Port:753 Port:753

0000  00 40 05 36 bc 86 00 90 fb 08 2b ad 08 00 45 00   .@.6......+...E.
0010  00 38 f1 5b 00 00 1e 11 28 6c c0 a8 00 ce c0 a8   .8.[....(l......
0020  00 cf 00 6f 04 50 00 24 e6 56 ca 9a c4 15 00 00   ...o.P.$.V......
0030  00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0040  00 00 00 00 02 f1                                 ......

No.     Time        Source                Destination           Protocol Info
    35 16.630559   192.168.0.207         192.168.0.206         RPC      Continuation

Frame 35 (94 bytes on wire, 94 bytes captured)
Ethernet II, Src: AniCommu_36:bc:86 (00:40:05:36:bc:86), Dst: Portwell_08:2b:ad (00:90:fb:08:2b:ad)
Internet Protocol, Src: 192.168.0.207 (192.168.0.207), Dst: 192.168.0.206 (192.168.0.206)
User Datagram Protocol, Src Port: 1105 (1105), Dst Port: 753 (753)
Remote Procedure Call
   Continuation data

0000  00 90 fb 08 2b ad 00 40 05 36 bc 86 08 00 45 00   ....+..@.6....E.
0010  00 50 33 ba 00 00 80 11 83 f5 c0 a8 00 cf c0 a8   .P3.............
0020  00 ce 04 51 02 f1 00 3c df c5 78 f2 15 23 00 00   ...Q...<..x..#..
0030  00 00 00 00 00 02 20 00 00 00 00 00 00 01 00 00   ...... .........
0040  00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 00 00 00 03 74 63 73 00 00 00 00 00         ......tcs.....

No.     Time        Source                Destination           Protocol Info
    36 16.643718   192.168.0.206         192.168.0.207         RPC      Continuation

Frame 36 (70 bytes on wire, 70 bytes captured)
Ethernet II, Src: Portwell_08:2b:ad (00:90:fb:08:2b:ad), Dst: AniCommu_36:bc:86 (00:40:05:36:bc:86)
Internet Protocol, Src: 192.168.0.206 (192.168.0.206), Dst: 192.168.0.207 (192.168.0.207)
User Datagram Protocol, Src Port: 753 (753), Dst Port: 1105 (1105)
Remote Procedure Call
   Continuation data

0000  00 40 05 36 bc 86 00 90 fb 08 2b ad 08 00 45 00   .@.6......+...E.
0010  00 38 f1 5c 00 00 1e 11 28 6b c0 a8 00 ce c0 a8   .8.\....(k......
0020  00 cf 02 f1 04 51 00 24 a4 6b 78 f2 15 23 00 00   .....Q.$.kx..#..
0030  00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0040  00 00 00 00 42 f4                                 ....B.

No.     Time        Source                Destination           Protocol Info
    37 16.644900   192.168.0.207         192.168.0.206         RPC      Continuation

Frame 37 (182 bytes on wire, 182 bytes captured)
Ethernet II, Src: AniCommu_36:bc:86 (00:40:05:36:bc:86), Dst: Portwell_08:2b:ad (00:90:fb:08:2b:ad)
Internet Protocol, Src: 192.168.0.207 (192.168.0.207), Dst: 192.168.0.206 (192.168.0.206)
User Datagram Protocol, Src Port: 1105 (1105), Dst Port: 753 (753)
Remote Procedure Call
   Continuation data

0000  00 90 fb 08 2b ad 00 40 05 36 bc 86 08 00 45 00   ....+..@.6....E.
0010  00 a8 33 bb 00 00 80 11 83 9c c0 a8 00 cf c0 a8   ..3.............
0020  00 ce 04 51 02 f1 00 94 68 4c 95 27 c9 f5 00 00   ...Q....hL.'....
0030  00 00 00 00 00 02 20 00 00 00 00 00 00 01 00 00   ...... .........
0040  00 3c 00 00 00 01 00 00 00 1c 47 15 17 9c 00 00   .<........G.....
0050  00 07 30 2e 30 2e 30 2e 30 00 00 00 42 f4 00 00   ..0.0.0.0...B...
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12   ................
0070  f3 f4 00 12 f3 f0 00 12 f3 fc 00 12 f3 f8 00 12   ................
0080  f4 04 00 12 f4 00 00 12 f4 0c 00 12 f4 08 00 12   ................
0090  f4 14 00 12 f4 10 00 12 f4 1c 00 12 f4 18 00 12   ................
00a0  f4 24 00 12 f4 20 00 12 f4 2c 00 12 f4 28 00 12   .$... ...,...(..
00b0  f4 34 00 12 f4 30                                 .4...0

No.     Time        Source                Destination           Protocol Info
    38 16.652715   192.168.0.206         192.168.0.207         RPC      Continuation

Frame 38 (70 bytes on wire, 70 bytes captured)
Ethernet II, Src: Portwell_08:2b:ad (00:90:fb:08:2b:ad), Dst: AniCommu_36:bc:86 (00:40:05:36:bc:86)
Internet Protocol, Src: 192.168.0.206 (192.168.0.206), Dst: 192.168.0.207 (192.168.0.207)
User Datagram Protocol, Src Port: 753 (753), Dst Port: 1105 (1105)
Remote Procedure Call
   Continuation data

0000  00 40 05 36 bc 86 00 90 fb 08 2b ad 08 00 45 00   .@.6......+...E.
0010  00 38 f1 5d 00 00 1e 11 28 6a c0 a8 00 ce c0 a8   .8.]....(j......
0020  00 cf 02 f1 04 51 00 24 16 58 95 27 c9 f5 00 00   .....Q.$.X.'....
0030  00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0040  00 00 00 00 00 00                                 ......

No.     Time        Source                Destination           Protocol Info
    39 16.653000   192.168.0.207         192.168.0.206         RPC      Continuation

Frame 39 (278 bytes on wire, 278 bytes captured)
Ethernet II, Src: AniCommu_36:bc:86 (00:40:05:36:bc:86), Dst: Portwell_08:2b:ad (00:90:fb:08:2b:ad)
Internet Protocol, Src: 192.168.0.207 (192.168.0.207), Dst: 192.168.0.206 (192.168.0.206)
User Datagram Protocol, Src Port: 1105 (1105), Dst Port: 753 (753)
Remote Procedure Call
   Continuation data

0000  00 90 fb 08 2b ad 00 40 05 36 bc 86 08 00 45 00   ....+..@.6....E.
0010  01 08 33 bc 00 00 80 11 83 3b c0 a8 00 cf c0 a8   ..3......;......
0020  00 ce 04 51 02 f1 00 f4 2b 9d df 38 f2 4e 00 00   ...Q....+..8.N..
0030  00 00 00 00 00 02 20 00 00 00 00 00 00 01 00 00   ...... .........
0040  00 3d 00 00 00 01 00 00 00 1c 47 15 17 9c 00 00   .=........G.....
0050  00 07 30 2e 30 2e 30 2e 30 00 00 00 42 f4 00 00   ..0.0.0.0...B...
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0070  00 00 00 12 f4 68 00 12 f4 64 00 12 f4 70 00 12   .....h...d...p..
0080  f4 6c 00 12 f4 78 00 12 f4 74 00 12 f4 80 00 12   .l...x...t......
0090  f4 7c 00 12 f4 88 00 12 f4 84 00 12 f4 90 00 12   .|..............
00a0  f4 8c 00 12 f4 98 00 12 f4 94 00 12 f4 a0 00 12   ................
00b0  f4 9c 00 12 f4 a8 00 12 f4 a4 00 12 f4 b0 00 12   ................
00c0  f4 ac 00 12 f4 b8 00 12 f4 b4 00 00 00 0f 30 35   ..............05
00d0  31 36 30 37 75 74 6d 6f 64 2e 6d 6f 64 00 00 00   1607utmod.mod...
00e0  00 14 43 6f 75 64 65 53 74 61 72 61 70 72 69 6f   ..CoudeStaraprio
00f0  72 69 2e 64 61 74 00 00 00 0f 4c 65 6e 73 61 70   ri.dat....Lensap
0100  72 69 6f 72 69 2e 64 61 74 00 00 00 00 06 43 61   riori.dat.....Ca
0110  6d 65 72 61 00 00                                 mera..

No.     Time        Source                Destination           Protocol Info
    40 16.695733   192.168.0.206         192.168.0.207         RPC      Continuation

Frame 40 (70 bytes on wire, 70 bytes captured)
Ethernet II, Src: Portwell_08:2b:ad (00:90:fb:08:2b:ad), Dst: AniCommu_36:bc:86 (00:40:05:36:bc:86)
Internet Protocol, Src: 192.168.0.206 (192.168.0.206), Dst: 192.168.0.207 (192.168.0.207)
User Datagram Protocol, Src Port: 753 (753), Dst Port: 1105 (1105)
Remote Procedure Call
   Continuation data

0000  00 40 05 36 bc 86 00 90 fb 08 2b ad 08 00 45 00   .@.6......+...E.
0010  00 38 f1 5e 00 00 1e 11 28 69 c0 a8 00 ce c0 a8   .8.^....(i......
0020  00 cf 02 f1 04 51 00 24 a3 ed df 38 f2 4e 00 00   .....Q.$...8.N..
0030  00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0040  00 00 00 00 00 00                                 ......

No.     Time        Source                Destination           Protocol Info
    41 16.695955   192.168.0.207         192.168.0.206         RPC      Continuation

Frame 41 (110 bytes on wire, 110 bytes captured)
Ethernet II, Src: AniCommu_36:bc:86 (00:40:05:36:bc:86), Dst: Portwell_08:2b:ad (00:90:fb:08:2b:ad)
Internet Protocol, Src: 192.168.0.207 (192.168.0.207), Dst: 192.168.0.206 (192.168.0.206)
User Datagram Protocol, Src Port: 1105 (1105), Dst Port: 753 (753)
Remote Procedure Call
   Continuation data

0000  00 90 fb 08 2b ad 00 40 05 36 bc 86 08 00 45 00   ....+..@.6....E.
0010  00 60 33 bd 00 00 80 11 83 e2 c0 a8 00 cf c0 a8   .`3.............
0020  00 ce 04 51 02 f1 00 4c a9 ab aa 0e 9e ae 00 00   ...Q...L........
0030  00 00 00 00 00 02 20 00 00 00 00 00 00 01 00 00   ...... .........
0040  00 66 00 00 00 01 00 00 00 1c 47 15 17 9c 00 00   .f........G.....
0050  00 07 30 2e 30 2e 30 2e 30 00 00 00 42 f4 00 00   ..0.0.0.0...B...
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00         ..............

No.     Time        Source                Destination           Protocol Info
    42 16.699807   192.168.0.206         192.168.0.207         RPC      Continuation

Frame 42 (70 bytes on wire, 70 bytes captured)
Ethernet II, Src: Portwell_08:2b:ad (00:90:fb:08:2b:ad), Dst: AniCommu_36:bc:86 (00:40:05:36:bc:86)
Internet Protocol, Src: 192.168.0.206 (192.168.0.206), Dst: 192.168.0.207 (192.168.0.207)
User Datagram Protocol, Src Port: 753 (753), Dst Port: 1105 (1105)
Remote Procedure Call
   Continuation data

0000  00 40 05 36 bc 86 00 90 fb 08 2b ad 08 00 45 00   .@.6......+...E.
0010  00 38 f1 5f 00 00 1e 11 28 68 c0 a8 00 ce c0 a8   .8._....(h......
0020  00 cf 02 f1 04 51 00 24 2c b8 aa 0e 9e ae 00 00   .....Q.$,.......
0030  00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0040  00 00 00 00 00 00                                 ......

No.     Time        Source                Destination           Protocol Info
    43 16.699945   192.168.0.207         192.168.0.206         RPC      Continuation

Frame 43 (110 bytes on wire, 110 bytes captured)
Ethernet II, Src: AniCommu_36:bc:86 (00:40:05:36:bc:86), Dst: Portwell_08:2b:ad (00:90:fb:08:2b:ad)
Internet Protocol, Src: 192.168.0.207 (192.168.0.207), Dst: 192.168.0.206 (192.168.0.206)
User Datagram Protocol, Src Port: 1105 (1105), Dst Port: 753 (753)
Remote Procedure Call
   Continuation data

0000  00 90 fb 08 2b ad 00 40 05 36 bc 86 08 00 45 00   ....+..@.6....E.
0010  00 60 33 be 00 00 80 11 83 e1 c0 a8 00 cf c0 a8   .`3.............
0020  00 ce 04 51 02 f1 00 4c 36 50 a9 91 12 88 00 00   ...Q...L6P......
0030  00 00 00 00 00 02 20 00 00 00 00 00 00 01 00 00   ...... .........
0040  00 65 00 00 00 01 00 00 00 1c 47 15 17 9c 00 00   .e........G.....
0050  00 07 30 2e 30 2e 30 2e 30 00 00 00 42 f4 00 00   ..0.0.0.0...B...
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00         ..............

No.     Time        Source                Destination           Protocol Info
    44 16.703687   192.168.0.206         192.168.0.207         RPC      Continuation

Frame 44 (70 bytes on wire, 70 bytes captured)
Ethernet II, Src: Portwell_08:2b:ad (00:90:fb:08:2b:ad), Dst: AniCommu_36:bc:86 (00:40:05:36:bc:86)
Internet Protocol, Src: 192.168.0.206 (192.168.0.206), Dst: 192.168.0.207 (192.168.0.207)
User Datagram Protocol, Src Port: 753 (753), Dst Port: 1105 (1105)
Remote Procedure Call
   Continuation data

0000  00 40 05 36 bc 86 00 90 fb 08 2b ad 08 00 45 00   .@.6......+...E.
0010  00 38 f1 60 00 00 1e 11 28 67 c0 a8 00 ce c0 a8   .8.`....(g......
0020  00 cf 02 f1 04 51 00 24 a9 6b a9 91 12 88 00 00   .....Q.$.k......
0030  00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0040  00 00 00 00 0f f0                                 ......


Raymond Balister
Sr. Software Engineer
L-3 Communications/Brashear
615 Epsilon Drive
Pittsburgh, PA  15238
412.967.7526
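Added example (editor's code, not from either message in this thread): a small Python decoder for the ONC-RPC header as laid out in RFC 5531, run over frames 35 and 36 from the hex dumps quoted above. It shows that the frames Wireshark labelled "Continuation" are a complete CALL and its accepted REPLY for program 536870912 (0x20000000), which falls in the user-defined program range that the "Dissect unknown RPC program numbers" preference covers; program-number ranges follow RFC 5531 section 8.1, and the frame bytes are copied from the dumps, with no IP options assumed beyond what the IHL field says.

```python
import struct

# Frames 35 (call) and 36 (reply) exactly as hex-dumped in the quoted message above.
FRAME_35 = bytes.fromhex(
    "0090fb082bad00400536bc8608004500 005033ba0000801183f5c0a800cfc0a8"
    "00ce045102f1003cdfc578f215230000 00000000000220000000000000010000"
    "00010000000000000000000000000000 0000000000037463730000000000")
FRAME_36 = bytes.fromhex(
    "00400536bc860090fb082bad08004500 0038f15c00001e11286bc0a800cec0a8"
    "00cf02f104510024a46b78f215230000 00010000000000000000000000000000"
    "0000000042f4")

def program_range(prog):
    """Classify a program number by the RFC 5531 section 8.1 ranges."""
    if prog < 0x20000000:
        return "assigned by IANA"
    if prog < 0x40000000:
        return "user-defined"
    return "transient" if prog < 0x60000000 else "reserved"

def udp_payload(frame):
    """Strip Ethernet II, IPv4 (honouring IHL) and UDP headers."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    udp = 14 + (frame[14] & 0x0F) * 4
    udp_len = struct.unpack("!H", frame[udp + 4:udp + 6])[0]
    return frame[udp + 8:udp + udp_len]

def _opaque_auth(buf, off):
    # XDR opaque_auth: flavor, body length, body padded to a 4-byte boundary.
    flavor, length = struct.unpack("!II", buf[off:off + 8])
    return flavor, off + 8 + (length + 3) // 4 * 4

def parse_rpc(payload):
    """Decode an RPC CALL or REPLY header; trailing bytes are the XDR-encoded body."""
    xid, mtype = struct.unpack("!II", payload[:8])
    if mtype == 0:  # CALL
        rpcvers, prog, vers, proc = struct.unpack("!IIII", payload[8:24])
        _, off = _opaque_auth(payload, 24)   # credentials
        _, off = _opaque_auth(payload, off)  # verifier
        return {"xid": xid, "type": "CALL", "rpc_version": rpcvers, "program": prog,
                "range": program_range(prog), "version": vers, "procedure": proc,
                "args": payload[off:]}
    if mtype == 1:  # REPLY
        reply_stat = struct.unpack("!I", payload[8:12])[0]
        if reply_stat != 0:  # MSG_DENIED carries no verifier or accept_stat
            return {"xid": xid, "type": "REPLY", "reply_stat": reply_stat}
        _, off = _opaque_auth(payload, 12)   # verifier
        accept_stat = struct.unpack("!I", payload[off:off + 4])[0]
        return {"xid": xid, "type": "REPLY", "reply_stat": 0,
                "accept_stat": accept_stat, "results": payload[off + 4:]}
    raise ValueError("unknown msg_type %d" % mtype)
```

Running parse_rpc(udp_payload(FRAME_35)) yields XID 0x78f21523, program 536870912 in the user-defined range, version 1, procedure 1, with the XDR string "tcs" in the arguments; FRAME_36 is the matching accepted reply with accept_stat 0 and a 4-byte result.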