tcpdump mailing list archives
DCERPC
From: Andrej van der Zee <andrejvanderzee () gmail com>
Date: Wed, 13 Apr 2011 22:21:52 +0900
Hi,

I wrote a sniffer using libpcap that re-assembles TCP streams to enable HTTP request/response re-assembly. It works fine except when DCERPC packets are found in the middle of a data transfer between an HTTP client and server (see below for an example of such a DCERPC packet, captured with Wireshark). Why do these packets show up (not often though) in the middle of an HTTP stream? How can I recognize these packets using libpcap?

Thank you,
Andrej

Frame 461 (11282 bytes on wire, 11282 bytes captured)
    Arrival Time: Apr 13, 2011 21:54:10.076378000
    [Time delta from previous captured frame: 0.000029000 seconds]
    [Time delta from previous displayed frame: 0.000029000 seconds]
    [Time since reference or first frame: 34.142183000 seconds]
    Frame Number: 461
    Frame Length: 11282 bytes
    Capture Length: 11282 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp:http:dcerpc]
    [Coloring Rule Name: Checksum Errors]
    [Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || mstp.checksum_bad==1]
Ethernet II, Src: Dell_99:6d:be (b8:ac:6f:99:6d:be), Dst: All-HSRP-routers_12 (00:00:0c:07:ac:12)
Internet Protocol, Src: 85.17.148.22 (85.17.148.22), Dst: 175.105.93.20 (175.105.93.20)
Transmission Control Protocol, Src Port: http (80), Dst Port: 53444 (53444), Seq: 1885021513, Ack: 2538648414, Len: 11216
Hypertext Transfer Protocol
DCE RPC Request, Fragment: Mid, FragLen: 5, Call: 2236416
    Version: 5
    Version (minor): 0
    Packet type: Request (0)
    Packet Flags: 0x00
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..0. = Last Frag: Not set
        .... ...0 = First Frag: Not set
    Data Representation: 00000000
        Byte order: Big-endian (0)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 5
    Auth Length: 16400
    Call ID: 2236416
    [Unreassembled Packet [incorrect TCP checksum]: DCERPC]
        [Expert Info (Warn/Reassemble): Unreassembled Packet (Exception occurred)]
            [Message: Unreassembled Packet (Exception occurred)]
            [Severity level: Warn]
            [Group: Reassemble]
    [DCE RPC: 11211 bytes left, desegmentation might follow]
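A check a stream reassembler can apply before trusting a "DCE RPC" label, as an added example that is not part of the post and not code from libpcap or Wireshark: the sixteen common-header bytes below are reconstructed from the field values Wireshark printed in the decode above (version 5.0, type 0, flags 0x00, big-endian data representation, frag length 5, auth length 16400, call id 2236416); the second sample header is constructed for contrast and is not from the capture. A frag_length of 5 is smaller than the 16-byte header it is supposed to cover, so these bytes cannot be the start of a real DCE RPC PDU. This is the kind of internal-consistency test a reassembler should run instead of re-identifying the protocol from whatever payload bytes happen to be at the start of a segment; a reassembler that stays on HTTP framing (Content-Length, chunked encoding) does not leave the HTTP stream at this point at all.

```python
import struct
from typing import Dict, List, Optional

# Length of the connection-oriented DCE RPC common header (DCE 1.1 RPC, section 12.6.3).
DCERPC_HDR_LEN = 16
# Highest defined connection-oriented PDU type (request = 0 ... orphaned = 19).
DCERPC_MAX_PTYPE = 19
# An auth trailer is an 8-byte auth_verifier header followed by auth_length bytes.
DCERPC_AUTH_VERIFIER_LEN = 8


def parse_dcerpc_header(buf: bytes) -> Optional[Dict[str, int]]:
    """Decode the 16-byte common header; return None if fewer than 16 bytes are present."""
    if len(buf) < DCERPC_HDR_LEN:
        return None
    ver, minor, ptype, pflags = buf[0], buf[1], buf[2], buf[3]
    drep = buf[4:8]
    # drep[0]: high nibble = integer byte order (0 big-endian, 1 little-endian),
    # low nibble = character set (0 ASCII, 1 EBCDIC). drep[1] = floating-point
    # format (0..3). drep[2] and drep[3] are reserved and must be zero.
    big_endian = (drep[0] >> 4) == 0
    fmt = ">HHI" if big_endian else "<HHI"
    frag_len, auth_len, call_id = struct.unpack(fmt, buf[8:16])
    return {
        "version": ver, "minor": minor, "ptype": ptype, "pflags": pflags,
        "byte_order": drep[0] >> 4, "char_rep": drep[0] & 0x0F, "float_rep": drep[1],
        "drep_reserved": (drep[2] << 8) | drep[3],
        "frag_length": frag_len, "auth_length": auth_len, "call_id": call_id,
    }


def dcerpc_header_problems(buf: bytes) -> List[str]:
    """Return every consistency violation found; an empty list means the header is plausible."""
    hdr = parse_dcerpc_header(buf)
    if hdr is None:
        return ["fewer than 16 bytes available"]
    problems: List[str] = []
    if hdr["version"] != 5 or hdr["minor"] not in (0, 1):
        problems.append(f"unsupported version {hdr['version']}.{hdr['minor']}")
    if hdr["ptype"] > DCERPC_MAX_PTYPE:
        problems.append(f"unknown packet type {hdr['ptype']}")
    if (hdr["byte_order"] > 1 or hdr["char_rep"] > 1
            or hdr["float_rep"] > 3 or hdr["drep_reserved"] != 0):
        problems.append("invalid data representation label")
    if hdr["frag_length"] < DCERPC_HDR_LEN:
        problems.append(f"frag_length {hdr['frag_length']} is shorter than the 16-byte header")
    elif hdr["auth_length"] and (hdr["auth_length"] + DCERPC_AUTH_VERIFIER_LEN
                                 > hdr["frag_length"] - DCERPC_HDR_LEN):
        problems.append(f"auth_length {hdr['auth_length']} does not fit inside "
                        f"frag_length {hdr['frag_length']}")
    return problems


# Header bytes reconstructed from the field values Wireshark printed in the post:
# version 5.0, ptype 0, flags 0x00, drep 00000000 (big-endian), frag 5, auth 16400, call 2236416.
POST_SAMPLE = bytes.fromhex("05000000" "00000000" "0005" "4010" "00222000")

# Constructed, well-formed bind PDU header for contrast (not from the capture):
# version 5.0, ptype 11 (bind), flags 0x03 (first|last frag), little-endian drep,
# frag 72, auth 0, call 1.
CONSTRUCTED_BIND = bytes.fromhex("05000b03" "10000000" "4800" "0000" "01000000")

if __name__ == "__main__":
    for name, sample in (("post sample", POST_SAMPLE), ("constructed bind", CONSTRUCTED_BIND)):
        problems = dcerpc_header_problems(sample)
        print(f"{name}: {parse_dcerpc_header(sample)}")
        print(f"  -> {'plausible DCE RPC header' if not problems else '; '.join(problems)}")
```

The decoder honours the byte-order nibble of the data representation label, so the same check works for the little-endian headers Windows RPC clients normally emit and for the big-endian label in the captured bytes; a header that fails any test should be left to the protocol the stream was already in rather than treated as a protocol switch.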