Wireshark mailing list archives

Re: DCERPC over TCP


From: Guy Harris <guy () alum mit edu>
Date: Mon, 19 Dec 2011 18:16:36 -0800


On Dec 19, 2011, at 5:43 PM, Andrej van der Zee wrote:

> I was wondering how Wireshark detects DCERPC over TCP. I was under the
> impression that Wireshark uses fixed TCP port numbers for this.

Nope.

The DCE RPC dissector, like the ONC RPC dissector, and a number of other dissectors, is a "heuristic" dissector.  
They're both registered as heuristic dissectors for TCP and UDP, meaning that (depending on TCP and UDP protocol 
settings) they are either called for all TCP segments and UDP packets and offered the opportunity to "claim" the 
packets, or are called for all TCP segments and UDP packets for which no dissector has been found based on the port 
number and offered the opportunity to "claim" the packets.

Heuristic dissectors look at the data handed to them and try to determine whether it's a packet for their protocol or 
not, and:

        if so, dissect the packet and return TRUE, indicating that they've claimed it (so no other dissectors will be 
handed the packet);

        if not, return FALSE, so that some other dissector can possibly handle it.

As one might expect, there's no guarantee that a heuristic dissector will make the correct determination - they might 
incorrectly identify a packet as being for their protocol or incorrectly *fail* to identify a packet as being for their 
protocol.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
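The claim/decline contract described above, written as an added example in Wireshark's Lua plugin API (this is not part of the original thread and not Wireshark's own DCE RPC heuristic); the protocol, its "MYH1" magic value and the field names are constructed for illustration.

```lua
-- Hypothetical protocol used only to show how a heuristic dissector
-- claims or declines a packet. Drop this file in the Wireshark plugins
-- directory; tshark/Wireshark load it at startup.
local myheur = Proto("myheur", "Hypothetical Heuristic Protocol")

local f_magic = ProtoField.uint32("myheur.magic", "Magic", base.HEX)
local f_len   = ProtoField.uint16("myheur.len",   "Payload length", base.DEC)
myheur.fields = { f_magic, f_len }

local MAGIC = 0x4D594831   -- "MYH1", constructed for this example
local HDR_LEN = 6          -- 4-byte magic + 2-byte payload length

-- Called for TCP segments / UDP datagrams that reach the heuristic list
-- (all of them if "try heuristic sub-dissectors first" is enabled in the
-- TCP/UDP preferences, otherwise only those with no port-based match).
-- Return true to claim the packet, false to let other dissectors try.
local function heuristic(tvb, pinfo, tree)
    -- Too short to even hold our header: decline without touching the tree.
    if tvb:len() < HDR_LEN then return false end

    -- Cheap, specific checks first; a weak check here is what causes the
    -- false positives Guy mentions (claiming packets that are not ours).
    if tvb(0, 4):uint() ~= MAGIC then return false end

    local plen = tvb(4, 2):uint()
    if plen ~= tvb:len() - HDR_LEN then return false end

    -- Everything matched: dissect and claim.
    pinfo.cols.protocol = "MYHEUR"
    local subtree = tree:add(myheur, tvb(), "Hypothetical Heuristic Protocol")
    subtree:add(f_magic, tvb(0, 4))
    subtree:add(f_len,   tvb(4, 2))

    -- Bind this conversation to us so later packets on the same 5-tuple
    -- go straight to this dissector instead of re-running the heuristic.
    pinfo.conversation = myheur
    return true
end

-- Register on both transport heuristic lists, as the DCE RPC and
-- ONC RPC dissectors do.
myheur:register_heuristic("tcp", heuristic)
myheur:register_heuristic("udp", heuristic)
```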