Wireshark mailing list archives
Re: DCERPC over TCP
From: Bill Meier <wmeier () newsguy com>
Date: Mon, 19 Dec 2011 21:20:49 -0500
On 12/19/2011 8:43 PM, Andrej van der Zee wrote:
Hi, I was wondering how Wireshark detects DCERPC over TCP. I was under the impression that Wireshark uses fixed TCP port numbers for this. But I am looking at a TCP stream that, right after the connection is established on TCP port 1207, shows DCERPC packets. Although TCP port 1207 is an IANA registered port for "metasaga", Googling for it doesn't give me much. So now I am doubting if Wireshark really uses fixed port numbers for DCERPC over TCP, and if so, where can I find the list of port numbers it uses (there is no input field in Wireshark's Preferences as there is for HTTP)?
The dcerpc dissector registers itself as a TCP heuristic dissector (among other registrations).
This means that when/if called by the tcp dissector, the dcerpc dissector looks at the data handed to it to determine if the data looks like dcerpc.
See the epan/dissectors/packet-dcerpc.c for the exact details if you're interested.
Note that the TCP dissector has a preference to: "Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port".
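As an added illustration of the heuristic approach described in the reply (this is not Wireshark's code; the real logic is in epan/dissectors/packet-dcerpc.c), here is a simplified header-sanity check of the kind a TCP heuristic dissector performs. The field layout follows the DCE/RPC connection-oriented common header; the acceptance rules are my own approximation, and the sample payloads are constructed.

```python
import struct

# DCE/RPC connection-oriented common header, 16 bytes:
#   rpc_vers(1) rpc_vers_minor(1) ptype(1) pfc_flags(1) packed_drep(4)
#   frag_length(2) auth_length(2) call_id(4)
CO_HDR_LEN = 16
# Connection-oriented PDU types: request, ping, response, fault, bind, bind_ack,
# bind_nak, alter_context, alter_context_resp, auth3 (MS-RPCE), shutdown,
# co_cancel, orphaned
CO_PTYPES = {0, 1, 2, 3, 11, 12, 13, 14, 15, 16, 17, 18, 19}


def looks_like_dcerpc(payload: bytes) -> tuple[bool, str]:
    """Heuristic verdict on one TCP segment payload: (is_dcerpc, reason)."""
    if len(payload) < CO_HDR_LEN:
        return False, "shorter than common header"
    rpc_vers, vers_minor, ptype, pfc_flags = payload[:4]
    if rpc_vers != 5 or vers_minor not in (0, 1):
        return False, f"version {rpc_vers}.{vers_minor} is not 5.0/5.1"
    if ptype not in CO_PTYPES:
        return False, f"ptype {ptype} is not a connection-oriented PDU type"
    drep = payload[4:8]
    # packed_drep byte 0: high nibble = integer byte order (0 big, 1 little),
    # low nibble = character set (0 ASCII, 1 EBCDIC); byte 1 = float format (0..3)
    int_rep, char_rep, float_rep = drep[0] >> 4, drep[0] & 0x0F, drep[1]
    if int_rep > 1 or char_rep > 1 or float_rep > 3:
        return False, "invalid packed_drep"
    endian = "<" if int_rep == 1 else ">"
    frag_length, auth_length = struct.unpack(endian + "HH", payload[8:12])
    if frag_length < CO_HDR_LEN or auth_length > frag_length - CO_HDR_LEN:
        return False, f"frag_length={frag_length}/auth_length={auth_length} inconsistent"
    return True, f"ptype={ptype} frag_length={frag_length} flags=0x{pfc_flags:02x}"


# Constructed samples: a little-endian bind PDU header (frag_length 72, call_id 1),
# the same bind expressed big-endian, and an HTTP request on the same port.
BIND_LE = bytes.fromhex("05000b03 10000000 48000000 01000000")
BIND_BE = bytes.fromhex("05000b03 00000000 00480000 00000001")
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


def classify_samples() -> dict[str, bool]:
    """Run the heuristic over the constructed samples, keyed by name."""
    samples = {"bind_le": BIND_LE, "bind_be": BIND_BE, "http": HTTP_REQUEST}
    return {name: looks_like_dcerpc(data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {'DCERPC' if verdict else 'not DCERPC'}")
```

A real dissector goes further (it tracks the conversation so that later segments of a fragmented PDU are still attributed to DCE/RPC), which is why a single-segment check like this is only a first filter.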