tcpdump mailing list archives

DCERPC


From: Andrej van der Zee <andrejvanderzee () gmail com>
Date: Wed, 13 Apr 2011 22:21:52 +0900

Hi,

I wrote a sniffer using libpcap that re-assembles TCP streams to
enable HTTP request/response re-assembly. It works fine except when
DCERPC packets are found in the middle of a data transfer between an
HTTP client and server (see below for an example of such a DCERPC
packet, captured with Wireshark). Why do these packets show up (not
often, though) in the middle of an HTTP stream? How can I recognize
these packets using libpcap?

Thank you,
Andrej


Frame 461 (11282 bytes on wire, 11282 bytes captured)
    Arrival Time: Apr 13, 2011 21:54:10.076378000
    [Time delta from previous captured frame: 0.000029000 seconds]
    [Time delta from previous displayed frame: 0.000029000 seconds]
    [Time since reference or first frame: 34.142183000 seconds]
    Frame Number: 461
    Frame Length: 11282 bytes
    Capture Length: 11282 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp:http:dcerpc]
    [Coloring Rule Name: Checksum Errors]
    [Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1
|| ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 ||
mstp.checksum_bad==1]
Ethernet II, Src: Dell_99:6d:be (b8:ac:6f:99:6d:be), Dst:
All-HSRP-routers_12 (00:00:0c:07:ac:12)
Internet Protocol, Src: 85.17.148.22 (85.17.148.22), Dst:
175.105.93.20 (175.105.93.20)
Transmission Control Protocol, Src Port: http (80), Dst Port: 53444
(53444), Seq: 1885021513, Ack: 2538648414, Len: 11216
Hypertext Transfer Protocol
DCE RPC Request, Fragment: Mid, FragLen: 5, Call: 2236416
    Version: 5
    Version (minor): 0
    Packet type: Request (0)
    Packet Flags: 0x00
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..0. = Last Frag: Not set
        .... ...0 = First Frag: Not set
    Data Representation: 00000000
        Byte order: Big-endian (0)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 5
    Auth Length: 16400
    Call ID: 2236416
[Unreassembled Packet [incorrect TCP checksum]: DCERPC]
    [Expert Info (Warn/Reassemble): Unreassembled Packet (Exception occurred)]
        [Message: Unreassembled Packet (Exception occurred)]
        [Severity level: Warn]
        [Group: Reassemble]
[DCE RPC: 11211 bytes left, desegmentation might follow]
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
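As an added example (not from the poster or from libpcap), the C helper below applies structural checks to a candidate DCERPC connection-oriented header before a sniffer treats a TCP segment as DCERPC. The dissection above reports Frag Length 5 and Auth Length 16400, which cannot hold the 16-byte common header, so those bytes fail the check; the sample arrays are constructed from the values Wireshark printed and from a made-up well-formed request header, with the field layout taken from the DCE 1.1 RPC (C706) common header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DCERPC_CO_HDR_LEN      16   /* connection-oriented common header */
#define DCERPC_SEC_TRAILER_LEN  8   /* sec_trailer preceding auth data   */

struct dcerpc_co_hdr {
    uint8_t  rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep[4];
    uint16_t frag_length, auth_length;
    uint32_t call_id;
};

/* Decode the 16-byte header at p. Integer fields follow drep[0] bit 4
 * (0 = big-endian, as in the dissection above). Returns -1 if too short. */
int dcerpc_parse_hdr(const uint8_t *p, size_t len, struct dcerpc_co_hdr *h)
{
    if (len < DCERPC_CO_HDR_LEN)
        return -1;
    int le = p[4] & 0x10;
    h->rpc_vers = p[0]; h->rpc_vers_minor = p[1];
    h->ptype    = p[2]; h->pfc_flags      = p[3];
    for (int i = 0; i < 4; i++) h->drep[i] = p[4 + i];
    h->frag_length = le ? (uint16_t)(p[8]  | p[9]  << 8) : (uint16_t)(p[8]  << 8 | p[9]);
    h->auth_length = le ? (uint16_t)(p[10] | p[11] << 8) : (uint16_t)(p[10] << 8 | p[11]);
    h->call_id = le ? ((uint32_t)p[12] | (uint32_t)p[13] << 8 | (uint32_t)p[14] << 16 | (uint32_t)p[15] << 24)
                    : ((uint32_t)p[12] << 24 | (uint32_t)p[13] << 16 | (uint32_t)p[14] << 8 | (uint32_t)p[15]);
    return 0;
}

/* Sanity checks: version 5.0/5.1, a defined PDU type (0..19), and a fragment
 * large enough for the header plus any sec_trailer and auth data it claims. */
int dcerpc_hdr_plausible(const uint8_t *p, size_t len)
{
    struct dcerpc_co_hdr h;
    if (dcerpc_parse_hdr(p, len, &h) < 0) return 0;
    if (h.rpc_vers != 5 || h.rpc_vers_minor > 1) return 0;
    if (h.ptype > 19) return 0;                       /* 19 = orphaned */
    if (h.frag_length < DCERPC_CO_HDR_LEN) return 0;
    if (h.auth_length && (size_t)h.auth_length + DCERPC_SEC_TRAILER_LEN
                         > (size_t)(h.frag_length - DCERPC_CO_HDR_LEN)) return 0;
    return 1;
}

/* Constructed: the header values Wireshark reported above (vers 5.0, type 0,
 * flags 0, drep 0 = big-endian, frag 5, auth 16400, call id 2236416). */
const uint8_t kDissectedHdr[DCERPC_CO_HDR_LEN] = {
    0x05, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x05,  0x40, 0x10,  0x00, 0x22, 0x20, 0x00 };

/* Constructed: well-formed little-endian request, first+last frag, 24 bytes. */
const uint8_t kWellFormedHdr[DCERPC_CO_HDR_LEN] = {
    0x05, 0x00, 0x00, 0x03,  0x10, 0x00, 0x00, 0x00,
    0x18, 0x00,  0x00, 0x00,  0x01, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("dissected header plausible:   %d\n", dcerpc_hdr_plausible(kDissectedHdr, sizeof kDissectedHdr));
    printf("well-formed header plausible: %d\n", dcerpc_hdr_plausible(kWellFormedHdr, sizeof kWellFormedHdr));
    return 0;
}
```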