> > ...which means "port 111 or 2049" won't work as a way to identify RPC
> > requests; the heuristic I used in another program was:
> stuff deleted: CALL/RPC version/known RPC program number or REPLY/XID
> This is the method tcpdump uses for the dissection. It is the right way.
It uses that for dissection, but it doesn't use that to *recognize* RPC
requests - it only checks for ports 111 and 2049, which works *only* for
portmapper/rpcbind and NFS.
> The other RPC services (YP, mount, lock etc.) don't have a fixed port, so the
> best way is to use the heuristic method
...which, once it's implemented, recognizes portmapper/rpcbind and NFS
as well as the others, so there's no need to handle 111 or 2049
specially.
> or even better, remember the replies from portmapper
> getport/getaddr/dump.
Which works only if there *are* replies from the portmapper in the
capture; that's not always the case in captures one needs to look at
(and if you do the heuristics, you don't need that).
> Thanks for the hint but allow me a short note: I work full time on the NFS
> implementation for ReliantUNIX. I know RPC.
Yes - the comments were "for the record" (and for folks not familiar
with ONC RPC).
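As an added illustration of the heuristic the thread describes (not code from this thread or from the dissector being discussed), the following Python classifier recognizes ONC RPC traffic by message content alone: a CALL is accepted when the RPC version field is 2 and the program number is a known one, and a REPLY is accepted when its XID matches a CALL seen earlier in the same capture, which is what lets services on ephemeral ports (mountd, lock manager, YP) be picked up without any port check. The program table is a small subset chosen for the example, and the packets fed to it are constructed inline rather than taken from a real capture.

```python
import struct

# ONC RPC message header constants (RFC 1057 / RFC 5531).
RPC_CALL = 0
RPC_REPLY = 1
RPC_VERSION = 2
AUTH_NULL = 0

# Subset of well-known program numbers; a real dissector would carry the full table.
KNOWN_PROGRAMS = {
    100000: "portmapper",
    100003: "nfs",
    100004: "ypserv",
    100005: "mountd",
    100021: "nlockmgr",
}


class RpcHeuristic:
    """Classifies a UDP/TCP payload as ONC RPC without looking at port numbers."""

    def __init__(self):
        # XID -> program number of an outstanding CALL, used to match replies.
        self.pending = {}

    def classify(self, payload):
        if len(payload) < 12:
            return None
        xid, msg_type, _ = struct.unpack("!III", payload[:12])
        if msg_type == RPC_CALL:
            # CALL body: rpcvers, prog, vers, proc, then cred and verf.
            if len(payload) < 24:
                return None
            rpcvers, prog, _vers, _proc = struct.unpack("!IIII", payload[8:24])
            if rpcvers != RPC_VERSION or prog not in KNOWN_PROGRAMS:
                return None
            self.pending[xid] = prog
            return ("CALL", KNOWN_PROGRAMS[prog], xid)
        if msg_type == RPC_REPLY:
            # A REPLY is only trusted if we saw the CALL it answers.
            prog = self.pending.pop(xid, None)
            if prog is None:
                return None
            return ("REPLY", KNOWN_PROGRAMS[prog], xid)
        return None


def build_call(xid, prog, vers, proc):
    """Constructed RPC CALL with AUTH_NULL credential and verifier."""
    header = struct.pack("!IIIIII", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    cred = struct.pack("!II", AUTH_NULL, 0)
    verf = struct.pack("!II", AUTH_NULL, 0)
    return header + cred + verf


def build_reply(xid):
    """Constructed accepted RPC REPLY (MSG_ACCEPTED, SUCCESS) with AUTH_NULL verifier."""
    return struct.pack("!III", xid, RPC_REPLY, 0) + struct.pack("!II", AUTH_NULL, 0) + struct.pack("!I", 0)


def run_demo():
    """Feed constructed packets through the heuristic; returns the classifications."""
    h = RpcHeuristic()
    packets = [
        build_call(0x1234, 100005, 3, 1),   # MOUNT v3 MNT on an ephemeral port
        build_reply(0x1234),                # its reply, matched by XID
        build_reply(0x9999),                # stray reply with no matching call
        build_call(0x0001, 424242, 1, 1),   # unknown program number, rejected
        b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00",  # DNS-like bytes
    ]
    return [h.classify(p) for p in packets]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The XID bookkeeping is per-capture state, so the classifier has to see the CALL before the REPLY; a reply whose call fell outside the capture is left unclassified rather than guessed at, which is the trade-off the thread points out for the portmapper-tracking approach as well.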