Ethereal-dev: Re: [Ethereal-dev] [patch] spoolss updates

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Todd Sabin <tsabin@xxxxxxxxxxxxx>
Date: 17 Feb 2002 12:54:47 -0500

Tim Potter <tpot@xxxxxxxxx> writes:
> SPOOLSS and WINREG dissectors.  I would also like to rename the
> packet-dcerpc-nt.{c,h} files to packet-dcerpc-smb.{c,h} as it's a more
> appropriate name.

Actually, it's not.  I.e., SMB is less accurate than NT, at least for
the NDR/DCERPC part of things.  You typically see samr, lsarpc,
netlogon, and the rest done over SMB (the ncacn_np protocol sequence),
but they really have nothing to do with SMB, per se.  E.g., I sent
Ronnie and Guy a trace of SAMR traffic going over UDP---no SMB at all.
In some non-default cases, you can even do SAMR traffic over port 80.
MS calls it ncacn_http, but it's really nothing more than ncacn_ip_tcp
proxied by IIS.  See

http://razor.bindview.com/tools/desc/rpctools1.0-readme.html

You can also do things like SAMR traffic over the \lsarpc pipe (and
vice versa), and a number of other things that MS's clients don't
typically do.


Todd
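
Added example, not part of the original message or of Ethereal's code: a minimal parser that names the RPC interface from the abstract-syntax UUID in a connection-oriented (version 5) DCE/RPC bind PDU, which is the same whichever of ncacn_np, ncacn_ip_tcp or ncacn_http carried it. The sample PDU and the transport labels are constructed for illustration, and the connectionless (UDP) PDU format is not covered.

```python
import struct
import uuid

# Interface UUIDs as published in Microsoft's protocol documentation.
KNOWN_INTERFACES = {
    uuid.UUID("12345778-1234-abcd-ef00-0123456789ac"): "samr",
    uuid.UUID("12345778-1234-abcd-ef00-0123456789ab"): "lsarpc",
    uuid.UUID("12345678-1234-abcd-ef00-01234567cffb"): "netlogon",
}
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax, v2
PTYPE_BIND = 11


def bind_interfaces(pdu):
    """Return [(interface, major, minor)] for each context of a v5 bind PDU."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        raise ValueError("not a connection-oriented DCE/RPC bind PDU")
    little = (pdu[4] >> 4) == 1          # drep[0] high nibble: 1 = little-endian
    e = "<" if little else ">"
    frag_len = struct.unpack_from(e + "H", pdu, 8)[0]
    if frag_len > len(pdu):
        raise ValueError("fragment length exceeds captured data")
    found, off = [], 28                  # context list follows the 28-byte bind header
    for _ in range(pdu[24]):             # n_context_elem
        if off + 24 > frag_len:
            raise ValueError("truncated context element")
        n_xfer = pdu[off + 2]
        raw = pdu[off + 4:off + 20]
        if_uuid = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        major, minor = struct.unpack_from(e + "HH", pdu, off + 20)
        found.append((KNOWN_INTERFACES.get(if_uuid, str(if_uuid)), major, minor))
        off += 24 + 20 * n_xfer          # skip this element's transfer syntaxes
    return found


def build_bind(if_uuid, major=1, minor=0):
    """Constructed sample: little-endian bind PDU with one context element."""
    ctx = struct.pack("<HBx", 0, 1) + if_uuid.bytes_le + struct.pack("<HH", major, minor)
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBxH", 4280, 4280, 0, 1, 0) + ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, 1)
    return hdr + body


# Constructed scenario: the same SAMR bind seen on three transports.
SAMR = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")
for transport in (r"ncacn_np:\pipe\lsarpc", "ncacn_ip_tcp", "ncacn_http"):
    print(transport, "->", bind_interfaces(build_bind(SAMR)))
```

A monitoring rule keyed on the pipe name or port would label the first case lsarpc; keying on the bound interface UUID reports samr in all three.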