On Mar 31, 2009, at 9:59 AM, Peter Hartmann wrote:
> Hi, I've noticed quite a bit of broadcast traffic like this and am
> wondering if this is normal in an MS domain. What do you think?
>
> 3 0.265561 10.3.85.104 255.255.255.255 DCERPC Request: seq: 0 opnum: 18264 len: 12599 00000000-0a03-5568-0011-43c586f40000 V0
> 9 1.469157 10.3.85.116 255.255.255.255 DCERPC Request: seq: 0 opnum: 18264 len: 12593 00000000-0a03-5574-0012-3f84a4620000 V0
> 6 1.325521 10.3.85.62 255.255.255.255 DCERPC Request: seq: 0 opnum: 18264 len: 0 00000000-0a03-553e-00b0-d060db100000 V0
> 7 1.386135 10.3.85.127 255.255.255.255 DCERPC Request: seq: 0 opnum: 18264 len: 12598 00000000-0a03-557f-0011-43c2f31b0000 V0

That might be traffic that's not DCE RPC traffic but that Wireshark's
heuristic identifies as DCE RPC traffic. (There is no perfect
heuristic to determine whether something is DCE RPC traffic or not.)
Try disabling the DCERPC dissector, and see what Wireshark thinks the
traffic is.
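
A quick triage check that complements the suggestion above, as an added example that is not part of the original thread: it parses the four packet-list lines quoted in the post and compares bytes 4-7 of the value Wireshark printed as the object UUID with each packet's source address. The names `SUMMARY`, `LINE_RE` and `analyse` are illustrative, and reading the six following bytes as a possible hardware address is an assumption to verify against the capture's Ethernet headers.

```python
import ipaddress
import re

# Packet-list lines taken from the post above, unwrapped to one packet per line.
SUMMARY = """\
3 0.265561 10.3.85.104 255.255.255.255 DCERPC Request: seq: 0 opnum: 18264 len: 12599 00000000-0a03-5568-0011-43c586f40000 V0
9 1.469157 10.3.85.116 255.255.255.255 DCERPC Request: seq: 0 opnum: 18264 len: 12593 00000000-0a03-5574-0012-3f84a4620000 V0
6 1.325521 10.3.85.62 255.255.255.255 DCERPC Request: seq: 0 opnum: 18264 len: 0 00000000-0a03-553e-00b0-d060db100000 V0
7 1.386135 10.3.85.127 255.255.255.255 DCERPC Request: seq: 0 opnum: 18264 len: 12598 00000000-0a03-557f-0011-43c2f31b0000 V0
"""

# Matches the summary columns as they appear in the post: No., Time, Source,
# Destination, Protocol, then the Info text ending in the displayed UUID.
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DCERPC\s+"
    r".*?opnum:\s*(?P<opnum>\d+)\s+len:\s*(?P<len>\d+)\s+"
    r"(?P<uuid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\b",
    re.IGNORECASE,
)


def analyse(summary):
    """Return one dict per parsed line, flagging UUID text that embeds the source IP."""
    rows = []
    for line in summary.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a DCERPC summary line in the expected layout
        # Work on the UUID exactly as displayed; no claim about on-wire byte order.
        raw = bytes.fromhex(m["uuid"].replace("-", ""))
        embedded_ip = str(ipaddress.IPv4Address(raw[4:8]))
        rows.append({
            "no": int(m["no"]),
            "src": m["src"],
            "opnum": int(m["opnum"]),
            "embedded_ip": embedded_ip,
            "ip_matches_src": embedded_ip == m["src"],
            # Assumption: these six bytes may be a hardware address; compare by hand.
            "next6": raw[8:14].hex(":"),
        })
    return rows


if __name__ == "__main__":
    for row in analyse(SUMMARY):
        print(row)
```

When the comparison holds for every sender, the displayed "UUID" is more plausibly part of some other protocol's payload than a DCE RPC object identifier, which fits the heuristic-misidentification explanation in the reply.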