On Dec 19, 2011, at 5:43 PM, Andrej van der Zee wrote:
> I was wondering how Wireshark detects DCERPC over TCP. I was under the
> impression that Wireshark uses fixed TCP port numbers for this.
Nope.
The DCE RPC dissector, like the ONC RPC dissector, and a number of other dissectors, is a "heuristic" dissector. They're both registered as heuristic dissectors for TCP and UDP, meaning that (depending on TCP and UDP protocol settings) they are either called for all TCP segments and UDP packets and offered the opportunity to "claim" the packets, or are called for all TCP segments and UDP packets for which no dissector has been found based on the port number and offered the opportunity to "claim" the packets.
Heuristic dissectors look at the data handed to them and try to determine whether it's a packet for their protocol or not, and:

    if so, dissect the packet and return TRUE, indicating that they've claimed it (so no other dissectors will be handed the packet);

    if not, return FALSE, so that some other dissector can possibly handle it.
As one might expect, there's no guarantee that a heuristic dissector will make the correct determination - they might incorrectly identify a packet as being for their protocol or incorrectly *fail* to identify a packet as being for their protocol.
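As an added illustration of the reply above (example code written for this page, not code from the post and not Wireshark's own packet-dcerpc.c or TCP dissector), here is a small C model of the claim/decline contract: a heuristic that sanity-checks a DCE/RPC connection-oriented PDU header (field layout per the DCE 1.1 RPC spec, C706 ch. 12), a second loose heuristic, and a dispatcher that either tries heuristics before the port-based match or only when no port-based dissector exists. The function names, the "try heuristics first" flag, and all sample byte strings are assumptions constructed for the example; the last sample shows the caveat that a header check can be fooled by unrelated bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The contract the post describes: inspect the bytes and either claim them
   (true) or decline (false). Wireshark's real API passes a tvbuff, a
   packet_info and a proto_tree; this model keeps only the decision. */
typedef bool (*heur_dissector_t)(const uint8_t *buf, size_t len);

struct heur_entry { const char *name; heur_dissector_t fn; };

static uint16_t read_u16(const uint8_t *p, bool little_endian)
{
    return little_endian ? (uint16_t)(p[0] | (p[1] << 8))
                         : (uint16_t)((p[0] << 8) | p[1]);
}

/* Simplified DCE/RPC connection-oriented (CO) header check, 16-byte header:
   rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep[4], frag_length,
   auth_length, call_id. Assumption: a model of what such a heuristic does,
   not Wireshark's code. */
static bool heur_dcerpc_co(const uint8_t *buf, size_t len)
{
    if (len < 16) return false;
    if (buf[0] != 5) return false;                 /* rpc_vers must be 5 */
    if (buf[1] > 1) return false;                  /* rpc_vers_minor: 0 or 1 */
    if (buf[2] > 19) return false;                 /* ptype: REQUEST(0)..ORPHANED(19) */
    uint8_t int_rep = buf[4] >> 4, char_rep = buf[4] & 0x0f;
    if (int_rep > 1 || char_rep > 1) return false; /* drep[0]: only 0/1 defined */
    bool le = (int_rep == 1);
    uint16_t frag_len = read_u16(buf + 8, le);
    uint16_t auth_len = read_u16(buf + 10, le);
    if (frag_len < 16 || frag_len > len) return false; /* PDU must fit the data */
    if (auth_len > frag_len - 16) return false;        /* trailer cannot exceed body */
    return true;                                       /* claim it */
}

static bool contains(const uint8_t *buf, size_t len, const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, s, n) == 0) return true;
    return false;
}

/* A deliberately loose second heuristic (constructed for the example) so the
   dispatcher has something to try after DCE/RPC declines. */
static bool heur_http(const uint8_t *buf, size_t len)
{
    static const char *methods[] = { "GET ", "POST ", "HEAD ", "PUT " };
    for (size_t i = 0; i < sizeof methods / sizeof *methods; i++) {
        size_t m = strlen(methods[i]);
        if (len >= m && memcmp(buf, methods[i], m) == 0)
            return contains(buf, len, "HTTP/1.");
    }
    return false;
}

/* Models the TCP-level decision described in the post. With
   try_heuristics_first the heuristic list runs before any port-based match;
   otherwise it runs only when no port-based dissector was found. Returns the
   name of the dissector that took the payload, or NULL if nobody claimed it.
   (The flag name is an assumption; it stands in for the TCP protocol setting.) */
static const char *dispatch_tcp(const uint8_t *buf, size_t len,
                                const char *port_dissector, bool try_heuristics_first)
{
    static const struct heur_entry heur_tcp[] = {
        { "dcerpc", heur_dcerpc_co },
        { "http",   heur_http },
    };
    if (!try_heuristics_first && port_dissector) return port_dissector;
    for (size_t i = 0; i < sizeof heur_tcp / sizeof *heur_tcp; i++)
        if (heur_tcp[i].fn(buf, len)) return heur_tcp[i].name; /* first claim wins */
    return port_dissector; /* may be NULL: no one wanted it */
}

/* Constructed samples (not real captures). */
/* CO REQUEST: vers 5.0, ptype 0, flags 0x03 (first|last frag), drep 0x10 (LE),
   frag_length 24, auth_length 0, call_id 1, alloc_hint 0, context_id 0, opnum 0. */
static const uint8_t sample_dcerpc[24] = {
    0x05,0x00,0x00,0x03, 0x10,0x00,0x00,0x00,
    0x18,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };
static const uint8_t sample_http[] = "GET / HTTP/1.1\r\n\r\n";
static const uint8_t sample_junk[] = "hello";
/* 16 bytes from some unrelated protocol that happen to pass every header
   check above: the false positive the post warns about. */
static const uint8_t sample_lookalike[16] = {
    0x05,0x00,0x00,0x00, 0x10,0x00,0x00,0x00,
    0x10,0x00,0x00,0x00, 0x42,0x42,0x42,0x42 };

int main(void)
{
    const char *r;
    r = dispatch_tcp(sample_dcerpc, sizeof sample_dcerpc, NULL, false);
    printf("dcerpc sample   -> %s\n", r ? r : "(unclaimed)");
    r = dispatch_tcp(sample_http, sizeof sample_http - 1, "smtp", false);
    printf("http on port 25 -> %s (port match wins)\n", r ? r : "(unclaimed)");
    r = dispatch_tcp(sample_http, sizeof sample_http - 1, "smtp", true);
    printf("http on port 25 -> %s (heuristics first)\n", r ? r : "(unclaimed)");
    r = dispatch_tcp(sample_junk, sizeof sample_junk - 1, NULL, false);
    printf("junk            -> %s\n", r ? r : "(unclaimed)");
    r = dispatch_tcp(sample_lookalike, sizeof sample_lookalike, NULL, false);
    printf("lookalike       -> %s (false positive)\n", r ? r : "(unclaimed)");
    return 0;
}
```

The lookalike case is the practical point of the last paragraph above: a header-shape check has nowhere near enough entropy to be a proof, so a heuristic claim on an unknown port should be read as "plausible", and a port-based or conversation-based match, where one exists, is the stronger signal.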