Wireshark-users: Re: [Wireshark-users] DCERPC over TCP
From: Bill Meier <wmeier@xxxxxxxxxxx>
Date: Mon, 19 Dec 2011 21:20:49 -0500
On 12/19/2011 8:43 PM, Andrej van der Zee wrote:
Hi,

I was wondering how Wireshark detects DCERPC over TCP. I was under the
impression that Wireshark uses fixed TCP port numbers for this. But I
am looking at a TCP stream that, right after the connection is
established on TCP port 1207, shows DCERPC packets. Although TCP port
1207 is an IANA registered port for "metasaga", Googling for it
doesn't give me much. So now I am doubting if Wireshark really uses
fixed port numbers for DCERPC over TCP, and if so, where can I find
the list of port numbers it uses (there is no input field in
Wireshark's Preferences as there is for HTTP)?



The dcerpc dissector registers itself as a TCP heuristic dissector (among other registrations).

This means that when/if called by the tcp dissector, the dcerpc dissector looks at the data handed to it to determine if the data looks like dcerpc.

See the epan/dissectors/packet-dcerpc.c for the exact details if you're interested.

Note that the TCP dissector has a preference to:

"Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port",