Wireshark-users: Re: [Wireshark-users] How is this DCERPC packet content interpreted?
It is padding.
The padding rules for NDR are somewhat complex but you can find all
about it in the DCE/RPC and NDR documentation.
Some recent MS interfaces also use NDR64 which again has slightly
different padding rules.
regards
ronnie sahlberg
On Fri, Feb 24, 2012 at 11:51 PM, rahul sharma <rahulatgslab@xxxxxxxxx> wrote:
> One more doubt. Please see the picture attached with the mail. Why is one
> byte left out without telling what it is??
> Its after the end of One Tower and before the starting of another tower...
>
>
> Thanks and Regards
> Rahul Sharma
>
>
> On Fri, Feb 24, 2012 at 12:42 PM, rahul sharma <rahulatgslab@xxxxxxxxx>
> wrote:
>>
>> Thank you Christian. Yup I got that.
>>
>> I have one more query. How do we read the protocol towers?? I know that
>> there are 5 columns and in 4 and 5, we have the port no. and IP address. But
>> suppose as per our previously attached PCAP file, when we have more than one
>> Towers, then what do the fields "Tower Array:", "Max Count", "Offset",
>> "Actual Count" signify and then they are also there for each subtower. How
>> to interpret it?? I couldn't find details about that in the DOC. Could
>> anyone help for this.
>>
>>
>> Thanks and Regards
>> Rahul Sharma
>>
>> On Thu, Feb 23, 2012 at 8:27 PM, Unuetzer, Christian (AMOS SE)
>> <christian.unuetzer@xxxxxxxxxx> wrote:
>>>
>>> Hi Rahul,
>>>
>>>
>>> there are two tower pointers with port# and IP addr!
>>> You can see the payload on the tcp level (for frame 1610 -- payload =240
>>> byte (see attached image as well))!
>>>
>>> Regards
>>> Christian
>>>
>>>
>>> __________________________________________
>>> Christian Unützer
>>>
>>>
>>>
>>> Allianz Managed Operations & Services SE
>>> ASIC Operations
>>> A-IT05NCV04 – Network Management & NZA-APA Services
>>> Gutenbergstraße 8
>>> 85774 Unterföhring, Germany
>>>
>>> Phone: +49 89 3800 18024
>>> Mobile: +49 89 8916304
>>> Fax: +49 89 3800 818024
>>> E-Mail: christian.unuetzer@xxxxxxxxxxx
>>>
>>>
>>>
>>>
>>>
>>> Allianz Managed Operations & Services SE: Vorsitzender des Aufsichtsrats
>>> / Chairman of the Supervisory Board: Dr. Christof Mascher. Vorstand / Board
>>> of Management: Sylvie Ouziel, Vorsitzende / Chairwoman; Dr. Rüdiger Schäfer,
>>> Dr. Ralf Schneider, Holger Werner (Stand / Release 02.2012). Sitz der
>>> Gesellschaft / Registered Office: München / Munich. Registergericht /
>>> Registration Court: München/Munich HRB 173 388. USt-Id-Nr./VAT ID Number: DE
>>> 815 001 893.
>>>
>>> Please note: This email and any files transmitted with it is intended
>>> only for the named recipients and may contain confidential and/or
>>> privileged information. If you are not the intended recipient, please do not
>>> read, copy, use or disclose the contents of this communication to others and
>>> notify the sender immediately. Then please delete the email and any copies
>>> of it. Thank you.
>>>
>>> P Please consider the environment before printing this e-mail.
>>>
>>>
>>>
>>> ________________________________
>>> Von: wireshark-users-bounces@xxxxxxxxxxxxx
>>> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] Im Auftrag von rahul sharma
>>> Gesendet: Donnerstag, 23. Februar 2012 14:12
>>> An: wireshark-users@xxxxxxxxxxxxx
>>> Betreff: [Wireshark-users] How is this DCERPC packet content interpreted?
>>>
>>> Hi All,
>>>
>>> I have attached an image file and a pcap file with the packets captured.
>>> You can see the packets by applying the filter "dcerpc" and see for packet
>>> no. 1610. I am unable to get how to see the payload of MSRPC and get the
>>> port_no and IP_Address exchanged in that packet. I need to write a code
>>> which will work for all DCERPC packets. Do help me in understanding the
>>> basic protocol format of DCERPC.
>>>
>>> Thanks and Regards
>>> Rahul Sharma
>>>
>>>
>>> ___________________________________________________________________________
>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>> Archives: http://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>
>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>
>>
>
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe