I need to compare connection session of 2 OPC DA clients connecting to a remote server. Under the hood they uses DCOM and DCE RPC. Fortunately, WireShark provides dcerpc dissector, but it doesn't decode stub data.
Asked
Active
Viewed 1,723 times
1 Answers
2
I don't think it can. NDR (the data format used by DCE RPC) is not "self-describing" – there's nothing in the payload that would distinguish an int32 from a float from a uint8[4]. This means Wireshark needs a specific sub-dissector for each interface that it needs to dissect (e.g. it has individual dissectors for the various Active Directory MS-RPC interfaces), recognizing them by looking at the UUID in the 'Bind' packet.
In this case it seems that although Wireshark has a partial dissector for IOXIDResolver (packet-dcom-oxid.c), it only supports dissecting the response of RPC opnum 5 (apparently 'ServerAlive2') but not the request, so it leaves the remaining payload as raw data.
grawity
- 501,077