Re: How is this DCERPC packet content interpreted?

[ronnie sahlberg <ronniesahlberg () gmail com>]

It is padding.

The padding rules for NDR are somewhat complex but you can find all
about it in the DCE/RPC and NDR documentation.

Some recent MS interfaces also use NDR64 which again has slightly
different padding rules.


regards
ronnie sahlberg


On Fri, Feb 24, 2012 at 11:51 PM, rahul sharma <rahulatgslab () gmail com> wrote:
> One more doubt. Please see the picture attached with the mail. Why is one
> byte left out without telling what it is??
> Its after the end of One Tower and before the starting of another tower...
>
>
> Thanks and Regards
> Rahul Sharma
>
>
> On Fri, Feb 24, 2012 at 12:42 PM, rahul sharma <rahulatgslab () gmail com>
> wrote:
> > Thank you Christian. Yup I got that.
> >
> > I have one more query. How do we read the protocol towers?? I know that
> > there are 5 columns and in 4 and 5, we have the port no. and IP address. But
> > suppose as per our previously attached PCAP file, when we have more than one
> > Towers, then what do the fields "Tower Array:", "Max Count", "Offset",
> > "Actual Count" signify and then they are also there for each subtower. How
> > to interpret it?? I couldn't find details about that in the DOC. Could
> > anyone help for this.
> >
> >
> > Thanks and Regards
> > Rahul Sharma
> >
> > On Thu, Feb 23, 2012 at 8:27 PM, Unuetzer, Christian (AMOS SE)
> > <christian.unuetzer () allianz de> wrote:
> > > Hi Rahul,
> > >
> > >
> > > there are two tower pointers with port# and IP addr!
> > > You can see the payload on the tcp level (for frame 1610 -- payload =240
> > > byte (see attached image as well))!
> > >
> > > Regards
> > > Christian
> > >
> > >
> > > __________________________________________
> > > Christian Unützer
> > >
> > >
> > >
> > > Allianz Managed Operations & Services SE
> > > ASIC Operations
> > > A-IT05NCV04 – Network Management & NZA-APA Services
> > > Gutenbergstraße 8
> > > 85774 Unterföhring, Germany
> > >
> > > Phone:    +49 89 3800 18024
> > > Mobile:     +49 89 8916304
> > > Fax:          +49 89 3800 818024
> > > E-Mail:     christian.unuetzer () allianz com
> > >
> > >
> > >
> > >
> > >
> > > Allianz Managed Operations & Services SE: Vorsitzender des Aufsichtsrats
> > > / Chairman of the Supervisory Board: Dr. Christof Mascher. Vorstand / Board
> > > of Management: Sylvie Ouziel, Vorsitzende / Chairwoman; Dr. Rüdiger Schäfer,
> > > Dr. Ralf Schneider, Holger Werner (Stand / Release 02.2012). Sitz der
> > > Gesellschaft / Registered Office: München / Munich. Registergericht /
> > > Registration Court: München/Munich HRB 173 388. USt-Id-Nr./VAT ID Number: DE
> > > 815 001 893.
> > >
> > > Please note: This email and any files transmitted with it is intended
> > > only for the named recipients and may contain confidential and/or
> > > privileged information. If you are not the intended recipient, please do not
> > > read, copy, use or disclose the contents of this communication to others and
> > > notify the sender immediately. Then please delete the email and any copies
> > > of it. Thank you.
> > >
> > > P Please consider the environment before printing this e-mail.
> > >
> > >
> > >
> > > ________________________________
> > > Von: wireshark-users-bounces () wireshark org
> > > [mailto:wireshark-users-bounces () wireshark org] Im Auftrag von rahul sharma
> > > Gesendet: Donnerstag, 23. Februar 2012 14:12
> > > An: wireshark-users () wireshark org
> > > Betreff: [Wireshark-users] How is this DCERPC packet content interpreted?
> > >
> > > Hi All,
> > >
> > > I have attached an image file and a pcap file with the packets captured.
> > > You can see the packets by applying the filter "dcerpc" and see for packet
> > > no. 1610. I am unable to get how to see the payload of MSRPC and get the
> > > port_no and IP_Address exchanged in that packet. I need to write a code
> > > which will work for all DCERPC packets. Do help me in understanding the
> > > basic protocol format of DCERPC.
> > >
> > > Thanks and Regards
> > > Rahul Sharma
> > >
> > >
> > > ___________________________________________________________________________
> > > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > >
> > > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe