Hi all, I'm trying to dissect traffic for a custom ONC RPC protocol. I don't need anything fancy from Wireshark, I'd just like to see the packets involved as RPC packets so that I can see the RPC headers (rpc.program, rpc.procedure, etc.). I'm reading the packets in from a Sun Snoop format.

Wireshark never automatically detects any of my TCP RPC traffic as such... they show up as normal TCP packets. If I choose "Decode As..." and select RPC, only some of the packets show up as RPC, and all of these are "Continuation Data"... in other words there are no useful RPC structs parsed from it (which is probably correct, they are not the first packet containing RPC data in the stream). The TCP packets which I would expect represent the first packets in a procedure call are always rendered as plain TCP traffic. This leaves it to me to decode the RPC information manually, which is prohibitive.

Am I trying something obviously wrong, or does Wireshark not support RPC over TCP properly?

I've got a 13k communication session (not including the initial portmap calls) between two hosts talking RPC, which is an excerpt of the full 7 meg snoop input. I'm new to this list, so not sure what the email attachment policies are, but I'll try to attach it.

--
Aaron Gaudio
agaudio @ eng.mc.xerox.com
585-422-6876

One of the pleasures of reading old letters is the knowledge that they need no answer.
-- George Gordon, Lord Byron
Attachment: wireshark_rcp_packets.snoop (binary data)
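As an added illustration (not code from the post or from Wireshark), the following Python does the two things a dissector has to do to show rpc.program / rpc.procedure for RPC over TCP: reassemble the RFC 5531 record-marked fragments from the byte stream, then read the fixed CALL header fields from each complete record. The program number 0x20000001 and the sample stream are constructed for the example; the second check shows that a stream picked up after the record boundary cannot be decoded into a header, which is the position a dissector is in when it has not seen the start of the record.

```python
import struct

LAST_FRAG = 0x80000000  # high bit of the record-marking header (RFC 5531 s.11)

def split_records(stream):
    """Reassemble ONC RPC records from a TCP byte stream. Each fragment is
    prefixed by a 4-byte header: last-fragment flag plus 31-bit length."""
    records, buf, off = [], b"", 0
    while off + 4 <= len(stream):
        (hdr,) = struct.unpack("!I", stream[off:off + 4])
        length = hdr & 0x7FFFFFFF
        frag = stream[off + 4:off + 4 + length]
        if len(frag) < length:
            break  # fragment not yet complete; wait for more TCP data
        buf, off = buf + frag, off + 4 + length
        if hdr & LAST_FRAG:
            records.append(buf)
            buf = b""
    return records, stream[off:]  # complete records, unconsumed tail

def parse_call(record):
    """Fixed part of an RPC CALL header (RFC 5531 s.9): xid, msg_type,
    rpcvers, prog, vers, proc. Credentials, verifier and args follow."""
    if len(record) < 24:
        raise ValueError("record shorter than an RPC call header")
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", record[:24])
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC version 2 CALL")
    return {"xid": xid, "program": prog, "version": vers, "procedure": proc}

def build_call(xid, prog, vers, proc, args=b"", frag_size=None):
    """Constructed sample CALL with AUTH_NULL cred/verf (four zero words),
    optionally split into several record-marked fragments."""
    body = struct.pack("!6I", xid, 0, 2, prog, vers, proc) + bytes(16) + args
    size = frag_size or len(body)
    chunks = [body[i:i + size] for i in range(0, len(body), size)]
    out = b""
    for i, c in enumerate(chunks):
        flag = LAST_FRAG if i == len(chunks) - 1 else 0
        out += struct.pack("!I", flag | len(c)) + c
    return out

# Constructed stream: 0x20000001 is a hypothetical custom program number.
# The first call is split into three fragments, the second is a single one.
STREAM = (build_call(1, 0x20000001, 1, 7, struct.pack("!I", 42), frag_size=16)
          + build_call(2, 0x20000001, 1, 3))
```

Running `split_records(STREAM)` yields two records whose headers decode cleanly, while `split_records(STREAM[20:])` starts at a mid-record fragment and its first "record" fails `parse_call`.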