Wireshark-dev: Re: [Wireshark-dev] decoding Remote Desktop Protocol
From: "DePriest, Jason R." <[email protected]>
Date: Wed, 24 Oct 2007 15:55:27 -0500
What I have found is that Microsoft's Netmon 3.1 has some "parsers"
for parts of RDP.

The parser files seem to be chained so that you can't get to RDP
without going through TCP first.  The TCP filter has a case statement
that tells it where to look next, I think.

It breaks down the different parts of the RDP communication as: RDP,
TCP, X224, and T125.
The only real dissector is X224.  The others (beside TCP which handles
the headers and the rest is just 'data') just look like placeholders
(called Stub Parsers).

The RDP file actually has a couple of things in it, but not much.

The comments section in the X224 parser references ISO 8073 and ITU
X224, neither of which I could find an ASN.1 reference for.

The parser files are plain-text with no sort of licensing information
in them.  How likely is it that I would get in trouble for posting
them to this list?  I'll do some more reading before venturing into

If you are interested, just go download and install Microsoft Network
Monitor 3.1 (http://blogs.technet.com/netmon/archive/2007/07/02/network-monitor-3-1-has-released.aspx
for info or http://www.microsoft.com/downloads/details.aspx?familyid=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&displaylang=en
to just download) and look in the \Program Files\Microsoft Network
Monitor 3\NPL directory.

There are also stub parser files for a bunch of sub-pieces of RPD that
I guess the RDP parser would reference in a case statement of its own.
RDPPnp - Plug and Play Devices Virtual Channel
RDPXps - XML Paper Specification (XPS) Print Virtual Channel
RDPDyc - Dynamic Channel Virtual Channel
RDPCr - Composited Remoting Protocol


On 10/24/07, ronnie sahlberg <> wrote:
> I think RDP is just using T.126 with some extra extensions.
> As far as I recall it is using the old legacy encoding and not ASN PER.
> I did find some documentation about this a long time ago but never had
> any traces/nor real interest in implementing it.
> It should be possible to find the T.126 family as well as the old
> legacy encoding through google.
> (the old legacy encoding means the dissector has to be written by hand
> since asn2wrs can not be used)
> On 10/25/07, DePriest, Jason R. <> wrote:
> > After Tenable announced that they are going to have operating system
> > detection based on Remote Desktop fingerprinting available to Direct
> > Feed customers (http://blog.tenablesecurity.com/2007/10/windows-operati.html),
> > I thought it would be great to figure out how they are doing that.
> >
> > Unfortunately, I can't seem to locate any good technical documentation
> > on how RDP does what it does.
> >
> > I considered looking at the linux programs that use it (rdesktop) and
> > trying to read their code, but I don't write code myself so it would
> > be hit or miss.
> >
> > RDP is Microsoft's baby and I don't know where to look for in depth docs on it.
> >
> > Does anyone have a link or two to some helpful stuff that would help
> > me break the code?  Or will I just need to figure it the hard way?
> >
> > Thanks!
> >
> > -Jason