Wireshark-users: [Wireshark-users] Please help decode DCERPC packets between W2K, a DC, and an Ex

From: "Schlesinger, Philip" <pschlesinger@xxxxxxxxxxx>
Date: Thu, 17 Aug 2006 15:55:44 -0700
Title: Please help decode DCERPC packets between W2K, a DC, and an Exchange Server

Hi all.  We're trying to figure out why Outlook periodically freezes on the machines in our department (my company uses Exchange Server - either 2000 or 2003).  So I set up Wireshark to record data to two one-megabyte files in a ring - it has been running for days now. 

Today, I had a freeze-up, so I opened up a second Wireshark and peeked inside the newest log file.  My Outlook and Exchange appear to be just peachy keen one moment:

#3108
89.038216
Source <my IP>
Destination <exchange svr IP>
DCERPC Request: call_id:417 opnum: 11 ctx_id: 0

#3109
89.039143
Source <exchange svr IP>
Destination <my IP>
DCERPC Response: call_id:417 opnum: 11

And shortly thereafter:

#3145
90.803519
Source <my IP>
Destination <the company's domain controller>
DCERPC Request: call_id: 3 opnum: 12 ctx_id: 0
(note: I log into the company domain, but my computer is a member of a department domain, and that department domain trusts my company's domain)

#3171, #3238, #3371, #3447, and #3576 are all TCP Retransmissions of #3145

Finally, a TCP SYN command occurs (I've seen it in the past, but I set up too small of a log file size) and everything seems to kick back into gear.

Any ideas?

What's also weird is that the call to the company domain controller includes a line in the DCE RPC Request description: "[No bind info for this interface Context ID - capture start too late?]"

What does this mean?
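The unanswered call_id 3 and its string of retransmissions described above, as an added example that is not part of the original post: a Python script that correlates DCERPC requests with their responses from a `tshark -T fields` export and flags calls that were never answered despite repeated TCP retransmissions. The field names are real Wireshark fields; the sample lines, timestamps and addresses are constructed to mirror the frames in the post.

```python
# Added example: correlate DCERPC requests with responses in a tshark export.
# Expected input: tab-separated 'tshark -T fields' output carrying, in order,
#   frame.number frame.time_relative ip.src ip.dst dcerpc.pkt_type
#   dcerpc.cn_call_id dcerpc.opnum tcp.analysis.retransmission
REQUEST, RESPONSE = "0", "2"   # dcerpc.pkt_type: 0 = request, 2 = response

# Constructed sample modelled on the frames in the post (not a real capture).
# A retransmitted frame repeats the original PDU, so call_id and opnum match
# the first send and tcp.analysis.retransmission is "1".
SAMPLE = """\
3108\t89.038216\t10.1.1.50\t10.1.1.20\t0\t417\t11\t
3109\t89.039143\t10.1.1.20\t10.1.1.50\t2\t417\t11\t
3145\t90.803519\t10.1.1.50\t10.1.1.10\t0\t3\t12\t
3171\t91.107000\t10.1.1.50\t10.1.1.10\t0\t3\t12\t1
3238\t91.710000\t10.1.1.50\t10.1.1.10\t0\t3\t12\t1
3371\t92.920000\t10.1.1.50\t10.1.1.10\t0\t3\t12\t1
3447\t95.330000\t10.1.1.50\t10.1.1.10\t0\t3\t12\t1
3576\t100.150000\t10.1.1.50\t10.1.1.10\t0\t3\t12\t1
"""

def find_stalled_calls(text, min_retrans=3):
    """Unanswered requests with >= min_retrans retransmissions, as tuples of
    (client, server, call_id, opnum, first_frame, retransmissions, seconds)."""
    calls = {}                          # (client, server, call_id) -> state
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, t, src, dst, ptype, call_id, opnum, retrans = line.split("\t")
        t = float(t)
        if ptype == REQUEST:
            key = (src, dst, call_id)
            if retrans == "1" and key in calls:      # retry of a known call
                calls[key]["retrans"] += 1
                calls[key]["last"] = t
            else:                                    # first send of this call
                calls[key] = {"opnum": opnum, "frame": int(frame), "first": t,
                              "last": t, "retrans": 0, "answered": False}
        elif ptype == RESPONSE:
            key = (dst, src, call_id)                # response flows server -> client
            if key in calls:
                calls[key]["answered"] = True
    return [(c, s, cid, v["opnum"], v["frame"], v["retrans"],
             round(v["last"] - v["first"], 6))
            for (c, s, cid), v in calls.items()
            if not v["answered"] and v["retrans"] >= min_retrans]

if __name__ == "__main__":
    for hit in find_stalled_calls(SAMPLE):
        print("stalled: client=%s server=%s call_id=%s opnum=%s first_frame=%d "
              "retransmissions=%d stalled_for=%.3fs" % hit)
```

Run against a real export with `tshark -r capture.pcap -Y dcerpc -T fields -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e dcerpc.pkt_type -e dcerpc.cn_call_id -e dcerpc.opnum -e tcp.analysis.retransmission`; the call_id 417 exchange is answered and dropped, while call_id 3 to the domain controller is reported with five retransmissions.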