Wireshark-users: [Wireshark-users] Please help decode DCERPC packets between W2K, a DC, and an Ex

From: "Schlesinger, Philip" <pschlesinger@xxxxxxxxxxx>
Date: Thu, 17 Aug 2006 15:55:44 -0700
Title: Please help decode DCERPC packets between W2K, a DC, and an Exchange Server

Hi all.  We're trying to figure out why Outlook periodically freezes on the machines in our department (my company uses Exchange Server - either 2000 or 2003).  So I set up Wireshark to record data to two one-megabyte files in a ring - it has been running for days now. 

Today, I had a freeze-up, so I opened up a second Wireshark and peeked inside the newest log file.  My Outlook and Exchange appear to be just peachy keen one moment:

Source <my IP>
Destination <exchange svr IP>
DCERPC Request: call_id:417 opnum: 11 ctx_id: 0

Source <exchange svr IP>
Destination <my IP>
DCERPC Response: call_id:417 opnum: 11

And shortly thereafter:

Source <my IP>
Destination <the company's domain controller>
DCERPC Request: call_id: 3 opnum: 12 ctx_id: 0
(note: I log into the company domain, but my computer is a member of a department domain, and that department domain trusts my company's domain)

#3171, #3238, #3371, #3447, and #3576 are all TCP Retransmissions of #3145

Finally, a TCP SYN command occurs (I've seen it in the past, but I set up too small of a log file size) occurs and everything seems to kick back into gear. 

Any ideas?

What's also weird is that on the call to the company domain controller includes a line in the DCE RPC Request description: "[No bind info for this interface Context ID - capture start too late?]" 

What does this mean?