Ethereal-dev: [Ethereal-dev] Re: DCE RPC

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Mon, 30 May 2005 06:26:36 -0400
If HPOpenView is indeed using DCE/RPC
(i have only seen it use SNMP and ONC-RPC, never DCE/RPC) then
ethereal should automatically detect these packets as being DCE/RPC
already today.
Does it?

Ethereal will already today detect automatically all packets that are
DCE/RPC and will decode already the DCE/RPC layer.
Ethereal will however NOT decode the protocol transported on top of
DCERPC, instead it would show it as payload data inside the DCE/RPC
packet.

Does this traffic show up as DCE/RPC in ethereal?  It should if it is DCE/RPC.


I doubt it is DCE/RPC. Your customer might be mistaken.


It is very easy to spot whether some traffic is DCE/RPC or not. Can
you send me an example capture for such traffic?

If it is indeed DCE/RPC or ONC-RPC then in order to be able to
decode any of the data on top of the RPC layer you would need to reverse
engineer that protocol and write an IDL for that protocol. Without an
IDL it is not possible to decode the data.


A simple method to find out if it is DCE/RPC or not.
Is there any traffic to udp or tcp port 135 prior to the "DCE/RPC" traffic?
If there is no such traffic it is not DCE/RPC.

Is there any traffic to tcp or udp port 111 prior to these commands?
If so it is ONC-RPC not DCE/RPC.


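A triage script for the port-135 / port-111 rule described above, written as an added example; it is not code from the thread or from Ethereal. It goes beyond the message's port rule by also sanity-checking the first payload bytes of the flow against the connection-oriented DCE/RPC PDU header and the ONC-RPC call record; the `Packet` record and the sample captures are constructed for the example.

```python
import struct
from dataclasses import dataclass

EPMAP_PORT = 135    # DCE/RPC endpoint mapper (the thread's port 135 rule)
PORTMAP_PORT = 111  # ONC-RPC portmapper (the thread's port 111 rule)

@dataclass
class Packet:
    ts: float             # capture timestamp
    dport: int            # destination port
    payload: bytes = b""  # first transport payload bytes, if any

def looks_like_dcerpc_co(payload: bytes) -> bool:
    """Connection-oriented DCE/RPC PDU header: rpc_vers 5, minor 0 or 1, ptype in the
    defined range, frag_length >= the 16-byte header. drep[0] bit 0x10 = little-endian."""
    if len(payload) < 16:
        return False
    vers, minor, ptype = payload[0], payload[1], payload[2]
    frag_len = struct.unpack_from("<H" if payload[4] & 0x10 else ">H", payload, 8)[0]
    return vers == 5 and minor in (0, 1) and ptype <= 19 and frag_len >= 16

def looks_like_oncrpc_call(payload: bytes) -> bool:
    """ONC-RPC CALL over TCP: 4-byte record mark, then XID, msg_type 0, rpcvers 2."""
    if len(payload) < 16:
        return False
    _xid, msg_type, rpcvers = struct.unpack_from(">III", payload, 4)
    return msg_type == 0 and rpcvers == 2

def classify_flow(packets, flow_port, flow_start):
    """Verdict for the traffic sent to flow_port from flow_start onwards."""
    earlier = [p for p in packets if p.ts < flow_start]
    saw_epmap = any(p.dport == EPMAP_PORT for p in earlier)
    saw_portmap = any(p.dport == PORTMAP_PORT for p in earlier)
    first = next((p.payload for p in packets
                  if p.ts >= flow_start and p.dport == flow_port and p.payload), b"")
    if looks_like_dcerpc_co(first) and saw_epmap:
        return "dcerpc"
    if looks_like_oncrpc_call(first) and saw_portmap:
        return "oncrpc"
    if looks_like_dcerpc_co(first) or looks_like_oncrpc_call(first):
        return "unconfirmed"  # RPC-shaped header but no rendezvous seen: check by hand
    return "not-rpc"

# Constructed sample captures (not real traffic): a DCE/RPC bind PDU after an
# endpoint-mapper request, an ONC-RPC call after a portmapper request, and an
# SNMP-then-HTTP capture that matches neither rule.
BIND_PDU = bytes.fromhex("05000b03 10000000 4800 0000 01000000")
ONC_CALL = bytes.fromhex("80000028 12345678 00000000 00000002")
DCERPC_CAPTURE = [Packet(1.0, 135, BIND_PDU), Packet(2.0, 49152, BIND_PDU)]
ONCRPC_CAPTURE = [Packet(1.0, 111, ONC_CALL), Packet(2.0, 2049, ONC_CALL)]
OTHER_CAPTURE = [Packet(1.0, 161, b"\x30\x26\x02\x01"), Packet(2.0, 8080, b"GET / HTTP/1.1\r\n\r\n")]

if __name__ == "__main__":
    for name, cap, port in [("A", DCERPC_CAPTURE, 49152), ("B", ONCRPC_CAPTURE, 2049), ("C", OTHER_CAPTURE, 8080)]:
        print(name, classify_flow(cap, port, 2.0))
```

A service on a fixed, well-known port can be reached without an endpoint-mapper lookup, so "unconfirmed" means the header looks like RPC but the capture lacks the rendezvous traffic the rule expects; treat it as a prompt to open the flow in the dissector rather than as a negative.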

On 5/30/05, Bhatia, Deepak <Deepak.Bhatia@xxxxxxxxx> wrote:
> Hi Ronnie,
>  
> We are sure that HpOpenView uses DCE RPC for communicating between
> HpOpenView Manager (Client) and N-Agents (Servers). This is what the
> customer is asking for.
>  
> What our customer is asking is for us to produce the DCE RPC packets which
> use a TCP/UDP-specific port number. Hence they ask us to determine the
> TCP/UDP port number and get the protocol data exchanged on those port
> numbers.
>  
> I understand that Client and Server Applications use RPC mechanism in which
> they exchange RPC Procedures with their set of parameters. The IDL is used
> to generate the RPC Procedures.
>  
> So you mean we need to know what RPC Procedures and parameters for these
> procedures are used by the
> protocol on the top of DCE/RPC.
>  
> Regards
>  
> Deepak Bhatia
> 
> ________________________________
> 
> From: ethereal-dev-bounces@xxxxxxxxxxxx on behalf of ronnie sahlberg
> Sent: Mon 5/30/2005 2:17 PM
> To: Bhatia, Deepak
> Cc: Ethereal development
> Subject: Re: [Ethereal-dev] Re: DCE RPC
> 
> 
> 
> Previously you said you wanted to replay recorded DCE command
> sequences, now you say you want to decode DCE packets for a certain
> DCE interface?
> 
> You do not want to add this as a decode/dissector module for ethereal?
> so to what tool/application do you plan to add this feature?
> 
> Anyway, if you change your mind and want to add decode of these
> packets to ethereal what you need to do is :
> 1, reverse engineer the protocol used on top of DCE/RPC. I.e. not
> DCE/RPC but the protocol used on top of DCE/RPC
> 2, use the reverse engineered data and produce an IDL protocol
> interface description file.
> 3, use an idl compiler to compile the IDL definition into an ethereal
> decoder/dissector.
> 
> 
> I seriously doubt that HPOpenView is using DCE/RPC.
> 
> 
> On 5/30/05, Bhatia, Deepak <Deepak.Bhatia@xxxxxxxxx> wrote:
> > No we don't want to build a module for ethereal. We have an application
> > called HP Openview which uses application layer protocol DCE RPC to
> > communicate.
> >
> > Now we have traces which are communication between HP Openview client
> > (Network Manager) and HP Openview server (Agents).
> >
> > Our plugin should be able to decode the DCE RPC protocol communication
> > traces between Network Manager and Agent.
> >
> > Regards
> >
> > Deepak Bhatia
> >
> > ________________________________
> >
> > From: ethereal-dev-bounces@xxxxxxxxxxxx on behalf of ronnie sahlberg
> > Sent: Mon 5/30/2005 1:31 PM
> > To: Bhatia, Deepak
> > Cc: Ethereal development
> > Subject: Re: [Ethereal-dev] Re: DCE RPC
> >
> >
> >
> > ok,
> >
> > so what you essentially want to do is
> > build a module for ethereal that can replay recorded DCERPC sequences
> > to a DCERPC server.
> >
> > I assume this is in order to replay DCERPC transactions between a host
> > running the PSR application and either a windows host or a unix dce/dfs
> > implementation.
> > (since these are the only widely used DCE implementations today in
> > existence (well unix dce/dfs is not exactly in wide use but anyway).
> >
> > This is virtually impossible.
> > In both cases  before you can issue or replay any commands whatsoever
> > to the DCE endpoint you must authenticate.
> > Authentication involves in both cases generation of GSS-KRB tokens
> > which is impossible unless you know the plaintext password or have
> > access to (in the case of dce/dfs) the keytab file for the host.
> >
> > GSS-KRB has replay protection so it is just not possible to replay a
> > captured authentication token. GSS-KRB would be pointless if it didn't.
> >
> >
> > The only way in theory that would work would be to
> > start by a full blown dce implementation, then add a lot of code to
> > intercept and decode all data structures.
> > Then using the plaintext password (which can not be extracted from
> > the capture) generate completely new authentication tokens,
> > remarshalling the packets etc.
> >
> > It is just impossible to replay DCE sessions.
> >
> >
> >
> > Why do you want to replay DCE sessions?
> > Without knowing the plaintext password of the host whose traffic you
> > want to replay  or the secret keytab file of that host,    any and all
> > replaying of packets would be equivalent to launching a flood ping to
> > the receiving host.
> >
> >
> >
> >
> >
> >
> > On 5/30/05, Bhatia, Deepak <Deepak.Bhatia@xxxxxxxxx> wrote:
> > >
> > > Hi Ronnie,
> > >
> > > Below mentions what I intend to do... Regards Deepak
> > >
> > > A key component of the is the Protocol Sequence Replayer (PSR). The job
> > > of the PSR is to take a set of recorded traces and create a replay
> > > sequence against a machine similar to the destination system in the
> > > protocol sequences.
> > >
> > > The first task requires the ability to decode all protocol fields in the
> > > various packet types used in the DCE RPC protocol.
> > >
> > > This implies reverse-engineering these fields for protocols that are not
> > > fully or adequately documented.
> > >
> > > Typically, these are the protocols that are embedded in widely used
> > > software, such as the various versions of the Windows operating system,
> > > the various versions of the Linux operating system, Oracle database
> > > software etc.
> > >
> > > The second task requires understanding which fields in the protocol are
> > > Dynamic Session Variables. A dynamic session variable is a field whose
> > > value may change in multiple identical runs of the same protocol
> > > sequence. Examples of dynamic session variables include the dynamically
> > > assigned TCP port for FTP data channels, session or transaction IDs in
> > > RPC or database protocols, dynamically assigned ports in RPC protocols,
> > > etc. Once a set of DSVs have been identified for a protocol, the plug-in
> > > needs to be able to dynamically substitute these values from recorded
> > > traces into the packets that are sent for replay based on the
> > > requirements of the protocol.
> > >
> > > Regards
> > >
> > > Deepak Bhatia
> > >
> > >
> > >
> > >
> > > ________________________________
> > >
> > > From: ethereal-dev-bounces@xxxxxxxxxxxx on behalf of ronnie sahlberg
> > > Sent: Sun 5/29/2005 11:45 AM
> > > To: Ethereal development
> > > Subject: [Ethereal-dev] Re: DCE RPC
> > >
> > >
> > >
> > > What are you planning to do?
> > > Your question seems to indicate you want to build a freestanding
> > > dce/rpc implementation, something that is impossible with the ethereal
> > > code.
> > >
> > > Yes, ethereal does contain dce/rpc code, lots of it.
> > > However, the problem space ethereal faces is vastly different from a
> > > freestanding dce implementation, thus the dce support in ethereal is
> > > factored to only address the very limited requirements of ethereal.
> > > The ethereal dce implementation is a very reduced functionality
> > > implementation that is focused on ONLY providing unmarshalling of data
> > > and nothing else.
> > > It does this quite well however, but a full implementation of dce
> > > mandates a completely different implementation.
> > >
> > > Full dce and runtime is a major undertaking, I estimate it would take
> > > for someone good and very experienced in dce about 2 man years to
> > > build.
> > > 20+ man years if the implementors are not very good or not familiar
> > > with dce.
> > > Compare this with the adapted-to-ethereals-problem-space
> > > implementation of base dce that only took ~6 man months all in all to
> > > write, including a whole bunch of actual dce interfaces/protocols.
> > >
> > >
> > > Ethereal's dce source code can be used to implement a dce dissector for
> > > ethereal, no more no less. If you want to do anything beyond building a
> > > dce-interface dissector for ethereal, the source code for dce in
> > > ethereal is of no use for you.
> > >
> > >
> > > please qualify your question:
> > > exactly what do you want to do with the source code in ethereal for DCE?
> > > 1,  build a dissector for a dce interface for ethereal? yes that is
> > > easy.
> > > 2,  build a dce runtime and environment to interact in a dce
> > > environment? no that is impossible.
> > >
> > > Ethereal source code for dce is complete enough for ethereal
> > > unmarshalling-only use and can even handle full pointers properly,
> > > something which not even MS implementation can do.
> > > But it is factored and limited in such a way that any use beyond that
> > > is impossible.
> > >
> > >
> > > If you want a full freestanding dce implementation   that actually
> > > talks and interacts in a dce environment it is better to start from
> > > scratch.
> > > (yes, Guy mentioned the now released full implementation from
> > > TheOpenGroup but if you look at that code that is designed by committee
> > > it is still quicker to start from scratch and probably better
> > > quality as well unless your developers have suboptimal experience)
> > > ((my brain is still hurting from looking briefly at the DCE code from
> > > them a few years ago))
> > >
> > >
> > > On 5/29/05, Bhatia, Deepak <Deepak.Bhatia@xxxxxxxxx> wrote:
> > > > Hi,
> > > >
> > > > I am not able to understand "but only for unmarshalling
> > > > of dce interfaces" ?
> > > >
> > > > Regards
> > > >
> > > > Deepak
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: ethereal-dev-bounces@xxxxxxxxxxxx on behalf of Bhatia, Deepak
> > > > Sent: Fri 5/27/2005 3:57 PM
> > > > To: ronnie sahlberg; Ethereal development
> > > > Subject: RE: [Ethereal-dev] Re: DCE RPC
> > > >
> > > > Hi,
> > > >
> > > > Can we get the protocol parameters by unmarshalling the dce rpc
> > > > interfaces and can do dissection of the protocol ?
> > > >
> > > > Regards
> > > >
> > > > Deepak Bhatia
> > > >
> > > > -----Original Message-----
> > > > From: ethereal-dev-bounces@xxxxxxxxxxxx
> > > > [mailto:ethereal-dev-bounces@xxxxxxxxxxxx]On Behalf Of ronnie sahlberg
> > > > Sent: Friday, May 27, 2005 3:55 PM
> > > > To: Ethereal development
> > > > Subject: [Ethereal-dev] Re: DCE RPC
> > > >
> > > >
> > > > yes,
> > > > but only for unmarshalling of dce interfaces.
> > > >
> > > > it can not be used for a freestanding implementation since the
> > > > standard runtime and marshalling has not been implemented and would
> > > > be useless bloat for ethereal anyway.
> > > >
> > > >
> > > > On 5/27/05, Bhatia, Deepak <Deepak.Bhatia@xxxxxxxxx> wrote:
> > > > > Hi,
> > > > >
> > > > > Do we have source code available for DCE RPC in ethereal ?
> > > > >
> > > > > Regards
> > > > >
> > > > > Deepak Bhatia
> > > > > Software Consultant
> > > > > Patni Computer Systems Limited
> > > > > A-39/40, Sector 16, Noida, 201301
> > > > > Ph. 91 120 2516 880-3
> > > > > Fax. 91 120 2516 890
> > > > > Mobile. 91 98111 96957
> > > > >
> > > > >
> > > > > http://www.patni.com
> > > > > World-Wide Partnerships. World-Class Solutions.
> > > > >
> > > > > _____________________________________________________________________
> > > > >
> > > > > This e-mail message may contain proprietary, confidential or legally
> > > > > privileged information for the sole use of the person or entity to
> > > > > whom this message was originally addressed. Any review, e-transmission
> > > > > dissemination or other use of or taking of any action in reliance upon
> > > > > this information by persons or entities other than the intended
> > > > > recipient is prohibited. If you have received this e-mail in error
> > > > > kindly delete this e-mail from your records. If it appears that this
> > > > > mail has been forwarded to you without proper authority, please notify
> > > > > us immediately at Netadmin@xxxxxxxxx and delete this mail.
> > > > >
> > > > > _____________________________________________________________________
> > > > >
> > > > >
> > > >
> > > > _______________________________________________
> > > > Ethereal-dev mailing list
> > > > Ethereal-dev@xxxxxxxxxxxx
> > > > http://www.ethereal.com/mailman/listinfo/ethereal-dev
> > > >
> > >
> >
> 