Ethereal-users: Re: [Ethereal-users] RPC Question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 30 Jul 2001 22:27:29 -0700
On Tue, Jul 31, 2001 at 04:35:17AM +0000, Eric P Liedtke wrote:
> It's obvious without seeing the initial portmapper
> requests back and forth the decoder won't know for sure it's looking at an
> RPC packet

Ethereal doesn't remember what it sees in portmapper replies.

Instead, it identifies ONC RPC messages by looking at the contents of
the packet, checking

	a 4-byte type value of 0 (call) or 1 (reply) at the offset where
	that should appear;

	a 4-byte value of 2 following it (the current version of the ONC
	RPC protocol);

	in a call, a program number that's one of the ones Ethereal
	knows about, and in a reply, a transaction ID that matches a
	call Ethereal has seen earlier.

This means that if the packet is an ONC RPC call for a protocol for
which Ethereal *doesn't* have a dissector, it won't recognize it as an
ONC RPC call.  (Yes, I know, snoop recognizes those; I don't know
whether it uses a check solely for the call/reply type value and a
version number of 2, which seems a bit too likely to misidentify packets
as ONC RPC packets, or uses some fancier check.)

I.e., Ethereal isn't a good tool for dissecting ONC RPC; it's a tool for
dissecting some of the protocols that run *atop* ONC RPC, e.g. NFS, NIS,
NIS+, portmapper/rpcbind, NLM, mount, etc.
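
The three checks described in the message, written out as an added example (not Ethereal's code and not part of the original post). It assumes UDP framing with no record mark and the RFC 5531 header layout, in which the RPC version word follows the type in a call; the program table and the names `classify_rpc` and `classify_fields` are hypothetical, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { NOT_RPC, RPC_CALL, RPC_REPLY };
/* Sample of well-known program numbers: portmapper, NFS, NIS, mount, NLM. */
static const uint32_t known_progs[] = { 100000, 100003, 100004, 100005, 100021 };
static uint32_t seen_xids[64];   /* XIDs of calls recognized so far (fixed-size sample table) */
static size_t n_seen;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify one UDP payload: xid at offset 0, message type at offset 4. */
int classify_rpc(const uint8_t *buf, size_t len) {
    if (len < 8) return NOT_RPC;
    uint32_t xid = be32(buf), type = be32(buf + 4);
    if (type == 0) {                         /* candidate call */
        if (len < 16 || be32(buf + 8) != 2)  /* RPC version must be 2 */
            return NOT_RPC;
        uint32_t prog = be32(buf + 12);
        for (size_t i = 0; i < sizeof known_progs / sizeof known_progs[0]; i++)
            if (known_progs[i] == prog) {
                if (n_seen < 64) seen_xids[n_seen++] = xid;
                return RPC_CALL;
            }
        return NOT_RPC;                      /* valid call, unknown program: missed */
    }
    if (type == 1)                           /* candidate reply: needs a matching call */
        for (size_t i = 0; i < n_seen; i++)
            if (seen_xids[i] == xid) return RPC_REPLY;
    return NOT_RPC;
}

/* Constructed input: serialize four header words big-endian and classify them. */
int classify_fields(uint32_t xid, uint32_t type, uint32_t w2, uint32_t w3) {
    uint32_t w[4] = { xid, type, w2, w3 };
    uint8_t buf[16];
    for (int i = 0; i < 16; i++) buf[i] = (uint8_t)(w[i / 4] >> (24 - 8 * (i % 4)));
    return classify_rpc(buf, sizeof buf);
}

int main(void) {
    printf("NFS call: %d\n", classify_fields(0x1234, 0, 2, 100003));
    printf("its reply: %d\n", classify_fields(0x1234, 1, 0, 0));
    printf("unknown-program call: %d\n", classify_fields(0x5555, 0, 2, 300999));
    return 0;
}
```

The last constructed header is a well-formed call whose program number is not in the table, so it and any reply carrying its XID are classified as non-RPC, which is the blind spot the message describes.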