On Tue, Jul 31, 2001 at 04:35:17AM +0000, Eric P Liedtke wrote:
> It's obvious without seeing the initial portmapper
> requests back and forth the decoder won't know for sure it's looking at an
> RPC packet
Ethereal doesn't remember what it sees in portmapper replies.
Instead, it identifies ONC RPC messages by looking at the contents of
the packet, checking

  - a 4-byte type value of 0 (call) or 1 (reply) at the offset where
    that should appear;

  - a 4-byte value of 2 following it (the current version of the ONC
    RPC protocol);

  - in a call, a program number that's one of the ones Ethereal
    knows about, and in a reply, a transaction ID that matches a
    call Ethereal has seen earlier.

This means that if the packet is an ONC RPC call for a protocol for
which Ethereal *doesn't* have a dissector, it won't recognize it as an
ONC RPC call. (Yes, I know, snoop recognizes those; I don't know
whether it uses a check solely for the call/reply type value and a
version number of 2, which seems a bit too likely to misidentify packets
as ONC RPC packets, or uses some fancier check.)
I.e., Ethereal isn't a good tool for dissecting ONC RPC; it's a tool for
dissecting some of the protocols that run *atop* ONC RPC, e.g. NFS, NIS,
NIS+, portmapper/rpcbind, NLM, mount, etc.
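The heuristic described above, written out as an added Python example (not Ethereal's own code): a call is accepted only if the RPC version is 2 and the program number is in a small table of the protocols named in the message, a reply only if its transaction ID matches a call seen earlier. The sample payloads are constructed; the program numbers are the standard ONC RPC assignments.

```python
import struct

# Program numbers for the protocols the message lists (standard assignments).
KNOWN_PROGRAMS = {
    100000: "portmapper/rpcbind",
    100003: "NFS",
    100004: "NIS",
    100005: "mount",
    100021: "NLM",
    100300: "NIS+",
}
MSG_CALL, MSG_REPLY = 0, 1
RPC_VERSION = 2


class RpcHeuristic:
    """Stateful check: calls matched by program number, replies by xid."""

    def __init__(self):
        self.pending = {}  # xid -> program number of a call seen earlier

    def classify(self, payload, offset=0):
        """Return ('call', prog) / ('reply', prog), or None if not recognised.
        offset is where the RPC header starts (0 for UDP; 4 for TCP, after the
        record mark)."""
        if len(payload) < offset + 12:
            return None
        xid, msg_type, third = struct.unpack_from(">III", payload, offset)
        if msg_type == MSG_CALL:
            # In a CALL the word after msg_type is rpcvers, then prog.
            if third != RPC_VERSION or len(payload) < offset + 16:
                return None
            prog = struct.unpack_from(">I", payload, offset + 12)[0]
            if prog not in KNOWN_PROGRAMS:
                return None  # no dissector for this program: not treated as RPC
            self.pending[xid] = prog
            return ("call", prog)
        if msg_type == MSG_REPLY:
            # In a REPLY the word after msg_type is reply_stat, not a version,
            # so the reply is tied to its call through the xid alone.
            prog = self.pending.get(xid)
            return ("reply", prog) if prog is not None else None
        return None


def _call(xid, prog, vers, proc):
    # xid, CALL, rpcvers, prog, vers, proc, AUTH_NULL cred, AUTH_NULL verf
    return struct.pack(">10I", xid, MSG_CALL, RPC_VERSION, prog, vers, proc, 0, 0, 0, 0)


def _reply(xid):
    # xid, REPLY, MSG_ACCEPTED, AUTH_NULL verf, SUCCESS
    return struct.pack(">6I", xid, MSG_REPLY, 0, 0, 0, 0)


# Constructed sample payloads (UDP, so the header starts at offset 0).
CALL_PORTMAP = _call(0x1234, 100000, 2, 3)   # portmapper GETPORT call
REPLY_PORTMAP = _reply(0x1234)               # its reply
CALL_UNKNOWN = _call(0x5678, 123456, 1, 1)   # program with no dissector
REPLY_ORPHAN = _reply(0x9999)                # reply with no earlier call
```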