Ethereal-users: Re: [Ethereal-users] How to analyze the transactions of RPC services that are lo

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>
Date: Fri, 21 Mar 2003 06:51:19 +1100
Please also note that in Ethereal, the ONC-RPC dissector is a heuristic
dissector; this means that it will ONLY consider a packet being ONC-RPC
(and decode it as such) if it recognizes the PDU as looking like what it
expects ONC-RPC to look like.

One caveat with this is that one such thing it looks for when deciding
whether something is ONC-RPC or not is the offset where the RPC program
number is stored.
Ethereal will ONLY decode something as ONC-RPC if it can recognize and knows
about the program number.

Since you mention "different components of our software" this may mean that
you use a proprietary application protocol with a private program number
that Ethereal does not know about.
In that case Ethereal will not display these packets as even being RPC; it
will just display them as being UDP (unless it can see the portmapper call).
Even if the actual application protocol is not available you can still add
the functionality to Ethereal to decode the ONC-RPC layer itself and tag the
packets with a protocol name, even if it will not decode the application
protocol itself.

This is VERY easy to do if you are willing to compile the source code
yourself:
Copy and modify packet-clearcase.c to use the proper program number and
replace the name with your protocol name.
Update the makefiles to compile and link with packet-<yournewprotocol>.c


If you want to decode the actual application PDUs as well, this is also not
too complicated.
See some of the smaller ONC-RPC application protocol decoders for examples
on how to decode ONC-RPC based application protocols. For example: NLM,
MOUNT, YP*.




From: Kailasanathan_Ram
Sent: Friday, March 21, 2003 6:25 AM
Subject: [Ethereal-users] How to analyze the transactions of RPC services that are located in the same box


> Hi all,
>
> I am trying to analyze the traffic between different components of our
> software that are located on the same box (analyzing the
> traffic within the same box; source and dest IP addresses are the same).
> We use RPC protocol for communication. What filter should I specify to see
> the traffic happening within the same box (same IP addresses
> or same host)?
> Since we use UDP as the transport level protocol, I have tried "not tcp" as
> filter. This shows all the relevant traffic between different hosts
> but it doesn't show me the traffic within the same box. Is it possible to
> analyze the traffic happening within the same box where
> the source and destination IP addresses are the same using Ethereal?
>
> Thanks,
> Ram
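
The heuristic described in the reply above (a UDP payload is only treated as ONC-RPC when the program number at its fixed offset is known), as an added C example that is not part of the original thread and is not Ethereal's dissector code. The helper names `register_prog` and `classify_rpc_call`, the protocol name MYPROTO and the private program number 0x20000099 are assumptions made for illustration; the sample payloads are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Program table: well-known ONC-RPC numbers, with room for private ones. */
struct rpc_prog { uint32_t number; const char *name; };
static struct rpc_prog known_progs[8] = {
    { 100000, "PORTMAP" }, { 100003, "NFS" }, { 100004, "YPSERV" },
    { 100005, "MOUNT" },   { 100021, "NLM" },
};
static size_t n_known = 5;

/* Read a 32-bit big-endian (XDR) integer. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: make a private program number known. 0 on success. */
int register_prog(uint32_t number, const char *name) {
    if (n_known >= sizeof known_progs / sizeof known_progs[0]) return -1;
    known_progs[n_known].number = number;
    known_progs[n_known++].name = name;
    return 0;
}

/* Accept a UDP payload as an RPC call only if msg_type is CALL (0), rpcvers is 2
 * and the program number at offset 12 is in the table; NULL means "just UDP". */
const char *classify_rpc_call(const uint8_t *buf, size_t len) {
    if (len < 24) return NULL;           /* xid, type, rpcvers, prog, vers, proc */
    if (be32(buf + 4) != 0 || be32(buf + 8) != 2) return NULL;
    uint32_t prog = be32(buf + 12);
    for (size_t i = 0; i < n_known; i++)
        if (known_progs[i].number == prog) return known_progs[i].name;
    return NULL;
}

/* Constructed samples: first 24 bytes of calls to NLM (100021) and 0x20000099. */
const uint8_t nlm_call[24]     = { 0,0,0,1, 0,0,0,0, 0,0,0,2, 0x00,0x01,0x86,0xB5, 0,0,0,4, 0,0,0,0 };
const uint8_t private_call[24] = { 0,0,0,2, 0,0,0,0, 0,0,0,2, 0x20,0x00,0x00,0x99, 0,0,0,1, 0,0,0,1 };

int main(void) {
    const char *before = classify_rpc_call(private_call, sizeof private_call);
    register_prog(0x20000099u, "MYPROTO");
    const char *after = classify_rpc_call(private_call, sizeof private_call);
    printf("nlm: %s\n", classify_rpc_call(nlm_call, sizeof nlm_call));
    printf("private: %s -> %s\n", before ? before : "UDP", after ? after : "UDP");
    return 0;
}
```

The private-program payload is structurally a valid RPC call both times; only the table lookup changes the outcome, which is why the same traffic shows up as plain UDP until the program number is registered.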