Wireshark-users: [Wireshark-users] DCERPC - TCP Retransmission Problem

From: "Anthony Schnabel" <aschnabel@xxxxxxxxxxxxxxxx>
Date: Fri, 7 Dec 2007 11:43:50 -0700

I just started using Wireshark because of a network problem I have been having trouble tracking down. Several times during the day, our switches became “pegged” and no computer was able to access network resources or get online.

I installed Wireshark on our domain controller and noticed there was one computer that had thousands of “DCERPC [TCP Retransmission] Request: call_id 442527 opnum: 69 ctx_idx:” packets in a short amount of time, and little more than DNS/ARP/BROWSER transmissions from any other computer on the network.

I picked up this laptop and found nothing out of the ordinary, hardware- or software-wise. We are running network-based antivirus, and that found nothing as well.

Being new to Wireshark, and to analyzing packets in general, I was hoping someone could give me a basis for where to start with this. Are these DCERPC transmissions causing my network outage, or do I need to start looking elsewhere?

A little background on the network: We are a small Catholic school of less than 400 students, all with mobile laptops. Fiber runs through the backbone, wireless access points throughout the school, several servers all running some version of Windows.

Thanks for the help.

Tony.
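A small triage script, added here as an illustration and not part of Tony's post, that does the first thing a responder would want after seeing a flood of "[TCP Retransmission]" DCERPC requests: count retransmissions per source host and report which call_id/opnum each noisy host keeps repeating, so the one misbehaving machine can be isolated from the rest of the segment. It assumes input in the tab-separated shape produced by a tshark field export along the lines of `tshark -r capture.pcap -Y dcerpc -T fields -E separator=/t -e ip.src -e tcp.analysis.retransmission -e dcerpc.cn_call_id -e dcerpc.opnum`; that command line and the treatment of the retransmission flag (any non-empty value means "set") are assumptions, and the sample lines embedded below are constructed, not taken from a real capture.

```python
"""Count DCERPC retransmissions per source host from tshark-style field output.

Added example, not code from the original mailing-list post.
Assumed input: one record per line, tab-separated:
    ip.src <TAB> tcp.analysis.retransmission <TAB> dcerpc.cn_call_id <TAB> dcerpc.opnum
The retransmission column is a presence flag; any non-empty value is taken as "set"
(an assumption about how tshark renders that field).
"""
import sys
from collections import Counter, defaultdict

# Constructed sample: one chatty host (10.0.0.57) retransmitting the same
# call_id/opnum over and over, plus a few hosts behaving normally.
SAMPLE_LINES = [
    "10.0.0.57\t1\t442527\t69",
    "10.0.0.57\t1\t442527\t69",
    "10.0.0.57\t1\t442527\t69",
    "10.0.0.57\t1\t442527\t69",
    "10.0.0.57\t1\t442527\t69",
    "10.0.0.57\t1\t442527\t69",
    "10.0.0.57\t\t442527\t69",   # original request, not a retransmission
    "10.0.0.12\t1\t17\t3",        # a single retransmission is normal noise
    "10.0.0.12\t\t18\t3",
    "10.0.0.30\t\t5\t12",
    "not a valid record",         # malformed line, skipped
]


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 4:
        return None
    src, retrans, call_id, opnum = parts
    return {
        "src": src,
        "retrans": retrans != "",   # presence flag: non-empty means set
        "call_id": call_id,
        "opnum": opnum,
    }


def summarize(lines):
    """Count retransmitted DCERPC requests per source host and per (call_id, opnum)."""
    per_host = Counter()
    per_call = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["retrans"]:
            continue
        per_host[rec["src"]] += 1
        per_call[rec["src"]][(rec["call_id"], rec["opnum"])] += 1
    return per_host, per_call


def noisy_hosts(lines, threshold):
    """Hosts with at least `threshold` retransmissions, most active first,
    each with the call_id/opnum pair it retransmits most."""
    per_host, per_call = summarize(lines)
    result = []
    for host, n in per_host.most_common():
        if n < threshold:
            continue
        (call_id, opnum), count = per_call[host].most_common(1)[0]
        result.append({
            "host": host,
            "retransmissions": n,
            "top_call_id": call_id,
            "top_opnum": opnum,
            "top_count": count,
        })
    return result


if __name__ == "__main__":
    # Read a tshark export from a file given on the command line, else use the sample.
    lines = open(sys.argv[1]).readlines() if len(sys.argv) > 1 else SAMPLE_LINES
    for entry in noisy_hosts(lines, threshold=5):
        print("{host}: {retransmissions} retransmissions, "
              "{top_count} of them for call_id {top_call_id} opnum {top_opnum}".format(**entry))
```

With the sample data the script reports only 10.0.0.57, which matches the situation in the post: one host repeating the same call_id and opnum while everyone else is quiet. A single retransmission from a host (10.0.0.12 here) is ordinary TCP behaviour and stays below the threshold; what matters is a host whose retransmission count dwarfs the rest, and whether the thousands of repeats are all for one call, which points at a stuck client rather than a generally lossy link.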