Wireshark-users: Re: [Wireshark-users] Is this normal?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 31 Mar 2009 11:03:45 -0700

On Mar 31, 2009, at 9:59 AM, Peter Hartmann wrote:

Hi, I've noticed quite a bit of broadcast traffic like this and am
wondering if this is normal in an MS domain.  What do you think?


3	0.265561	10.3.85.104	255.255.255.255	DCERPC	Request: seq: 0 opnum:
18264 len: 12599 00000000-0a03-5568-0011-43c586f40000 V0
9	1.469157	10.3.85.116	255.255.255.255	DCERPC	Request: seq: 0 opnum:
18264 len: 12593 00000000-0a03-5574-0012-3f84a4620000 V0
6	1.325521	10.3.85.62	255.255.255.255	DCERPC	Request: seq: 0 opnum:
18264 len: 0 00000000-0a03-553e-00b0-d060db100000 V0
7	1.386135	10.3.85.127	255.255.255.255	DCERPC	Request: seq: 0 opnum:
18264 len: 12598 00000000-0a03-557f-0011-43c2f31b0000 V0

That might be traffic that's not DCE RPC traffic but that Wireshark's heuristic identifies as DCE RPC traffic. (There is no perfect heuristic to determine whether something is DCE RPC traffic or not.)

Try disabling the DCERPC dissector, and see what Wireshark thinks the traffic is.