4.17.1. MSRPC network traffic analysis with Ethereal

Ethereal is certainly the best network analyzer for analyzing MSRPC traffic. The following features are supported:

The DCE RPC dissector of Ethereal is a heuristic dissector: it tries to dissect TCP segments or UDP datagrams as DCE RPC Protocol Data Units. This can occasionally produce incorrect dissections, when the dissector mistakes data for DCE RPC traffic that is not. In that case, the Decode As feature can be used to force dissection with another protocol.

The DCE RPC dissector keeps track of the interface bound between a client and a server, so that subsequent PDUs can be decoded correctly. If the network trace does not contain enough information (the BIND or a similar PDU), Ethereal stops the dissection at the DCE RPC level. In that case, the Decode As DCE RPC function can be used to force dissection as one of the DCE RPC interfaces supported by Ethereal.
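As an added illustration (not code from this document or from Ethereal), the Python sketch below mimics three things the DCE RPC dissector does on a connection: a heuristic check on the 16-byte connection-oriented header, tracking of context ids bound to interface UUIDs from BIND PDUs, and reassembly of fragmented REQUEST PDUs by call_id, as discussed later in this section. The PDUs are constructed inline for the demo; `looks_like_dcerpc`, `Connection`, `build_pdu` and `demo` are names chosen here, and the srvsvc UUID serves only as sample data.

```python
import struct
import uuid
PTYPE_REQUEST, PTYPE_BIND = 0, 11           # connection-oriented DCE RPC PDU types
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02  # pfc_flags bits describing fragmentation
SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"  # well-known srvsvc interface UUID, sample data only

def looks_like_dcerpc(data):
    """Heuristic in the spirit of Ethereal's: rpc_vers 5, sane drep, known ptype, frag_length fits."""
    if len(data) < 16 or data[0] != 5 or data[1] > 1 or data[4] & 0xEE:
        return False
    end = "<" if data[4] & 0x10 else ">"
    return data[2] <= 19 and struct.unpack_from(end + "H", data, 8)[0] == len(data)
class Connection:
    """Per-connection state: context id -> interface UUID (from BIND), fragments pending per call_id."""
    def __init__(self):
        self.contexts, self.pending = {}, {}

    def feed(self, pdu):
        end = "<" if pdu[4] & 0x10 else ">"            # drep byte 4 selects integer byte order
        frag_len, auth_len, call_id = struct.unpack_from(end + "HHI", pdu, 8)
        if pdu[2] == PTYPE_BIND:                        # learn which interface each context id binds
            off = 28                                    # past max_xmit, max_recv, assoc_group, n_ctx+pad
            for _ in range(pdu[24]):
                ctx_id, n_ts = struct.unpack_from(end + "HB", pdu, off)
                raw = pdu[off + 4:off + 20]
                self.contexts[ctx_id] = str(uuid.UUID(bytes_le=raw) if end == "<" else uuid.UUID(bytes=raw))
                off += 24 + 20 * n_ts                   # abstract syntax + n_ts transfer syntaxes
            return None
        if pdu[2] != PTYPE_REQUEST:
            return None
        ctx_id, opnum = struct.unpack_from(end + "HH", pdu, 20)
        stub_end = frag_len - (auth_len + 8 if auth_len else 0)   # drop any auth trailer
        frags = self.pending.setdefault(call_id, [])
        if pdu[3] & PFC_FIRST_FRAG:
            frags.clear()
        frags.append(pdu[24:stub_end])
        if not pdu[3] & PFC_LAST_FRAG:                  # more fragments coming: keep buffering
            return None
        stub = b"".join(self.pending.pop(call_id))
        # interface is None when no BIND was seen: dissection would stop at the DCE RPC level
        return {"interface": self.contexts.get(ctx_id), "opnum": opnum, "stub": stub}

def build_pdu(ptype, flags, call_id, body):          # constructed little-endian PDU, not captured traffic
    return struct.pack("<BBBBIHHI", 5, 0, ptype, flags, 0x10, 16 + len(body), 0, call_id) + body

def demo():
    conn = Connection()
    bind = struct.pack("<HHIB3xHBx", 4280, 4280, 0, 1, 0, 1) + uuid.UUID(SRVSVC_UUID).bytes_le + bytes(24)
    conn.feed(build_pdu(PTYPE_BIND, PFC_FIRST_FRAG | PFC_LAST_FRAG, 1, bind))
    req = lambda flags, stub: build_pdu(PTYPE_REQUEST, flags, 2, struct.pack("<IHH", 8, 0, 15) + stub)
    return conn.feed(req(PFC_FIRST_FRAG, b"\x01\x02\x03\x04")), conn.feed(req(PFC_LAST_FRAG, b"\x05\x06\x07\x08"))
```

`demo()` returns `None` for the first fragment (still buffered) and the reassembled request, resolved to the srvsvc interface, for the last one; a request on a connection with no BIND resolves to `None`, which is the situation where Decode As DCE RPC is needed.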

For MSRPC over SMB traffic, the SMB dissector calls the DCE RPC dissector for any named pipe other than the LANMAN pipe, because the LANMAN pipe carries RAP (Remote Administration Protocol) traffic rather than DCE RPC traffic.

Some of the MSRPC dissectors are auto-generated from IDL files using two different IDL compilers: Pidl, from the Samba project, and idl2eth, part of Ethereal.

The dissectors involved in dissecting MSRPC traffic support data reassembly, so that the DCE RPC dissector can reassemble fragmented DCE RPC PDUs. For best results, the following dissector options have to be enabled: