Port 135 is for the DCE RPC Endpoint Mapper. If Wireshark isn't showing that as DCE RPC, either 1) it's being used for some other purpose or 2) Wireshark's heuristics for detecting DCE RPC traffic aren't working.

MS-RPC is Microsoft's version of DCE RPC; it can use NTLM for authentication, as can a number of other protocols, such as SMB. "NTLM" and "NTLMSSP" aren't, themselves, protocols running directly over TCP, in the sense that you can say "decode this TCP traffic as NTLM" or "decode this TCP traffic as NTLMSSP"; instead, NTLM provides a mechanism for several different protocols to use for authentication, and NTLMSSP runs atop protocols using it for authentication, not atop low-level transport protocols such as TCP.
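
Added example, not part of the original answer: a Python sketch of where NTLMSSP sits in this traffic, namely inside the auth verifier at the end of a connection-oriented DCE RPC PDU rather than directly on the TCP stream. The function names and the sample bind PDU are constructed for illustration; the sample body is a placeholder, not a real context list.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
AUTH_TYPE_WINNT = 10  # RPC_C_AUTHN_WINNT: NTLMSSP carried in the auth verifier

def find_ntlmssp(pdu: bytes):
    """Return the NTLMSSP message type carried in a connection-oriented
    DCE RPC PDU, or None if the PDU has no NTLMSSP auth verifier."""
    if len(pdu) < 16 or pdu[0] != 5:           # rpc_vers must be 5
        return None
    # packed_drep[0] high nibble: 1 = little-endian, 0 = big-endian
    endian = "<" if pdu[4] & 0xF0 == 0x10 else ">"
    frag_len, auth_len = struct.unpack_from(endian + "HH", pdu, 8)
    if auth_len == 0 or frag_len > len(pdu) or frag_len < 16 + 8 + auth_len:
        return None
    # The 8-byte sec_trailer sits just before auth_value at the end of the fragment
    trailer = frag_len - auth_len - 8
    auth_type = pdu[trailer]
    token = pdu[trailer + 8:frag_len]
    if auth_type != AUTH_TYPE_WINNT or len(token) < 12:
        return None
    if not token.startswith(NTLMSSP_SIG):
        return None
    (msg_type,) = struct.unpack_from("<I", token, 8)  # NTLMSSP fields are little-endian
    return NTLM_TYPES.get(msg_type)

def build_sample_bind(with_auth: bool) -> bytes:
    """Constructed sample: minimal bind PDU (ptype 11) with a placeholder body."""
    body = b"\x00" * 12                        # placeholder, not a real context list
    token = NTLMSSP_SIG + struct.pack("<I", 1) + b"\x00" * 20 if with_auth else b""
    # sec_trailer: auth_type, auth_level, auth_pad_length, reserved, auth_context_id
    trailer = bytes([AUTH_TYPE_WINNT, 6, 0, 0]) + struct.pack("<I", 0) if with_auth else b""
    frag_len = 16 + len(body) + len(trailer) + len(token)
    header = struct.pack("<BBBB4sHHI", 5, 0, 11, 0x03, b"\x10\x00\x00\x00",
                         frag_len, len(token), 1)
    return header + body + trailer + token

if __name__ == "__main__":
    print(find_ntlmssp(build_sample_bind(True)))
    print(find_ntlmssp(build_sample_bind(False)))
```

A raw NTLMSSP blob passed straight to `find_ntlmssp` is rejected because it has no DCE RPC header in front of it, which mirrors why a TCP stream cannot simply be decoded as NTLMSSP.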