Trace dcerpc conversation

asked 2025-02-18 20:30:42 +0000

I'm trying to trace an RPC conversation with Wireshark and for the most part I get it, but there's one piece I can't seem to figure out. I'm trying to see where the host server's endpoint mapper responds with the dynamic IP the client should use for the given service. I see the IOXIDResolver response, but nowhere do I see a port to be used. The conversation just continues on the correct port.

This is just curiosity in wanting to see where in the response the port is specified, but I cannot identify it anywhere.


Comments

(Disclaimer: not a Windows DCOM guy)

Sample capture attached to 15646: DCOM Dissection of ITypeInfo Interface

Looks like the port number is returned by the ISystemActivator protocol.
See MS: 3.2.4.1.1.2 Issuing the Activation Request

Chuckc ( 2025-02-18 22:09:56 +0000 )
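
An added example, not part of the original thread: DCOM carries server bindings as a DUALSTRINGARRAY of STRINGBINDING entries, and a dynamic port, when present, is the bracketed suffix of the network address (`host[port]`). The sketch below parses that structure starting at `wNumEntries`; the NDR wrapping around it is assumed to be already stripped, and the sample bytes and the names `build_dsa`, `parse_dsa` and `SAMPLE` are constructed for illustration.

```python
import re
import struct

TOWER_TCP = 0x0007  # protocol tower id for ncacn_ip_tcp

def build_dsa(bindings):
    """Constructed sample: DUALSTRINGARRAY with an empty security section."""
    body = b"".join(struct.pack("<H", tower) + (addr + "\0").encode("utf-16-le")
                    for tower, addr in bindings)
    body += b"\0\0"                      # null word ends the string bindings
    sec_off = len(body) // 2             # wSecurityOffset, in 16-bit words
    body += b"\0\0"                      # null word ends the (empty) security bindings
    return struct.pack("<HH", len(body) // 2, sec_off) + body

def parse_dsa(blob):
    """Return [(tower_id, host, port or None)] for each STRINGBINDING."""
    num, sec_off = struct.unpack_from("<HH", blob, 0)
    if sec_off > num or 4 + 2 * num > len(blob):
        raise ValueError("inconsistent DUALSTRINGARRAY header")
    words = struct.unpack_from("<%dH" % sec_off, blob, 4)
    out, i = [], 0
    while i < len(words) and words[i] != 0:
        tower, i = words[i], i + 1
        end = words.index(0, i)          # ValueError if the address is unterminated
        addr = blob[4 + 2 * i:4 + 2 * end].decode("utf-16-le")
        i = end + 1
        m = re.fullmatch(r"(.*)\[(\d+)\]", addr)
        out.append((tower, m.group(1), int(m.group(2))) if m else (tower, addr, None))
    return out

# Constructed input: one binding with a dynamic port, one without.
SAMPLE = build_dsa([(TOWER_TCP, "10.0.0.5[49664]"), (TOWER_TCP, "srv01")])

if __name__ == "__main__":
    for tower, host, port in parse_dsa(SAMPLE):
        print(hex(tower), host, port)
```

A binding that comes back with `None` for the port carries only a host name or address, which matches a response where no port is visible.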