
DCE/RPC Remote Procedure Call

Hey there,

I need some help from somebody who knows what's going on here. I researched a lot about DCE/RPC, but there is not very much detailed information available on the web. Maybe somebody here can give me some information on the following capture:

(No need to get too deep into details, but if you'd like to, you're welcome :)

    No.     Time           Source                Destination           Protocol Length Info
         42 1495.384770518 *censored*        192.168.123.118       DCERPC   199    Ping: seq: 2274746402

    Frame 42: 199 bytes on wire (1592 bits), 199 bytes captured (1592 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Ping, Seq: 2274746402, Serial: 32836, Frag: 11049, FragLen: 4152

    No.     Time           Source                Destination           Protocol Length Info
         43 1500.652624583 *censored*        192.168.123.118       DCERPC   213    Fault: seq: 2256318484: status: Unknown (0x05f6b8ce)

    Frame 43: 213 bytes on wire (1704 bits), 213 bytes captured (1704 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Fault, Seq: 2256318484, Serial: 4, Frag: 7608, FragLen: 13051

    No.     Time           Source                Destination           Protocol Length Info
         44 1505.945566549 *censored*        192.168.123.118       DCERPC   295    Nocall: seq: 75521284

    Frame 44: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Nocall, Seq: 75521284, Serial: 32900, Frag: 38104, FragLen: 260

    No.     Time           Source                Destination           Protocol Length Info
         45 1508.605860849 *censored*        192.168.123.118       DCERPC   273    Reject: seq: 997494462: status: Unknown (0x52ee2260)

    Frame 45: 273 bytes on wire (2184 bits), 273 bytes captured (2184 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Reject, Seq: 997494462, Serial: 32836, Frag: 24606, FragLen: 42051

    No.     Time           Source                Destination           Protocol Length Info
         46 1511.268238242 *censored*        192.168.123.118       DCERPC   285    Ack: seq: 1399001244

    Frame 46: 285 bytes on wire (2280 bits), 285 bytes captured (2280 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Ack, Seq: 1399001244, Serial: 32879, Frag: 7880, FragLen: 51480

    No.     Time           Source                Destination           Protocol Length Info
         47 1513.929900575 *censored*        192.168.123.118       DCERPC   302    Cl_cancel: seq: 3752523524

    Frame 47: 302 bytes on wire (2416 bits), 302 bytes captured (2416 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Cl_cancel, Seq: 3752523524, Serial: 32816, Frag: 56865, FragLen: 2304

    No.     Time           Source                Destination           Protocol Length Info
         48 1516.599352797 *censored*        192.168.123.118       DCERPC   258    Fack: seq: 2159762026

    Frame 48: 258 bytes on wire (2064 bits), 258 bytes captured (2064 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Fack, Seq: 2159762026, Serial: 32786, Frag: 8221, FragLen: 33056

    No.     Time           Source                Destination           Protocol Length Info
         49 1519.249929433 *censored*        192.168.123.118       DCERPC   230    Cancel_ack: seq: 1448369408

    Frame 49: 230 bytes on wire (1840 bits), 230 bytes captured (1840 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Cancel_ack, Seq: 1448369408, Serial: 32902, Frag: 32292, FragLen: 704

    No.     Time           Source                Destination           Protocol Length Info
         50 1521.901096246 *censored*        192.168.123.118       DCERPC   235    Bind: seq: 791498048

    Frame 50: 235 bytes on wire (1880 bits), 235 bytes captured (1880 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind, Seq: 791498048, Serial: 32843, Frag: 22, FragLen: 18686

    No.     Time           Source                Destination           Protocol Length Info
         51 1524.542622066 *censored*        192.168.123.118       DCERPC   190    Bind_ack: seq: 1885326066

    Frame 51: 190 bytes on wire (1520 bits), 190 bytes captured (1520 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind_ack, Seq: 1885326066, Serial: 92, Frag: 49065, FragLen: 36736

    No.     Time           Source                Destination           Protocol Length Info
         52 1527.185958363 *censored*        192.168.123.118       DCERPC   161    Bind_nak: seq: 1612602236

    Frame 52: 161 bytes on wire (1288 bits), 161 bytes captured (1288 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind_nak, Seq: 1612602236, Serial: 251, Frag: 57382, FragLen: 1030

    No.     Time           Source                Destination           Protocol Length Info
         53 1529.820883059 *censored*        192.168.123.118       DCERPC   195    Alter_context: seq: 1683367025

    Frame 53: 195 bytes on wire (1560 bits), 195 bytes captured (1560 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Alter_context, Seq: 1683367025, Serial: 101, Frag: 50943, FragLen: 516

    No.     Time           Source                Destination           Protocol Length Info
         54 1532.484068664 *censored*        192.168.123.118       DCERPC   180    Alter_context_resp: seq: 70799364

    Frame 54: 180 bytes on wire (1440 bits), 180 bytes captured (1440 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Alter_context_resp, Seq: 70799364, Serial: 208, Frag: 63417, FragLen: 62449

    No.     Time           Source                Destination           Protocol Length Info
         55 1535.189980045 *censored*        192.168.123.118       DCERPC   191    AUTH3: seq: 91256838

    Frame 55: 191 bytes on wire (1528 bits), 191 bytes captured (1528 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) AUTH3, Seq: 91256838, Serial: 32911, Frag: 45082, FragLen: 64367

    No.     Time           Source                Destination           Protocol Length Info
         56 1537.860512334 *censored*        192.168.123.118       DCERPC   324    Shutdown: seq: 72897532

    Frame 56: 324 bytes on wire (2592 bits), 324 bytes captured (2592 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Shutdown, Seq: 72897532, Serial: 171, Frag: 28979, FragLen: 56204

    No.     Time           Source                Destination           Protocol Length Info
         57 1540.531704563 *censored*        192.168.123.118       DCERPC   216    Co_cancel: seq: 3835373377

    Frame 57: 216 bytes on wire (1728 bits), 216 bytes captured (1728 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Co_cancel, Seq: 3835373377, Serial: 32898, Frag: 6708, FragLen: 61478

    No.     Time           Source                Destination           Protocol Length Info
         58 1543.175150154 *censored*        192.168.123.118       DCERPC   295    Orphaned: seq: 2155392515

    Frame 58: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: *censored*, Dst: 192.168.123.118
    User Datagram Protocol, Src Port: 27015, Dst Port: 27005
    Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Orphaned, Seq: 2155392515, Serial: 32838, Frag: 5505, FragLen: 49186
