This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Understanding DCERPC and “TCP segment of a reassembled PDU”

0

I'm trying to understand how a PC application (which is unsupported and undocumented) talks to a device. The trace seems to consist mostly of DCERPC packets and TCP packets marked "TCP segment of a reassembled PDU". What I expect to be happening here is either the download of a lot of records from a database to the device, or some sort of synchronisation of a database in the device with the master database on the PC. The database is probably using Clarion/Topspeed.

Can someone give me an overview on what's going on here, and how I can set about analysing it? Eventually I have to write a new program that can communicate to the device in the same way.

Thanks - Rowan

asked 07 Dec '12, 15:48


Rowan
accept rate: 0%


One Answer:

0

What's going on is probably either that the PC application is using DCE/RPC, or Microsoft's extended version of DCE/RPC, to communicate with the device, or some other programs are communicating using DCE/RPC or MSRPC and some of the traffic that's not DCE/RPC and not "TCP segment of a reassembled PDU" TCP segments that end up getting reassembled into DCE/RPC traffic is the traffic between the PC application and the device.

Apparently Topspeed's Clarion "reads and writes several flat file desktop database formats including ASCII, CSV, DOS (Binary), FoxPro, Clipper, dBase, or all SQL RDBMS databases via ODBC, MS SQL Server, Sybase SQL Anywhere and Oracle through the use of accelerated native database drivers". Perhaps some of those access methods run over the networking using DCE/RPC (SQL Server/Sybase SQL Anywhere don't - they use TDS, which Wireshark also dissects - and Oracle doesn't - it uses some other protocol that Wireshark dissects).

Sadly, DCE/RPC isn't necessarily going to be easy to reverse-engineer - and you may then have to reverse-engineer the database schema as well.

answered 07 Dec '12, 20:01


Guy Harris ♦♦
accept rate: 19%
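To make the "TCP segment of a reassembled PDU" label concrete, here is an added example (not code from the question, the answer or Wireshark itself) that builds a small constructed DCE/RPC stream, cuts it back into PDUs using the 16-byte connection-oriented header's frag_length field, and labels each TCP segment the way Wireshark would: a segment that completes no PDU is only a piece of a reassembled one. The bind and request bodies are dummy bytes, and the "DCERPC"/"TCP segment" labels are a simplification of Wireshark's display.

```python
import struct
from collections import namedtuple

PTYPE_NAMES = {0: "request", 2: "response", 11: "bind", 12: "bind_ack"}
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
# frag_length is the length of the whole PDU, the 16-byte header included
PduHeader = namedtuple("PduHeader", "rpc_vers ptype pfc_flags frag_length call_id")

def build_pdu(ptype: int, body: bytes, call_id: int) -> bytes:
    """Construct a connection-oriented DCE/RPC PDU (little-endian data representation)."""
    drep = b"\x10\x00\x00\x00"                      # bit 0x10: little-endian integers
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, PFC_FIRST_FRAG | PFC_LAST_FRAG,
                       drep, 16 + len(body), 0, call_id) + body

def parse_header(buf: bytes) -> PduHeader:
    vers, _minor, ptype, flags, drep = struct.unpack("<BBBB4s", buf[:8])
    endian = "<" if drep[0] & 0x10 else ">"        # frag_length follows the sender's drep
    frag_length, _auth_length, call_id = struct.unpack(endian + "HHI", buf[8:16])
    return PduHeader(vers, ptype, flags, frag_length, call_id)

def reassemble(segments):
    """Walk TCP payloads in stream order and cut them into PDUs on frag_length.
    Returns (pdus, labels); each label mimics what Wireshark shows for that segment."""
    stream, pdus, labels = b"", [], []
    for seg in segments:
        stream += seg
        completed = 0
        while len(stream) >= 16:
            hdr = parse_header(stream)
            if hdr.rpc_vers != 5:
                raise ValueError("not a DCE/RPC connection-oriented PDU")
            if len(stream) < hdr.frag_length:
                break                                # PDU continues in a later segment
            pdus.append((hdr, stream[16:hdr.frag_length]))
            stream = stream[hdr.frag_length:]
            completed += 1
        labels.append("DCERPC" if completed else "TCP segment of a reassembled PDU")
    return pdus, labels

# Constructed sample stream: one bind PDU, then a request PDU split over two segments.
BIND = build_pdu(11, b"\x00" * 20, call_id=1)
REQUEST = build_pdu(0, b"\x41" * 40, call_id=2)
SEGMENTS = [BIND, REQUEST[:24], REQUEST[24:]]

def demo():
    pdus, labels = reassemble(SEGMENTS)
    return [(PTYPE_NAMES[h.ptype], h.frag_length, len(body)) for h, body in pdus], labels
```

In a real capture the same logic is what "Allow subdissector to reassemble TCP streams" in the TCP preferences drives: the bytes in the middle segment are only meaningful once the later segment that completes the PDU has arrived.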