This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Reverse Engineering RPCAP

0

Hello,

I've got an application that requires me to attach a script to an existing RPCAP daemon. So I'm working on reverse engineering the RPCAP protocol. Wireshark does a fantastic job of decoding the basic authentication, open request, and filter request packets. But I'm having trouble with the actual data packets. I can parse the rpcap_header and rpcap_pkthdr. But I'm confused as to what comes next. That is, there is some unstructured (to me, anyway) bytes between the rpcap_pkthdr and the raw payload at the end of the packet.

Any ideas how to parse this?

Thanks!

Norman

asked 09 Aug '13, 13:46


normelton
accept rate: 0%
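A decoder for the two structures named in the question, written as an added example that is not part of the original post and not code from WinPcap or libpcap. It assumes the layouts from libpcap/WinPcap's rpcap-protocol.h (rpcap_header: 8-bit ver, 8-bit type, 16-bit value, 32-bit plen; rpcap_pkthdr: five 32-bit fields timestamp_sec, timestamp_usec, caplen, len, npkt; everything in network byte order) and that in an RPCAP_MSG_PACKET message (type 7) the captured bytes, starting with their link-layer header, follow rpcap_pkthdr directly. The sample message is constructed here; every length field comes from the remote daemon, so each one is checked against what was actually received before any slicing happens.

```python
import struct
from dataclasses import dataclass
from typing import Iterator

# Values from rpcap-protocol.h (libpcap / WinPcap 4.1.x)
RPCAP_MSG_PACKET = 7
RPCAP_HDR_FMT = "!BBHI"        # ver, type, value, plen
RPCAP_PKTHDR_FMT = "!IIIII"    # timestamp_sec, timestamp_usec, caplen, len, npkt
RPCAP_HDR_LEN = struct.calcsize(RPCAP_HDR_FMT)        # 8 bytes
RPCAP_PKTHDR_LEN = struct.calcsize(RPCAP_PKTHDR_FMT)  # 20 bytes


class RpcapParseError(ValueError):
    """Raised when a message is truncated or its length fields are inconsistent."""


@dataclass
class RpcapPacket:
    version: int
    msg_type: int
    value: int
    plen: int
    ts_sec: int
    ts_usec: int
    caplen: int
    wirelen: int
    npkt: int
    data: bytes  # captured bytes, beginning with the link-layer header


def iter_rpcap_messages(stream: bytes) -> Iterator[bytes]:
    """Split a buffer of back-to-back rpcap messages using each header's plen.

    The data channel is a byte stream, so several messages may arrive in one
    read; each is yielded as header + payload.
    """
    off = 0
    while off < len(stream):
        if len(stream) - off < RPCAP_HDR_LEN:
            raise RpcapParseError("trailing bytes shorter than rpcap_header")
        _ver, _mtype, _value, plen = struct.unpack_from(RPCAP_HDR_FMT, stream, off)
        end = off + RPCAP_HDR_LEN + plen
        if end > len(stream):  # peer-supplied plen must never outrun the buffer
            raise RpcapParseError("message runs past end of buffer")
        yield stream[off:end]
        off = end


def parse_rpcap_packet(msg: bytes) -> RpcapPacket:
    """Decode one RPCAP_MSG_PACKET message into its headers and captured bytes."""
    if len(msg) < RPCAP_HDR_LEN:
        raise RpcapParseError("short rpcap_header")
    ver, mtype, value, plen = struct.unpack_from(RPCAP_HDR_FMT, msg, 0)
    if mtype != RPCAP_MSG_PACKET:
        raise RpcapParseError(f"not a packet message (type {mtype})")
    if plen > len(msg) - RPCAP_HDR_LEN:
        raise RpcapParseError("plen exceeds received data")
    if plen < RPCAP_PKTHDR_LEN:
        raise RpcapParseError("payload too short for rpcap_pkthdr")
    ts_sec, ts_usec, caplen, wirelen, npkt = struct.unpack_from(
        RPCAP_PKTHDR_FMT, msg, RPCAP_HDR_LEN
    )
    # caplen is also peer-controlled: bound it by the payload and by the wire length
    if caplen > plen - RPCAP_PKTHDR_LEN:
        raise RpcapParseError("caplen exceeds payload")
    if caplen > wirelen:
        raise RpcapParseError("caplen larger than wire length")
    start = RPCAP_HDR_LEN + RPCAP_PKTHDR_LEN
    data = bytes(msg[start:start + caplen])
    return RpcapPacket(ver, mtype, value, plen, ts_sec, ts_usec, caplen, wirelen, npkt, data)


def build_sample_message() -> bytes:
    """Constructed sample: one packet message carrying a 34-byte Ethernet/IPv4 frame."""
    frame = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x45" + b"\x00" * 19
    pkthdr = struct.pack(RPCAP_PKTHDR_FMT, 1376070000, 123456, len(frame), len(frame), 1)
    hdr = struct.pack(RPCAP_HDR_FMT, 0, RPCAP_MSG_PACKET, 0, len(pkthdr) + len(frame))
    return hdr + pkthdr + frame


if __name__ == "__main__":
    for raw in iter_rpcap_messages(build_sample_message() * 2):
        pkt = parse_rpcap_packet(raw)
        print(f"#{pkt.npkt} ts={pkt.ts_sec}.{pkt.ts_usec:06d} caplen={pkt.caplen} "
              f"ethertype=0x{pkt.data[12:14].hex()}")
```

With the sample message, the bytes after rpcap_pkthdr decode as an Ethernet header (destination, source, EtherType 0x0800) followed by the IP packet, which is what a capture on an Ethernet interface delivers; the message framing in iter_rpcap_messages is what lets a script keep its place when the daemon sends several packets in one TCP segment.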


One Answer:

1

So I'm working on reverse engineering the RPCAP protocol.

Wouldn't it be easier to look at the code of rpcapd (part of WinPcap) instead of reverse engineering the protocol?

http://www.winpcap.org/install/bin/WpcapSrc_4_1_3.zip

Regards
Kurt

answered 09 Aug '13, 14:34


Kurt Knochner ♦
accept rate: 15%