

I've got an application that requires me to attach a script to an existing RPCAP daemon. So I'm working on reverse engineering the RPCAP protocol. Wireshark does a fantastic job of decoding the basic authentication, open request, and filter request packets. But I'm having trouble with the actual data packets. I can parse the rpcap_header and rpcap_pkthdr. But I'm confused as to what comes next. That is, there are some unstructured (to me, anyway) bytes between the rpcap_pkthdr and the raw payload at the end of the packet.

Any ideas how to parse this?



asked 09 Aug '13, 13:46 by normelton

So I'm working on reverse engineering the RPCAP protocol.

Wouldn't it be easier to look at the code of rpcapd (part of WinPcap) instead of reverse engineering the protocol?



answered 09 Aug '13, 14:34 by Kurt Knochner ♦
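As an added example, not code from the question or the answer above: a Python parser for an RPCAP data message (RPCAP_MSG_PACKET, type 7) built on the struct layouts in the rpcapd source the answer points to (WinPcap's pcap-remote.h at the time, libpcap's rpcap-protocol.h today). rpcap_header is 8 bytes (ver, type, value, plen) and rpcap_pkthdr is 20 bytes (timestamp_sec, timestamp_usec, caplen, len, npkt), all big-endian. What follows rpcap_pkthdr is the captured frame exactly as pcap saw it, starting with its link-layer header, so on an Ethernet capture the bytes sitting between rpcap_pkthdr and the IP payload are the 14-byte Ethernet header; the real link type is whatever the open reply reported, and the example assumes Ethernet only for its sample. The sample message and frame are constructed, not captured traffic, and the bounds checks on plen and caplen are there because both values arrive from the remote daemon and must not be trusted for slicing.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Wire layouts taken from the rpcapd source (WinPcap pcap-remote.h, now
# libpcap rpcap-protocol.h). Every multi-byte field is big-endian.
RPCAP_HEADER = struct.Struct("!BBHI")    # ver, type, value, plen          (8 bytes)
RPCAP_PKTHDR = struct.Struct("!IIIII")   # timestamp_sec, timestamp_usec,
                                         # caplen, len, npkt               (20 bytes)
RPCAP_MSG_PACKET = 7                     # message type for captured packets


@dataclass
class RpcapPacket:
    version: int
    plen: int
    ts_sec: int
    ts_usec: int
    caplen: int
    wirelen: int       # 'len' in the C struct: length on the wire before truncation
    npkt: int          # running packet counter kept by the daemon
    frame: bytes       # the captured frame, beginning with its link-layer header


def parse_rpcap_packet(buf: bytes) -> RpcapPacket:
    """Parse one RPCAP_MSG_PACKET message taken from the TCP data stream.

    Every length field comes from the remote daemon, so each one is checked
    against the bytes actually present before it is used to slice anything.
    """
    if len(buf) < RPCAP_HEADER.size:
        raise ValueError("short rpcap_header")
    ver, mtype, _value, plen = RPCAP_HEADER.unpack_from(buf, 0)
    if mtype != RPCAP_MSG_PACKET:
        raise ValueError(f"not a data message (type {mtype})")
    body = buf[RPCAP_HEADER.size:]
    if len(body) < plen:
        raise ValueError(f"truncated message: plen={plen}, only {len(body)} bytes follow")
    body = body[:plen]                      # ignore any next message in the stream
    if plen < RPCAP_PKTHDR.size:
        raise ValueError("payload shorter than rpcap_pkthdr")
    ts_sec, ts_usec, caplen, wirelen, npkt = RPCAP_PKTHDR.unpack_from(body, 0)
    frame = body[RPCAP_PKTHDR.size:]
    if caplen > len(frame):
        raise ValueError(f"caplen {caplen} exceeds the {len(frame)} frame bytes covered by plen")
    if caplen > wirelen:
        raise ValueError(f"caplen {caplen} exceeds on-the-wire length {wirelen}")
    return RpcapPacket(ver, plen, ts_sec, ts_usec, caplen, wirelen, npkt, frame[:caplen])


def ethernet_summary(frame: bytes) -> tuple[str, str, int]:
    """Decode the 14-byte Ethernet header that opens the frame.

    Only meaningful when the rpcap open reply reported an Ethernet link type
    (DLT_EN10MB); other link types put a different header here.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    mac = lambda m: ":".join(f"{b:02x}" for b in m)
    return mac(dst), mac(src), ethertype


def build_rpcap_packet(ts_sec: int, ts_usec: int, frame: bytes,
                       wirelen: int | None = None, npkt: int = 1, ver: int = 0) -> bytes:
    """Encode a data message in the daemon's layout; used here to build the sample."""
    wirelen = len(frame) if wirelen is None else wirelen
    pkthdr = RPCAP_PKTHDR.pack(ts_sec, ts_usec, len(frame), wirelen, npkt)
    header = RPCAP_HEADER.pack(ver, RPCAP_MSG_PACKET, 0, len(pkthdr) + len(frame))
    return header + pkthdr + frame


# Constructed sample frame (not a real capture): Ethernet header followed by a
# minimal 20-byte IPv4 header whose checksum is a dummy value.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455")             # destination MAC
    + bytes.fromhex("66778899aabb")           # source MAC
    + b"\x08\x00"                             # EtherType IPv4
    + bytes.fromhex("45000014000100004001000ac0a80001c0a80002")
)
SAMPLE_MESSAGE = build_rpcap_packet(1376072760, 0, SAMPLE_FRAME)

if __name__ == "__main__":
    pkt = parse_rpcap_packet(SAMPLE_MESSAGE)
    print(f"plen={pkt.plen} caplen={pkt.caplen} len={pkt.wirelen} npkt={pkt.npkt}")
    print("link-layer header:", ethernet_summary(pkt.frame))
```

Point the same parser at a message copied out of Wireshark's rpcap dissection and compare the field values it prints with Wireshark's. If the byte at offset 14 of the frame is not 0x45 for traffic you know is IPv4, the interface was not opened as Ethernet; the linktype field in the open reply tells you which link-layer header to decode instead.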
