Hello, I've got an application that requires me to attach a script to an existing RPCAP daemon. So I'm working on reverse engineering the RPCAP protocol. Wireshark does a fantastic job of decoding the basic authentication, open request, and filter request packets. But I'm having trouble with the actual data packets. I can parse the rpcap_header and rpcap_pkthdr. But I'm confused as to what comes next. That is, there is some unstructured (to me, anyway) bytes between the rpcap_pkthdr and the raw payload at the end of the packet. Any ideas how to parse this? Thanks! Norman

asked 09 Aug '13, 13:46 normelton
One Answer:
Wouldn't it be easier to look at the code of rpcapd (part of WinPcap) instead of reverse engineering the protocol? Regards

answered 09 Aug '13, 14:34 Kurt Knochner ♦
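As an added example (not code from either poster), here is a bounds-checked parser for the two structures the question names, rpcap_header and rpcap_pkthdr, applied to a constructed data-packet message. The field layouts and the RPCAP_MSG_PACKET type code are assumed from libpcap's rpcap-protocol.h rather than taken from the thread, so verify them against the rpcapd build you are actually talking to; the parser takes the captured frame from the last caplen bytes and surfaces anything between rpcap_pkthdr and that frame as `extra`, so the surplus bytes the question describes can be inspected instead of being silently swallowed.

```python
import struct
from dataclasses import dataclass

# Layouts assumed from libpcap's rpcap-protocol.h (verify against the rpcapd
# build you talk to). Both structs are sent in network (big-endian) byte order.
RPCAP_HEADER = struct.Struct("!BBHI")   # ver, type, value, plen (plen excludes header)
RPCAP_PKTHDR = struct.Struct("!IIIII")  # timestamp_sec, timestamp_usec, caplen, len, npkt
RPCAP_MSG_PACKET = 7                    # assumed type code of a captured-packet message

@dataclass
class RpcapPacket:
    version: int
    msg_type: int
    plen: int
    ts_sec: int
    ts_usec: int
    caplen: int
    wirelen: int
    npkt: int
    extra: bytes    # bytes found between rpcap_pkthdr and the last caplen bytes
    payload: bytes  # the captured frame itself (the final caplen bytes of the body)

def parse_rpcap_packet(buf: bytes) -> RpcapPacket:
    # Every length field is checked against what is actually present, so a
    # truncated or hostile message raises instead of reading past the buffer.
    if len(buf) < RPCAP_HEADER.size + RPCAP_PKTHDR.size:
        raise ValueError("buffer too short for rpcap_header + rpcap_pkthdr")
    ver, mtype, _value, plen = RPCAP_HEADER.unpack_from(buf, 0)
    if mtype != RPCAP_MSG_PACKET:
        raise ValueError(f"not an RPCAP_MSG_PACKET message (type={mtype})")
    body = buf[RPCAP_HEADER.size:]
    if plen > len(body):
        raise ValueError(f"plen {plen} exceeds the {len(body)} bytes received")
    body = body[:plen]
    ts_sec, ts_usec, caplen, wirelen, npkt = RPCAP_PKTHDR.unpack_from(body, 0)
    rest = body[RPCAP_PKTHDR.size:]
    if caplen > len(rest):
        raise ValueError(f"caplen {caplen} exceeds the {len(rest)} bytes after rpcap_pkthdr")
    # Take the payload from the tail, as the question describes; whatever sits
    # before it is surfaced as 'extra' so it can be inspected rather than lost.
    split = len(rest) - caplen
    return RpcapPacket(ver, mtype, plen, ts_sec, ts_usec, caplen, wirelen, npkt,
                       rest[:split], rest[split:])

def build_sample_message(payload=b"\x00\x01\x02\x03\x04\x05", extra=b"\xaa\xbb\xcc\xdd") -> bytes:
    # Constructed sample (not a real capture): one frame with four surplus bytes.
    body = RPCAP_PKTHDR.pack(1376060000, 123456, len(payload), len(payload), 1) + extra + payload
    return RPCAP_HEADER.pack(0, RPCAP_MSG_PACKET, 0, len(body)) + body
```

Comparing `plen` against `RPCAP_PKTHDR.size + caplen` on real traffic from the daemon tells you immediately whether, and how many, surplus bytes it is sending per packet.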