
Hello,

I've got an application that requires me to attach a script to an existing RPCAP daemon. So I'm working on reverse engineering the RPCAP protocol. Wireshark does a fantastic job of decoding the basic authentication, open request, and filter request packets. But I'm having trouble with the actual data packets. I can parse the rpcap_header and rpcap_pkthdr. But I'm confused as to what comes next. That is, there is some unstructured (to me, anyway) bytes between the rpcap_pkthdr and the raw payload at the end of the packet.

Any ideas how to parse this?

Thanks!

Norman

asked 09 Aug '13, 13:46

normelton
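An added example, not code from the question or from rpcapd, that parses one RPCAP_MSG_PACKET message. It assumes the layouts from libpcap's rpcap-protocol.h: an 8-byte rpcap_header (ver, type, value, plen), a 20-byte rpcap_pkthdr (timestamp_sec, timestamp_usec, caplen, len, npkt), all in network byte order, followed by caplen bytes of the captured frame itself, which starts with its own link-layer header. The sample message, its Ethernet/IPv4 frame, and the timestamp are constructed.

```python
import struct
from dataclasses import dataclass

RPCAP_MSG_PACKET = 7          # message type that carries one captured packet
RPCAP_HEADER_FMT = "!BBHI"    # ver, type, value, plen (8 bytes, network byte order)
RPCAP_PKTHDR_FMT = "!IIIII"   # timestamp_sec, timestamp_usec, caplen, len, npkt (20 bytes)
RPCAP_HEADER_LEN = struct.calcsize(RPCAP_HEADER_FMT)
RPCAP_PKTHDR_LEN = struct.calcsize(RPCAP_PKTHDR_FMT)

@dataclass
class RpcapPacket:
    version: int
    ts_sec: int
    ts_usec: int
    caplen: int       # bytes actually captured and present in this message
    wirelen: int      # original length of the packet on the wire
    npkt: int
    frame: bytes      # the captured frame, caplen bytes, link-layer header first

def parse_rpcap_packet(msg: bytes) -> RpcapPacket:
    """Parse rpcap_header + rpcap_pkthdr + frame; every length field comes from
    the remote daemon, so each is checked before it is used to slice the buffer."""
    if len(msg) < RPCAP_HEADER_LEN:
        raise ValueError("truncated rpcap_header")
    ver, mtype, _value, plen = struct.unpack_from(RPCAP_HEADER_FMT, msg, 0)
    if mtype != RPCAP_MSG_PACKET:
        raise ValueError(f"not a packet message (type {mtype})")
    if plen < RPCAP_PKTHDR_LEN or len(msg) < RPCAP_HEADER_LEN + plen:
        raise ValueError("plen inconsistent with message size")
    body = msg[RPCAP_HEADER_LEN:RPCAP_HEADER_LEN + plen]
    ts_sec, ts_usec, caplen, wirelen, npkt = struct.unpack_from(RPCAP_PKTHDR_FMT, body, 0)
    if caplen > wirelen or RPCAP_PKTHDR_LEN + caplen > plen:
        raise ValueError("caplen inconsistent with len/plen")
    frame = body[RPCAP_PKTHDR_LEN:RPCAP_PKTHDR_LEN + caplen]
    return RpcapPacket(ver, ts_sec, ts_usec, caplen, wirelen, npkt, frame)

def ethertype(frame: bytes) -> int:
    """EtherType of a captured Ethernet frame (bytes 12-13 of its link-layer header)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return struct.unpack_from("!H", frame, 12)[0]

def build_sample_message() -> bytes:
    """Constructed sample: one Ethernet/IPv4 frame (34 bytes, headers only) in a packet message."""
    eth = bytes.fromhex("ffffffffffff" "001122334455" "0800")            # dst, src, EtherType IPv4
    ipv4 = bytes.fromhex("45000014" "00010000" "4011" "0000" "0a000001" "0a000002")
    frame = eth + ipv4
    pkthdr = struct.pack(RPCAP_PKTHDR_FMT, 1376081160, 0, len(frame), 60, 1)
    header = struct.pack(RPCAP_HEADER_FMT, 0, RPCAP_MSG_PACKET, 0, len(pkthdr) + len(frame))
    return header + pkthdr + frame
```

Offset 28 of the message (8 + 20) is therefore the first byte of the captured frame; what looks unstructured there is the frame's own Ethernet, IP and transport headers, not extra rpcap fields.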


So I'm working on reverse engineering the RPCAP protocol.

Wouldn't it be easier to look at the code of rpcapd (part of WinPcap) instead of reverse engineering the protocol?

http://www.winpcap.org/install/bin/WpcapSrc_4_1_3.zip

Regards
Kurt

answered 09 Aug '13, 14:34

Kurt Knochner ♦