This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

MAPI Unknown Operation 10 & 11 Request / Response


Hi Guys, I'm trying to diagnose some performance issues on my network and I have captured a heap of unknown packets using WireShark. Google didn't reveal much apart from "Wireshark might not know how to decode those packets".

I did the capture on both the source and destination server to rule out corrupted packets. Source server has wireshark 1.10.3 and Destination server has wireshark 1.10.2 and both contain the same thing.

2162 18.498010000 10.2.2.16 10.2.2.3 MAPI 246 Unknown operation 11 request

I see requests and responses for Operation types 10, 11 and 14. The overall network utilisation is quite low so this is probably not a problem. I'm more curious now why WireShark doesn't know how to decode them.

I know the application that is causing the traffic. It synchronises Exchange mailboxes with a SQL Database. The traffic stops when I turn it off.

Any Ideas what is going on?

Thanks David

asked 21 Nov '13, 15:29

The Dog Master


One Answer:


> I'm more curious now why WireShark doesn't know how to decode them.

Because nobody's contributed code to decode them; when the MAPI dissector was originally written, I'm not sure Microsoft had published any documents describing the MAPI protocol, so whoever wrote the dissector for it made it handle what they and other people had seen and reverse-engineered.

The [MS-OXCRPC] document shows operation 10 as EcDoConnectEx, operation 11 as EcDoRpcExt2, and operation 14 as EcDoAsyncConnectEx. However, nobody's taken the time to add those to the mapi.idl file in the Wireshark source and rebuild the dissector.

Expecting Wireshark (or any network analyzer) to fully dissect every protocol you see on a network is unrealistic, given that 1) not all protocols are publicly documented and 2) developers' time is limited.

answered 21 Nov '13, 17:02

Guy Harris ♦♦

edited 23 Nov '13, 17:05

Hi Guy, That explains it and that was my hunch. Maybe someone will pick that job up one day. I did a quick search for MAPI documentation and, as with all Microsoft products, if it isn't Marketing Material it is all over the place. Thanks for the Answer. David

(21 Nov '13, 20:50) The Dog Master

I've updated the answer to refer to the Microsoft documentation on the over-the-wire MAPI protocol.

(23 Nov '13, 17:05) Guy Harris ♦♦