Hi guys, I'm trying to diagnose some performance issues on my network and I have captured a heap of unknown packets using Wireshark. Google didn't reveal much apart from "Wireshark might not know how to decode those packets".
I did the capture on both the source and destination server to rule out corrupted packets. Source server has wireshark 1.10.3 and Destination server has wireshark 1.10.2 and both contain the same thing.
2162 18.498010000 10.2.2.16 10.2.2.3 MAPI 246 Unknown operation 11 request
I see request and response for operation types 10, 11 and 14. The overall network utilisation is quite low, so this is probably not a problem. I'm more curious now why Wireshark doesn't know how to decode them.
I know the application that is causing the traffic. It synchronises Exchange mailboxes with a SQL database. The traffic stops when I turn it off.
Any ideas what is going on?
asked 21 Nov '13, 15:29
The Dog Master
Because nobody's contributed code to decode them; when the MAPI dissector was originally written, I'm not sure Microsoft had published any documents describing the MAPI protocol, so whoever wrote the dissector for it made it handle what they and other people had seen and reverse-engineered.
The [MS-OXCRPC] document shows operation 10 as EcDoConnectEx, operation 11 as EcDoRpcExt2, and operation 14 as EcDoAsyncConnectEx. However, nobody's taken the time to add those to the mapi.idl file in the Wireshark source and rebuild the dissector.
Expecting Wireshark (or any network analyzer) to fully dissect every protocol you see on a network is unrealistic, given that 1) not all protocols are publicly documented and 2) developers' time is limited.
answered 21 Nov '13, 17:02
Guy Harris ♦♦
edited 23 Nov '13, 17:05
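To make the answer concrete, here is an added example (not code from Wireshark, the MAPI dissector, or either poster) that shows where the opnum behind "Unknown operation 11" actually sits: it is the 2-byte opnum field of a connection-oriented DCE/RPC request PDU, and Wireshark's dissector only has a name for it if that opnum is in mapi.idl. The script parses request and response PDUs, labels requests from the three [MS-OXCRPC] names given in the answer (10, 11, 14; anything else is printed Wireshark-style as "Unknown operation N"), and names responses by pairing them with the request carrying the same call_id, since response PDUs carry no opnum at all. It assumes the raw PDU has already been pulled out of the transport (TCP or RPC over HTTP); the PDUs at the bottom are constructed by the builder functions for the example, not captured traffic.

```python
"""Parse DCE/RPC request/response PDUs and label MAPI opnums (added example)."""
import struct

# Opnum -> name, taken from the answer above (which cites [MS-OXCRPC]).
# Only the three opnums the page mentions are listed; extend from the spec.
MS_OXCRPC_OPNUMS = {
    10: "EcDoConnectEx",
    11: "EcDoRpcExt2",
    14: "EcDoAsyncConnectEx",
}

PTYPE_REQUEST = 0
PTYPE_RESPONSE = 2
PFC_OBJECT_UUID = 0x80  # request carries a 16-byte object UUID after opnum
COMMON_HDR_LEN = 16     # header fields shared by every connection-oriented PDU


def opnum_name(opnum):
    """Mimic Wireshark's Info column: a name if known, else 'Unknown operation N'."""
    return MS_OXCRPC_OPNUMS.get(opnum, "Unknown operation %d" % opnum)


def parse_pdu(pdu):
    """Parse one connection-oriented DCE/RPC PDU. Responses have no opnum field."""
    if len(pdu) < COMMON_HDR_LEN:
        raise ValueError("PDU shorter than the 16-byte common header")
    rpc_vers, ptype, pfc_flags = pdu[0], pdu[2], pdu[3]
    if rpc_vers != 5:
        raise ValueError("not a DCE/RPC 5.x PDU (rpc_vers=%d)" % rpc_vers)
    # drep[0] high nibble: 0 = big-endian integers, 1 = little-endian.
    endian = "<" if (pdu[4] >> 4) == 1 else ">"
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    if frag_length > len(pdu) or len(pdu) < 24:
        raise ValueError("PDU truncated (frag_length=%d, have %d)" % (frag_length, len(pdu)))
    info = {"ptype": ptype, "call_id": call_id, "opnum": None, "operation": None}

    if ptype == PTYPE_REQUEST:
        _alloc_hint, context_id, opnum = struct.unpack(endian + "IHH", pdu[16:24])
        stub_start = 24 + (16 if pfc_flags & PFC_OBJECT_UUID else 0)
        info.update(context_id=context_id, opnum=opnum, operation=opnum_name(opnum))
    elif ptype == PTYPE_RESPONSE:
        _alloc_hint, context_id, _cancel_count = struct.unpack(endian + "IHB", pdu[16:23])
        stub_start = 24
        info.update(context_id=context_id)
    else:
        raise ValueError("unsupported ptype %d (only request/response handled)" % ptype)

    # Stub data runs to the end of the fragment; if an auth trailer is present
    # it is the 8-byte sec_trailer plus auth_length bytes of auth value.
    stub_end = frag_length - (8 + auth_length if auth_length else 0)
    info["stub"] = pdu[stub_start:stub_end]
    return info


def summarize(packets):
    """Wireshark-style Info lines for (src, dst, pdu) tuples; responses named via call_id."""
    pending, lines = {}, []
    for src, dst, pdu in packets:
        info = parse_pdu(pdu)
        if info["ptype"] == PTYPE_REQUEST:
            pending[info["call_id"]] = info["operation"]
            name, kind = info["operation"], "request"
        else:
            name, kind = pending.pop(info["call_id"], "Unmatched"), "response"
        lines.append("%s -> %s MAPI %s %s (call_id %d, %d stub bytes)"
                     % (src, dst, name, kind, info["call_id"], len(info["stub"])))
    return lines


def _common_header(ptype, flags, frag_length, call_id, little_endian):
    endian = "<" if little_endian else ">"
    drep = bytes([0x10 if little_endian else 0x00, 0, 0, 0])
    return bytes([5, 0, ptype, flags]) + drep + struct.pack(endian + "HHI", frag_length, 0, call_id)


def build_request(opnum, call_id, stub, little_endian=True, object_uuid=None):
    """Constructed request PDU for the example (not a captured packet)."""
    endian = "<" if little_endian else ">"
    flags = 0x03 | (PFC_OBJECT_UUID if object_uuid else 0)  # first | last fragment
    body = struct.pack(endian + "IHH", len(stub), 0, opnum) + (object_uuid or b"") + stub
    return _common_header(PTYPE_REQUEST, flags, COMMON_HDR_LEN + len(body), call_id, little_endian) + body


def build_response(call_id, stub, little_endian=True):
    """Constructed response PDU: alloc_hint, context_id, cancel_count, reserved, stub."""
    endian = "<" if little_endian else ">"
    body = struct.pack(endian + "IHBB", len(stub), 0, 0, 0) + stub
    return _common_header(PTYPE_RESPONSE, 0x03, COMMON_HDR_LEN + len(body), call_id, little_endian) + body


# Constructed sample traffic in the shape of the question's packet list.
SAMPLE_PACKETS = [
    ("10.2.2.16", "10.2.2.3", build_request(11, 1, b"\x00" * 32)),
    ("10.2.2.3", "10.2.2.16", build_response(1, b"\x00" * 16)),
    ("10.2.2.16", "10.2.2.3", build_request(10, 2, b"\x01\x02", little_endian=False)),
    ("10.2.2.16", "10.2.2.3", build_request(2, 3, b"")),  # opnum not in our table
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_PACKETS):
        print(line)
```

The fourth sample packet is the interesting one: the parser sees a perfectly valid PDU but has no name for opnum 2, so it prints "Unknown operation 2 request", which is exactly the situation the answer describes. Adding a name to the table is the script-sized equivalent of adding the operation to mapi.idl and rebuilding the dissector.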