This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

decode RPC net_logon


Hello, I work in a shop that uses Wireshark to support a product, and we use the RPC Net_logon decode function frequently to tell if the domain controller is responding as expected. As of 1.12 this function seems to have disappeared. It is not vital for us to update to 1.12, but it would be nice to know where this useful function went.

asked 05 Aug '14, 11:24

jmadsen
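The question relies on Wireshark's DCE-RPC decode to see whether the DC answers Netlogon calls. The following is an added example, not code from the page or from Wireshark: a small Python parser that does the core of what the DCE-RPC "Decode As" mapping does, namely read the bind PDU, match the abstract syntax UUID and major version to an interface (Netlogon's is 12345678-1234-abcd-ef00-01234567cffb, v1.0, per MS-NRPC), and label the opnums of later requests on that context. The interface UUIDs and Netlogon opnum names are taken from the Microsoft protocol specifications; the sample bind and request PDUs are constructed inside the block; only little-endian NDR (what Windows emits) is handled, and the bind_ack is not consulted, so a rejected context would still be listed.

```python
"""Identify the DCE-RPC interface a client binds to, and the opnum of a
request, from raw connection-oriented DCE-RPC PDUs (little-endian NDR only).
Added example; not Wireshark code."""
import struct
import uuid

# Abstract syntaxes (UUID, major version) from the Microsoft protocol specs.
KNOWN_INTERFACES = {
    (uuid.UUID("12345678-1234-abcd-ef00-01234567cffb"), 1): "NETLOGON (MS-NRPC)",
    (uuid.UUID("12345778-1234-abcd-ef00-0123456789ab"), 0): "LSARPC (MS-LSAD)",
    (uuid.UUID("12345778-1234-abcd-ef00-0123456789ac"), 1): "SAMR (MS-SAMR)",
    (uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188"), 3): "SRVSVC (MS-SRVS)",
}
NETLOGON_OPNUMS = {4: "NetrServerReqChallenge", 26: "NetrServerAuthenticate3",
                   39: "NetrLogonSamLogonEx"}
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR v2.0
PTYPE_REQUEST, PTYPE_BIND = 0, 11


def parse_header(pdu):
    """Parse the 16-byte common header (rpc_vers, ptype, drep, frag_length...)."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than DCE-RPC common header")
    rpc_vers, ptype, pfc_flags = pdu[0], pdu[2], pdu[3]
    if rpc_vers != 5:
        raise ValueError("not a connection-oriented DCE-RPC v5 PDU")
    if (pdu[4] >> 4) != 1:  # drep byte 0, high nibble: 1 = little-endian integers
        raise NotImplementedError("only little-endian NDR is handled here")
    frag_length, auth_length, call_id = struct.unpack_from("<HHI", pdu, 8)
    if frag_length > len(pdu):  # truncated capture or bogus length: refuse, don't misread
        raise ValueError("frag_length %d exceeds buffer of %d bytes" % (frag_length, len(pdu)))
    return {"ptype": ptype, "pfc_flags": pfc_flags, "frag_length": frag_length,
            "auth_length": auth_length, "call_id": call_id}


def accepts(pdu):
    """True if the common header parses; used to show that truncation is rejected."""
    try:
        parse_header(pdu)
        return True
    except (ValueError, NotImplementedError):
        return False


def _read_syntax(pdu, off):
    """p_syntax_id_t: 16-byte UUID in NDR little-endian layout + major/minor u16."""
    if off + 20 > len(pdu):
        raise ValueError("truncated syntax id at offset %d" % off)
    iface = uuid.UUID(bytes_le=bytes(pdu[off:off + 16]))
    major, minor = struct.unpack_from("<HH", pdu, off + 16)
    return iface, major, minor


def parse_bind(pdu):
    """Return (header, contexts); each context names the requested interface."""
    hdr = parse_header(pdu)
    if hdr["ptype"] != PTYPE_BIND:
        raise ValueError("ptype %d is not a bind" % hdr["ptype"])
    n_ctx = pdu[24]  # follows max_xmit_frag, max_recv_frag, assoc_group_id
    off = 28         # n_context_elem plus 3 reserved bytes
    contexts = []
    for _ in range(n_ctx):
        ctx_id, n_xfer = struct.unpack_from("<HB", pdu, off)
        off += 4     # ctx_id, n_transfer_syn, 1 reserved byte
        iface, major, minor = _read_syntax(pdu, off)
        off += 20
        transfer = []
        for _ in range(n_xfer):
            transfer.append(_read_syntax(pdu, off))
            off += 20
        contexts.append({"ctx_id": ctx_id, "version": "%d.%d" % (major, minor),
                         "interface": KNOWN_INTERFACES.get((iface, major), str(iface)),
                         "ndr": any(t[0] == NDR_TRANSFER_SYNTAX for t in transfer)})
    return hdr, contexts


def parse_request(pdu):
    """Return (header, ctx_id, opnum) for a request PDU."""
    hdr = parse_header(pdu)
    if hdr["ptype"] != PTYPE_REQUEST:
        raise ValueError("ptype %d is not a request" % hdr["ptype"])
    _alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", pdu, 16)
    return hdr, ctx_id, opnum


def describe(pdus):
    """Label PDUs the way an interface-aware decode would: bind contexts, then
    requests resolved through the context they were bound on."""
    bound, out = {}, []
    for pdu in pdus:
        ptype = parse_header(pdu)["ptype"]
        if ptype == PTYPE_BIND:
            for ctx in parse_bind(pdu)[1]:
                bound[ctx["ctx_id"]] = ctx["interface"]
                out.append("bind ctx %d -> %s v%s%s" % (ctx["ctx_id"], ctx["interface"],
                           ctx["version"], "" if ctx["ndr"] else " (no NDR transfer syntax)"))
        elif ptype == PTYPE_REQUEST:
            _, ctx_id, opnum = parse_request(pdu)
            iface = bound.get(ctx_id, "unbound context")
            name = "opnum %d" % opnum
            if iface.startswith("NETLOGON"):
                name = NETLOGON_OPNUMS.get(opnum, name)
            out.append("request ctx %d -> %s %s" % (ctx_id, iface, name))
    return out


# Constructed fixtures (not captured traffic): a bind to Netlogon v1.0 over NDR
# and a request for opnum 4 on that context.
def build_pdu(ptype, call_id, body):
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, call_id)  # pfc 0x03 = first|last frag
    return hdr + body


def build_bind_body(interfaces):
    body = struct.pack("<HHI", 5840, 5840, 0)           # frag sizes, assoc group
    body += struct.pack("<BBH", len(interfaces), 0, 0)  # n_context_elem + padding
    for ctx_id, (iface, major) in enumerate(interfaces):
        body += struct.pack("<HBB", ctx_id, 1, 0)       # one transfer syntax
        body += iface.bytes_le + struct.pack("<HH", major, 0)
        body += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    return body


NETLOGON_UUID = uuid.UUID("12345678-1234-abcd-ef00-01234567cffb")
SAMPLE_BIND = build_pdu(PTYPE_BIND, 1, build_bind_body([(NETLOGON_UUID, 1)]))
SAMPLE_REQUEST = build_pdu(PTYPE_REQUEST, 2, struct.pack("<IHH", 0, 0, 4))

if __name__ == "__main__":
    for line in describe([SAMPLE_BIND, SAMPLE_REQUEST]):
        print(line)
```

Running the block prints one line for the bind context and one for the request, resolved to NetrServerReqChallenge. To apply it to real traffic, feed it the TCP payload (or the SMB named-pipe payload for \PIPE\NETLOGON) one PDU at a time; frag_length in the header tells you where each PDU ends. The truncation check matters on real captures, where a snaplen-cut frame would otherwise be misread as a short bind.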

and we use the RPC Net_logon decode function frequently to tell

could you please add more details? Is that a function in the wireshark source code, or a display filter (if so, which one), or something totally different?

(10 Aug '14, 08:24) Kurt Knochner ♦

Not sure if it is a function of the source code, but there used to be a way to use "decode as" to specify how you wanted RPC calls to be examined and interpreted that seems to be missing now. It may have been we were one of the few places that needed to examine RPC in detail, but it is a rather important function for us, so we will be holding off on updating until we find out what happened to this function.

(11 Aug '14, 06:34) jmadsen

can you provide a small sample capture file that works in 1.10.9 and does not work in 1.12.0? You can publish the capture file on google drive, dropbox or cloudshark.org and then post the link here.

(11 Aug '14, 06:46) Kurt Knochner ♦

I don't think a capture would illustrate my point, so I took screen shots of both and uploaded them to better explain what I am talking about.

Link to screen shot of 1.10 with the function: http://imgur.com/NTmDQFJ,pWHGofK#0

Link to screen shot of 1.12 without the function: http://imgur.com/NTmDQFJ,pWHGofK#1

Hope that helps.

(12 Aug '14, 11:45) jmadsen

One Answer:


There was a massive change to the "decode as" functionality.

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9450

Looks like the new way of "decode as" does not work properly for DCE-RPC. Please submit a notice to that bug and add as much information as possible (screenshots, link to this question, etc.)

Regards
Kurt

answered 12 Aug '14, 20:09

Kurt Knochner ♦

From the comments on the bug:

5. BER and DCERPC have more opportunity to use Decode As now that they are selected based on dissector presence, not packet_info values.

To get this investigated I'm almost certain the OP will have to provide a capture illustrating the issue. If the capture has sensitive information then it can be marked "private" such that only the core developers have access to it.

See the Reporting Bugs wiki page

(13 Aug '14, 03:53) grahamb ♦

The effect is also 'visible' with any one of the following DCE-RPC capture files.

http://wiki.wireshark.org/SampleCaptures#DCE.2FRPC_and_MSRPC-based_protocols

If you select one of the DCERPC frames, and choose "Decode as", the DCE-RPC tab is missing in 1.12.x, as shown in the screenshots of the OP.

(13 Aug '14, 05:36) Kurt Knochner ♦

Now in Bugzilla as bug 10368.

(13 Aug '14, 07:54) grahamb ♦