Priscilla,
thanks for the quick reply :)

yes, so far all 3 sniffers haven't revealed much [ethereal, sniffer, & my
fav: etherpeek-nx]

all show the decodes for RPC, but this is a Win2k box talking MS-RPC [port
135, initially]

somehow, someway an upper port is getting assigned [4541 for example] from
the server

anywho, I'm t/s the win2k-box talking to vpn clients [also Wintel] and there
seem to be a large number of tcp-rst happening on the higher ports upon
initial connection ::: syn, rst, syn, rst

I don't think it's black-hat activity as it was the users complaining...so
I'm just trying to make sure the client is communicating "back" on the
proper port the server assigned...but I can't seem to nail down where the
port is in the payload...

I do see the server send to the client the server's IP address, but in
"character format" [which to me is crazy] so the server sends "31 00 30 00
2e 00 31 00 30 00 2e 00 31 00 30 00 2e 00 33 00 36 00" for "10.10.10.36" 31
being the hex equiv of the ascii char "1", 00 being the buffer space, 30
being the "0" and 2e being the "." of the "10."

man, gives new respect to the folks who do reverse eng. :)

I'll keep hacking at it... but I'm still hoping for a URL :)

TroyC


-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 3:10 PM
To: [EMAIL PROTECTED]
Subject: RE: RPC Endpoint Mapper [7:63916]


In the olden days, in a Unix world, RPC required PortMapper. Maybe you
could look that up? Not sure if there's a space, i.e. Port Mapper. I don't
think there is.

It's a separate protocol for assigning port numbers. You should see evidence
of it on your Sniffer if it still exists.

What operating system are you talking about? Windows does RPC too but I
don't know it very well.

Priscilla

COULOMBE, TROY wrote:
> 
> Anyone know of a good resource on RPC endpoint mapper?  I'm trying to find
> where in the packet the server tells the client which [new] port to come
> back on.  Using a sniffer, but I can't seem to nail down where in the payload
> the "future" port is passed to the client.
> 
> a google search of "rpc endpoint mapper sniffer" has resulted in a lot of
> conversations about how RPC works, but not at the packet level :(
> 
> don't mind RTFMing...but so far I can't find a good URL
> 
> at least the FTP protocol "states" which port :)
> 
> Thanks,
> TroyC




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63930&t=63916
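
Added example, not part of the original thread: a small scanner that pulls wide-character (UTF-16LE) strings out of a raw payload, the encoding described above for "10.10.10.36", and reports any IPv4 address it finds. It also accepts a trailing "[port]", the host[port] string-binding notation used by DCE/RPC; whether the capture discussed here carries the port that way is an assumption, and the filler bytes and the second sample are constructed.

```python
import re

# The 22 bytes quoted in the thread for "10.10.10.36".
QUOTED = bytes.fromhex(
    "31 00 30 00 2e 00 31 00 30 00 2e 00 31 00 30 00 2e 00 33 00 36 00")

# Constructed filler so the scanner has non-text bytes to skip over.
PREFIX = b"\x05\x00\x02\x03\x07\x00"
SAMPLE_IP_ONLY = PREFIX + QUOTED + b"\x00\x00"
# Constructed: same address with a bracketed endpoint (assumed form),
# using the example port 4541 mentioned in the thread.
SAMPLE_WITH_PORT = (PREFIX + "10.10.10.36[4541]".encode("utf-16-le")
                    + b"\x00\x00")

# A printable ASCII character in UTF-16LE is that byte followed by 0x00.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# Dotted quad, optionally followed by [port].
ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?:\[(\d{1,5})\])?")


def wide_strings(payload):
    """Yield (byte_offset, text) for each run of wide printable characters."""
    for m in WIDE_RUN.finditer(payload):
        yield m.start(), m.group().decode("utf-16-le")


def find_endpoints(payload):
    """Return [(byte_offset, ip, port_or_None)] for wide-character IPv4 strings."""
    hits = []
    for offset, text in wide_strings(payload):
        for m in ENDPOINT.finditer(text):
            port = int(m.group(2)) if m.group(2) else None
            # Each character occupies two bytes in the payload.
            hits.append((offset + 2 * m.start(), m.group(1), port))
    return hits


if __name__ == "__main__":
    for name, data in (("ip only", SAMPLE_IP_ONLY),
                       ("with port", SAMPLE_WITH_PORT)):
        for offset, ip, port in find_endpoints(data):
            print(f"{name}: offset {offset}: {ip} port={port}")
```

Feed it the TCP payload bytes exported from the sniffer; the reported offset is where the wide string starts within that payload.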