Tim Potter <[EMAIL PROTECTED]> writes:
> SPOOLSS and WINREG dissectors. I would also like to rename the
> packet-dcerpc-nt.{c,h} files to packet-dcerpc-smb.{c,h} as it's a more
> appropriate name.

Actually, it's not. I.e., SMB is less accurate than NT, at least for
the NDR/DCERPC part of things. You typically see samr, lsarpc,
netlogon, and the rest done over SMB (the ncacn_np protocol sequence),
but they really have nothing to do with SMB, per se. E.g., I sent
Ronnie and Guy a trace of SAMR traffic going over UDP---no SMB at all.
In some non-default cases, you can even do SAMR traffic over port 80.
MS calls it ncacn_http, but it's really nothing more than ncacn_ip_tcp
proxied by IIS. See
http://razor.bindview.com/tools/desc/rpctools1.0-readme.html

You can also do things like SAMR traffic over the \lsarpc pipe (and
vice versa), and a number of other things that MS's clients don't
typically do.

Todd
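
Added example, not part of the original message and not Ethereal code: a minimal parser that identifies the interface from the abstract-syntax UUID in a connection-oriented DCE/RPC bind PDU, so the result is the same whichever transport or pipe name carried the bytes. The sample bind, the `make_bind` helper and the carrier labels are constructed for illustration; connectionless (UDP) PDUs use a different header and are not handled here.

```python
import struct
import uuid

# Well-known interface UUIDs for the interfaces named in this thread.
KNOWN = {
    uuid.UUID("12345778-1234-abcd-ef00-0123456789ac"): "samr",
    uuid.UUID("12345778-1234-abcd-ef00-0123456789ab"): "lsarpc",
    uuid.UUID("12345678-1234-abcd-ef00-01234567cffb"): "netlogon",
    uuid.UUID("12345678-1234-abcd-ef00-0123456789ab"): "spoolss",
    uuid.UUID("338cd001-2244-31f1-aaaa-900038001003"): "winreg",
}
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
PTYPE_BIND = 11

def bind_interfaces(pdu):
    """Return [(name, uuid, major)] for each presentation context in a bind PDU."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        raise ValueError("not a connection-oriented DCE/RPC bind PDU")
    little = (pdu[4] >> 4) == 1           # packed_drep: integer byte order
    end = "<" if little else ">"
    frag_len = struct.unpack_from(end + "H", pdu, 8)[0]
    if frag_len > len(pdu):
        raise ValueError("truncated PDU")
    found, off = [], 28                   # 16-byte header + 8 + 4 (context count)
    for _ in range(pdu[24]):
        if off + 24 > frag_len:
            raise ValueError("context list runs past frag_length")
        n_xfer = pdu[off + 2]
        raw = pdu[off + 4:off + 20]
        if_uuid = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        major = struct.unpack_from(end + "H", pdu, off + 20)[0]
        found.append((KNOWN.get(if_uuid, "unknown"), str(if_uuid), major))
        off += 24 + 20 * n_xfer           # skip the transfer syntaxes
    return found

def make_bind(if_uuid, major):
    """Constructed sample: a little-endian bind with one context, NDR transfer syntax."""
    ctx = struct.pack("<HBx", 0, 1) + if_uuid.bytes_le + struct.pack("<HH", major, 0)
    ctx += NDR.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHI", 4280, 4280, 0) + struct.pack("<Bxxx", 1) + ctx
    return struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 3, b"\x10\0\0\0",
                       16 + len(body), 0, 1) + body

SAMR = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")
# Constructed observations: the same bind bytes seen on three carriers.
CARRIERS = ["ncacn_np \\lsarpc", "ncacn_ip_tcp", "ncacn_http"]

if __name__ == "__main__":
    for carrier in CARRIERS:
        print(carrier, "->", bind_interfaces(make_bind(SAMR, 1)))
```

A dissector or detection rule that labels traffic by pipe name would call the first carrier "lsarpc"; keying on the bound interface UUID reports samr in all three cases.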