Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


RPCSniffer sniffs RPC messages in a given RPC server process.

sniffing example in spoolsv process

General Information

With RPCSniffer you can explore RPC Messages that present on Microsoft system. The data given for each RPC message contains the following details:

  • Type (Async/Sync , Request/Response)
  • Process number
  • Thread number
  • Procedure number
  • Transfer Info
    • GUID
    • RPC minor version
    • RPC major version
  • Interface Info
    • GUID
    • Dispatch table pointer
    • Dispatch table size
    • Dispatch table function pointer
  • Midl Info
    • Dispatch pointer
    • Server function address
  • RPC Flags
  • RPC Data

Install steps

  1. Install python 2.7 (64 bit)

  2. Install the latest Winappdbg python package

  3. Install Wireshark

  4. Intsall the latest Pyreshark python module for wireshark

  5. grab the file "pyreshark_rpc_dissector/" to "c:\Program Files\Wireshark\python\protocols"


  1. Start Wireshark from cmd and prepare it to use rpcsniffer's pipe
	"C:\Program Files\Wireshark\Wireshark.exe" -i \\.\pipe\RPCSniffer
  1. Run python with the server process to listen
    python --help
    usage: [-h] (-p PID | -n PROCNAME) error: one of the arguments -p/--pid -n/--procname is required
  1. go back to wireshark and click "start"
  2. from now you'll get all rpc messages in wireshark


Check the wiki for more info.


This project is a POC for now, but you can help me add some stunning features that will allow us to really understand RPC internals.

  • Dissect the rpc raw data (maybe by using the RPCView decompiler and find a MIDL-dissector?)
  • Integrate it with the wireshark midl-dissector itself
  • Retreive more data from the rpc message (I used REACTOS to parse the RPC MESSAGE). Can you find more usefull data from this windows struct?
  • ALPC sniffing
  • Record all RPC messages for fun and fuzzing

Anyway, I'd be more than happy to receive bug reports, suggestions and anything else.

Some Comments

  • It's very usefull to use the powerful and free tool called RPCView for finding interesting RPC server processes, decompile its interfaces and more. Take a look at


RPCSniffer sniffs WINDOWS RPC messages in a given RPC server process.



No releases published


No packages published