dce_rpc_request lacks useful data #257

hosom opened this Issue Jan 28, 2019 · 2 comments



hosom commented Jan 28, 2019

It looks like the operation and endpoint are not assigned to the rpc operation until the response. I'm not certain if I'm missing a subtlety here, but would it make more sense to add these fields to the record on the request?



jsiwek commented Jan 29, 2019

It's been a while since I looked at the protocol and don't know it well to any significant depth, but going from memory and my skim just now, it seems like we don't have the info with just a dce_rpc_request event -- i.e. the endpoint binding is independent of the request, so you can see we get a uuid in either dce_rpc_bind or dce_rpc_alter_context events and map it to an endpoint at that time. A subsequent dce_rpc_request will have that information (unless maybe we missed the packets containing the binding info or else the client never actually sent it).

Please feel free to dig a bit to see if an improvement is possible, else close the issue if that explanation is accurate.
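The binding-then-request state tracking described in the comment above, modelled as an added Python example (not Zeek's code and not written by either commenter). The event tuple layout, the context-id key and the two small lookup tables are assumptions constructed for illustration; only the event names come from the thread.

```python
# Constructed lookup tables for this example only.
UUID_TO_ENDPOINT = {
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": "srvsvc",
    "12345778-1234-abcd-ef00-0123456789ac": "samr",
}
OPERATIONS = {("srvsvc", 15): "NetrShareEnum", ("samr", 0): "SamrConnect"}


class RpcTracker:
    """Remembers which interface UUID each (connection, context id) was bound to."""

    def __init__(self):
        self.bindings = {}  # (uid, ctx_id) -> interface UUID

    def on_bind(self, uid, ctx_id, uuid):
        # dce_rpc_bind and dce_rpc_alter_context both establish a binding.
        self.bindings[(uid, ctx_id)] = uuid.lower()

    def on_request(self, uid, ctx_id, opnum):
        # Resolve at request time; fields stay None when the bind was never seen.
        uuid = self.bindings.get((uid, ctx_id))
        if uuid is None:
            return {"uid": uid, "opnum": opnum, "endpoint": None, "operation": None}
        endpoint = UUID_TO_ENDPOINT.get(uuid, uuid)  # fall back to the raw UUID
        operation = OPERATIONS.get((endpoint, opnum), f"unknown-{opnum}")
        return {"uid": uid, "opnum": opnum, "endpoint": endpoint, "operation": operation}


def replay(events):
    """Feed (event name, uid, ctx_id, uuid-or-opnum) tuples; return one row per request."""
    tracker, rows = RpcTracker(), []
    for kind, uid, ctx_id, value in events:
        if kind in ("dce_rpc_bind", "dce_rpc_alter_context"):
            tracker.on_bind(uid, ctx_id, value)
        elif kind == "dce_rpc_request":
            rows.append(tracker.on_request(uid, ctx_id, value))
    return rows


# Constructed event stream: C1 binds before each request, C2's bind was not captured.
SAMPLE_EVENTS = [
    ("dce_rpc_bind", "C1", 0, "4B324FC8-1670-01D3-1278-5A47BF6EE188"),
    ("dce_rpc_request", "C1", 0, 15),
    ("dce_rpc_alter_context", "C1", 1, "12345778-1234-abcd-ef00-0123456789ac"),
    ("dce_rpc_request", "C1", 1, 0),
    ("dce_rpc_request", "C2", 0, 15),
]

if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS):
        print(row)
```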


Contributor Author

hosom commented Jan 29, 2019

I'll dig into this with some test captures using dump events and see what I can come up with.
