Solved

What does this packet capture between PC and Exchange server mean?

Posted on 2005-03-24
3
Medium Priority
562 Views
Last Modified: 2013-12-23
Recently, while using Ethereal, we came across this conversation between a user PC with XP and our Exchange server.  I am looking to understand what the conversation is about.  This is only a sampling of 100 lines in the order they occurred.  I would like to hear from someone who is knowledgeable in these matters and not just guessing what might be going on.  This capture took place when the user was not using their PC.  Feel free to request more information.

Source          Destination      Protocol Info
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190688 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190688 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190688 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190688 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190689 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190689 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190689 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190689 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190690 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190690 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190690 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190690 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190691 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190691 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190691 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937973971 Ack=1945378387 Win=8488 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937975431 Ack=1945378387 Win=8488 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [PSH, ACK] Seq=937976891 Ack=1945378387 Win=8488 Len=1460
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190691 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [PSH, ACK] Seq=937979811 Ack=1945378387 Win=8488 Len=124
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190691 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937973971 Ack=1945378387 Win=8488 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937975431 Ack=1945378387 Win=8488 Len=1460
XXX.46.32.215   XX.5.80.40       TCP      1936 > 1060 [ACK] Seq=1945378387 Ack=937975431 Win=64512 Len=0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [PSH, ACK] Seq=937976891 Ack=1945378387 Win=8488 Len=1460
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190691 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [PSH, ACK] Seq=937979811 Ack=1945378387 Win=8488 Len=124
XXX.46.32.215   XX.5.80.40       TCP      1936 > 1060 [ACK] Seq=1945378387 Ack=937975431 Win=64512 Len=0
XXX.46.32.215   XX.5.80.40       TCP      1936 > 1060 [ACK] Seq=1945378387 Ack=937978351 Win=64512 Len=0
XXX.46.32.215   XX.5.80.40       TCP      1936 > 1060 [ACK] Seq=1945378387 Ack=937979935 Win=64512 Len=0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190692 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       TCP      1936 > 1060 [ACK] Seq=1945378387 Ack=937978351 Win=64512 Len=0
XXX.46.32.215   XX.5.80.40       TCP      1936 > 1060 [ACK] Seq=1945378387 Ack=937979935 Win=64512 Len=0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190692 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190692 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190692 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190693 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190693 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190693 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190693 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190694 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190694 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190694 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190694 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190695 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190695 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190695 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190695 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 33679 opnum: 7 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 33679 opnum: 7 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 33679 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 33679 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 33680 opnum: 9 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 33680 opnum: 9 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 33680 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 33680 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190696 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190696 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190696 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190696 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190697 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190697 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190697 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190697 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190698 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190698 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190698 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190698 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190699 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190699 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190699 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190699 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190700 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190700 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190700 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190700 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190701 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190701 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190701 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190701 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190702 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190702 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190702 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190702 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190703 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190703 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190703 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190703 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190704 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190704 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190704 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937983155 Ack=1945379939 Win=8472 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937984615 Ack=1945379939 Win=8472 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [PSH, ACK] Seq=937986075 Ack=1945379939 Win=8472 Len=1460
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190704 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937988995 Ack=1945379939 Win=8472 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937990455 Ack=1945379939 Win=8472 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [PSH, ACK] Seq=937991915 Ack=1945379939 Win=8472 Len=1460
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190704 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937994835 Ack=1945379939 Win=8472 Len=1460
Question by:dalva
3 Comments
 
LVL 21

Accepted Solution

by:
marc_nivens earned 500 total points
ID: 13624874
What you're seeing is RPC traffic with some TCP acks.  None of the RPC packets appear to be endpoint mapper searches or other endpoint binds, so it's most likely just normal client/server traffic.  Since RPC traffic is encrypted you're not going to be able to get much out of it, other than the fact that they're talking.  I know that's probably not the answer you're looking for, but trust me, I've read hundreds of Outlook/Exchange RPC traces.  If you're looking to analyze this type of traffic, net traces aren't going to work... you'll need to run an RPC client trace (MS can give you the files to do this).
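To get the kind of facts the accepted answer relies on out of a pasted Ethereal summary (which opnums are being called, whether every call_id gets a response, how much TCP payload each side sends, and how many summary lines are exact repeats), here is an added Python example. It is not from the question or the answer; the capture text inside it is a constructed subset of the lines in the question, and the column format it parses is the one shown there.

```python
import re
from collections import Counter

# Constructed subset of the Ethereal summary lines from the question
# (same columns: source, destination, protocol, info).
CAPTURE = """\
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190691 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190691 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190691 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937973971 Ack=1945378387 Win=8488 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937973971 Ack=1945378387 Win=8488 Len=1460
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 33679 opnum: 7 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 33679 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190695 opnum: 2 ctx_id: 0
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(DCERPC|TCP)\s+(.*)$")
RPC = re.compile(r"(Request|Response): call_id: (\d+)(?: opnum: (\d+))?")
TCP = re.compile(r"Seq=(\d+) .*Len=(\d+)")


def summarize(text):
    """Summarize an Ethereal-style capture listing.

    Returns opnum counts for requests, call_ids that never got a response,
    TCP payload bytes per (src, dst) direction, and the number of summary
    lines that exactly repeat an earlier one (a retransmission, or a capture
    point that sees the same segment twice; the summary alone cannot tell).
    """
    opnums, payload = Counter(), Counter()
    requests, responses, seen = set(), set(), set()
    duplicates = 0
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or blank line
        src, dst, proto, info = m.groups()
        if (src, dst, info) in seen:
            duplicates += 1
            continue
        seen.add((src, dst, info))
        if proto == "DCERPC":
            kind, call_id, opnum = RPC.search(info).groups()
            if kind == "Request":
                requests.add(call_id)
                opnums[int(opnum)] += 1
            else:
                responses.add(call_id)
        else:  # TCP segment carrying RPC fragments; only Len= is visible here
            payload[(src, dst)] += int(TCP.search(info).group(2))
    return {"opnums": dict(opnums), "unanswered": sorted(requests - responses),
            "bytes": dict(payload), "duplicates": duplicates}
```

Run over the full 100-line sample this flags that the call_ids are answered in order, that opnum 2 dominates, and that nearly every line appears twice, which matters before comparing this PC's volume against other clients.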
LVL 1

Author Comment

by:dalva
ID: 13625082
This capture was done from a location which would capture all conversations between the server and many other PCs.  The disturbing part is this PC consistently has much more traffic than any other PC.  I thought the PC might be a spam zombie.  I will wait a few days before closing out.  Any other perspectives out there?
LVL 21

Expert Comment

by:marc_nivens
ID: 13625159
A few explanations I can think of are:

- Other clients are in cached mode, this one is not
- Free/Busy update interval is lower on this client
- This client gets more mail than other users

