What does this packet capture between PC and Exchange server mean?

Posted on 2005-03-24
Last Modified: 2013-12-23
Recently while using ethereal we came across this conversation between a user PC with XP and our Exchange server.  I am looking to understand what the conversation is about.  This is only a sampling of 100 lines in the order they occurred.  I would like to hear from someone who is knowledgeable in these matters and not just guessing what might be going on.  This capture took place when the user was not using their PC.  Feel free to request more information.

Source          Destination      Protocol Info
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190688 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190688 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190688 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190688 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190689 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190689 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190689 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190689 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190690 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190690 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190690 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190690 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190691 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190691 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190691 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937973971 Ack=1945378387 Win=8488 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937975431 Ack=1945378387 Win=8488 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [PSH, ACK] Seq=937976891 Ack=1945378387 Win=8488 Len=1460
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190691 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [PSH, ACK] Seq=937979811 Ack=1945378387 Win=8488 Len=124
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190691 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937973971 Ack=1945378387 Win=8488 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937975431 Ack=1945378387 Win=8488 Len=1460
XXX.46.32.215   XX.5.80.40       TCP      1936 > 1060 [ACK] Seq=1945378387 Ack=937975431 Win=64512 Len=0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [PSH, ACK] Seq=937976891 Ack=1945378387 Win=8488 Len=1460
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190691 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [PSH, ACK] Seq=937979811 Ack=1945378387 Win=8488 Len=124
XXX.46.32.215   XX.5.80.40       TCP      1936 > 1060 [ACK] Seq=1945378387 Ack=937975431 Win=64512 Len=0
XXX.46.32.215   XX.5.80.40       TCP      1936 > 1060 [ACK] Seq=1945378387 Ack=937978351 Win=64512 Len=0
XXX.46.32.215   XX.5.80.40       TCP      1936 > 1060 [ACK] Seq=1945378387 Ack=937979935 Win=64512 Len=0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190692 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       TCP      1936 > 1060 [ACK] Seq=1945378387 Ack=937978351 Win=64512 Len=0
XXX.46.32.215   XX.5.80.40       TCP      1936 > 1060 [ACK] Seq=1945378387 Ack=937979935 Win=64512 Len=0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190692 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190692 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190692 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190693 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190693 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190693 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190693 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190694 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190694 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190694 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190694 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190695 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190695 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190695 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190695 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 33679 opnum: 7 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 33679 opnum: 7 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 33679 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 33679 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 33680 opnum: 9 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 33680 opnum: 9 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 33680 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 33680 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190696 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190696 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190696 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190696 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190697 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190697 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190697 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190697 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190698 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190698 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190698 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190698 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190699 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190699 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190699 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190699 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190700 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190700 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190700 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190700 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190701 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190701 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190701 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190701 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190702 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190702 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190702 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190702 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190703 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190703 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190703 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190703 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190704 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190704 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190704 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937983155 Ack=1945379939 Win=8472 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937984615 Ack=1945379939 Win=8472 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [PSH, ACK] Seq=937986075 Ack=1945379939 Win=8472 Len=1460
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190704 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937988995 Ack=1945379939 Win=8472 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937990455 Ack=1945379939 Win=8472 Len=1460
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [PSH, ACK] Seq=937991915 Ack=1945379939 Win=8472 Len=1460
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190704 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937994835 Ack=1945379939 Win=8472 Len=1460
Question by:dalva
Accepted Solution by: marc_nivens (earned 500 total points), ID: 13624874
What you're seeing is RPC traffic with some TCP acks. None of the RPC packets appear to be endpoint mapper searches or other endpoint binds, so it's most likely just normal client/server traffic. Since RPC traffic is encrypted you're not going to be able to get much out of it, other than the fact that they're talking. I know that's probably not the answer you're looking for, but trust me, I've read hundreds of outlook/exchange RPC traces. If you're looking to analyze this type of traffic, net traces aren't going to work; you'll need to run an RPC client trace (MS can give you the files to do this).
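A small script, added here as an illustration and not posted by anyone in this thread, that reads lines in the same column layout as the capture above and produces the summary the accepted answer gives informally: which opnums appear, whether any bind packets show up, which call_ids never received a response, how many TCP payload bytes flowed each way, and how many consecutive duplicate lines were present (in the capture above every packet is listed twice, which is usually a capture-point artifact rather than real retransmission). The sample input is constructed, and the "Bind"/"Alter_context" labels for bind packets are assumed.

```python
import re
from collections import Counter

# Constructed sample in the same column layout as the capture in the question.
SAMPLE = """\
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190688 opnum: 2 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 190688 opnum: 2 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 190688 ctx_id: 0
XX.5.80.40      XXX.46.32.215    TCP      1060 > 1936 [ACK] Seq=937973971 Ack=1945378387 Win=8488 Len=1460
XXX.46.32.215   XX.5.80.40       DCERPC   Request: call_id: 33679 opnum: 7 ctx_id: 0
XX.5.80.40      XXX.46.32.215    DCERPC   Response: call_id: 33679 ctx_id: 0
XXX.46.32.215   XX.5.80.40       DCERPC   Bind: call_id: 1
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")        # src dst proto info
RPC_RE = re.compile(r"^(\w+):\s+call_id:\s+(\d+)(?:\s+opnum:\s+(\d+))?")
TCP_LEN_RE = re.compile(r"Len=(\d+)")

def summarize(text):
    """Summarize a text capture: TCP payload bytes per direction, opnum
    histogram, bind count, unanswered call_ids, dropped duplicate lines."""
    stats = {"tcp_bytes": Counter(), "opnums": Counter(),
             "binds": 0, "duplicates": 0}
    requests, responses = set(), set()
    prev = None
    for line in text.splitlines():
        if line == prev:                 # identical consecutive line: likely
            stats["duplicates"] += 1     # seen twice at the capture point
            continue
        prev = line
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, proto, info = m.groups()
        if proto == "TCP":
            n = TCP_LEN_RE.search(info)
            stats["tcp_bytes"][f"{src}->{dst}"] += int(n.group(1)) if n else 0
        elif proto == "DCERPC":
            r = RPC_RE.match(info)
            if not r:
                continue
            kind, call_id, opnum = r.groups()
            if kind == "Request":
                requests.add(call_id)
                stats["opnums"][int(opnum)] += 1
            elif kind == "Response":
                responses.add(call_id)
            elif kind in ("Bind", "Alter_context"):   # assumed labels
                stats["binds"] += 1
    stats["unanswered"] = sorted(requests - responses)
    return stats
```

A call_id that stays in `unanswered`, or a non-zero `binds` count in a window where the client was idle, is the kind of thing worth a second look; a steady stream of answered opnum 2 calls is what the accepted answer calls ordinary client/server traffic.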
Author Comment by: dalva, ID: 13625082
This capture was done from a location which would capture all conversations between the server and many other PCs.  The disturbing part is this PC consistently has much more traffic than any other PC.  I thought the PC might be a spam zombie.  I will wait a few days before closing out.  Any other perspectives out there?
Expert Comment by: marc_nivens, ID: 13625159
A few explanations I can think of are:

- Other clients are in cached mode, this one is not
- Free/Busy update interval is lower on this client
- This client gets more mail than other users
