64bit Exchange Server RPC EPM request format

  • Question

  • Hi Experts,

     

    I have an RPC packet capture file; NDR64 transfer syntax is used.

    According to the decoding result of Network Monitor, I can see that the tower length is 8 bytes in the packet. However, from the definition on MSDN, we can see that tower_length is unsigned long, so this should be 4 bytes in the packet, right?

    Is it possible that the definition is kind of obsolete? Or did I miss something about the NDR64 marshaling engine?

     

    typedef struct {
      [range(0,2000)] unsigned long tower_length;  <==== unsigned long type
      [size_is(tower_length)] BYTE tower_octet_string[];
    } twr_t,
     *twr_p_t;

     

     

      Frame: Number = 185, Captured Frame Length = 222, MediaType = ETHERNET
    + Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-10-DB-FF-21-50],SourceAddress:[00-50-56-80-00-18]
    + Ipv4: Src = 10.11.9.20, Dest = 10.3.16.21, Next Protocol = TCP, Packet ID = 5611, Total IP Length = 208
    + Tcp: Flags=...AP..., SrcPort=14831, DstPort=DCE endpoint resolution(135), PayloadLen=168, Seq=4048780368 - 4048780536, Ack=1222423542, Win=63960 (scale factor 0x0) = 63960
    - Msrpc: c/o Request: EPT(EPMP) {E1AF8308-5D1F-11C9-91A4-08002B14A0FA}  Call=0x7  Opnum=0x3  Context=0x1  Hint=0x90 
      + Request: 
    - Epm: Request: ept_map: NDR, {37FC1B02-DA36-4B27-A745-BF2F58A98FF6} v3.0, RPC v5, 0.0.0.0:135 (0x87) [DCE endpoint resolution(135)]
      + Object: {00000000-0000-0000-0000-000000000000}
      - MapTower: Pointer To 0x0000000000000002
       - TwrTPointer: Pointer To 0x0000000000000002
          ReferentID: 0x0000000000000002
       - Tower: NDR, {37FC1B02-DA36-4B27-A745-BF2F58A98FF6} v3.0, RPC v5, 0.0.0.0:135 (0x87) [DCE endpoint resolution(135)]
        + Length: 75 Elements  <---- this is 8 bytes(64bit)
          TowerLength: 75 (0x4B)
        - Floors: NDR, {37FC1B02-DA36-4B27-A745-BF2F58A98FF6} v3.0, RPC v5, 0.0.0.0:135 (0x87) [DCE endpoint resolution(135)]
           FloorCount: 5 (0x5)
         + InterfaceIdentifier: {37FC1B02-DA36-4B27-A745-BF2F58A98FF6} v3.0
         + DataRepresentation: UUID NDR {8A885D04-1CEB-11C9-9FE8-08002B104860} v2.0
         + ProtocolIdentifier: RPC Connection-oriented v5.0
         + PortAddr: port: 135 (0x87) [DCE endpoint resolution(135)], type: DOD TCP port
         + HostAddr: address: 0.0.0.0, type: DOD IP v4 big-endian
      + Pad: 1 Bytes
      + EntryHandle: 0x1
        MaxTowers: 4 (0x4)

     

    Thursday, September 15, 2011 6:39 AM

Answers

  • Hi Tawler:

    The tower_length is 32 bit in NDR64 as well, as you mentioned in MS-RPCE. I also confirmed that Netmon version 3.4 parses the ept_map request correctly and shows it as 4 bytes. Netmon shows the parameter of method ept_map in the network traces, as shown in MS-RPCE, section 2.2.1.2.5.

    Please upgrade to the latest version of Netmon. If you still observe the same behavior, please send the network trace to my attention to dochelp <at> Microsoft <dot> com.
    Regards, Obaid Farooqi
    Sunday, September 18, 2011 4:28 PM
    Owner

All replies

  • Hi Tawler:

    I have alerted the protocol documentation team regarding your inquiry. A member of the team will be in touch soon.


    Regards, Obaid Farooqi
    Thursday, September 15, 2011 8:46 PM
    Owner
  • Hi Tawler:

    I will look into this issue and will be in touch through this thread as soon as I have an answer.


    Regards, Obaid Farooqi
    Friday, September 16, 2011 3:48 PM
    Owner
  • An unsigned long is 32 bits - unchanged from C706. It doesn't matter what the server architecture is (obviously, since this is wire protocol). hyper is the 64 bit version.

    Trust this helps.

    Brad

    Friday, September 16, 2011 11:36 PM
  • Hi Obaid,
    Thank you for the response. I have checked MS-RPCE and figured out that:
    Length: 75 Elements  <---- this is 8 bytes(64bit)
    this is not the member variable tower_length but the array size of tower_octet_string[] (opaque conformant byte array).
    It should be 8 bytes in NDR64.

    Thank you again.  :-)


    Tuesday, September 20, 2011 4:53 AM
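
The layout the thread arrives at, as an added example that is not part of the original posts: the conformance (max count) of tower_octet_string[] is 8 bytes in NDR64 and 4 bytes in NDR, while tower_length stays 4 bytes in both. The function names are hypothetical, little-endian data representation is assumed, the buffer is assumed to start right after the pointer's referent ID, and the sample tower is constructed from the field values shown in the trace.

```python
import struct
import uuid

def walk_floors(tower: bytes) -> list:
    """Split tower_octet_string into (lhs, rhs) floors; each side has a 2-byte LE length."""
    try:
        (count,) = struct.unpack_from("<H", tower, 0)
        off, floors = 2, []
        for _ in range(count):
            sides = []
            for _side in ("lhs", "rhs"):
                (n,) = struct.unpack_from("<H", tower, off)
                sides.append(tower[off + 2:off + 2 + n])
                off += 2 + n
            floors.append(tuple(sides))
    except struct.error:
        raise ValueError("floor header runs past end of tower") from None
    if off != len(tower):
        raise ValueError("floors do not consume exactly tower_length bytes")
    return floors

def parse_twr_t(buf: bytes, ndr64: bool) -> dict:
    """Parse a twr_t referent (the bytes following the pointer's referent ID)."""
    # Conformance (max count) of tower_octet_string[]: 8 bytes in NDR64, 4 in NDR.
    fmt = "<Q" if ndr64 else "<I"
    width = struct.calcsize(fmt)
    if len(buf) < width + 4:
        raise ValueError("truncated twr_t header")
    (max_count,) = struct.unpack_from(fmt, buf, 0)
    # tower_length is an unsigned long: 4 bytes in both transfer syntaxes.
    (tower_length,) = struct.unpack_from("<I", buf, width)
    if tower_length > 2000 or max_count != tower_length:
        raise ValueError("bad tower_length or conformance mismatch")
    tower = buf[width + 4:width + 4 + tower_length]
    if len(tower) != tower_length:
        raise ValueError("truncated tower_octet_string")
    return {"conformance_bytes": width, "tower_length": tower_length,
            "floors": walk_floors(tower)}

def floor(lhs: bytes, rhs: bytes) -> bytes:
    return struct.pack("<H", len(lhs)) + lhs + struct.pack("<H", len(rhs)) + rhs
# Constructed sample: the five floors listed in the trace above (75 bytes).
IFACE = uuid.UUID("37FC1B02-DA36-4B27-A745-BF2F58A98FF6").bytes_le
NDR = uuid.UUID("8A885D04-1CEB-11C9-9FE8-08002B104860").bytes_le
SAMPLE_TOWER = (struct.pack("<H", 5)
                + floor(b"\x0d" + IFACE + struct.pack("<H", 3), bytes(2))
                + floor(b"\x0d" + NDR + struct.pack("<H", 2), bytes(2))
                + floor(b"\x0b", bytes(2)) + floor(b"\x07", struct.pack(">H", 135))
                + floor(b"\x09", bytes(4)))
```

Parsing an NDR64 buffer with the 4-byte NDR conformance width reads the upper half of the 64-bit count as tower_length, so the consistency check rejects it instead of silently mis-decoding the tower.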