This post is an update to “RPC to Go v.1.” I assume that you have read v.1 and have a basic understanding of how the RPC protocol works. We’ll take a closer look at the architecture, End Point Mapper bind and the RPC bind. At the end there will be a list of common problems and troubleshooting tools. Going forward, these “RPC to Go” blogs may be used as a troubleshooting reference.
Architecture – Notice where Marshalling happens
While describing the RPC process in v.1 I mentioned marshalling only in passing; the RPC stubs and runtime API were explained. Marshalling determines how the data is represented on the wire. The network data representations (NDR) are NDR20 (32-bit OS) and NDR64 (64-bit OS). The NDR, or transfer syntax, is the common language of the client and server stubs. Although it rarely happens, there have been transfer syntax conflicts: for instance, the application presents the correct UUID to the endpoint mapper, but the transfer syntax is incorrect. The client then gets the error “The transfer syntax is not supported by the RPC server”.
Client connection to the End Point Mapper.
A connection to the End Point Mapper requires a bind and a map request.
Frame 4: Bind request to the EndPoint mapper
4 10:41:50.101297 10.32.30.66 10.1.200.2 DCERPC Bind: call_id: 1 EPMv4 V3.0
Transmission Control Protocol, Src Port: sdo (3635), Dst Port: epmap (135), Seq: 1060393319, Ack: 3285256023, Len: 72
The 32-bit NDR is presented in the request:
Transfer Syntax[1]: 8a885d04-1ceb-11c9-9fe8-08002b104860 V2
Frame 5: Bind_Ack from the EndPoint Mapper
5 10:41:50.102274 10.1.200.2 10.32.30.66 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840
Inside frame 5:
DCE/RPC Endpoint Mapper, Map Operation: Map (3) [Response in frame: 7]
  UUID pointer: Referent ID: 0x00000001
    UUID: 00000000-0000-0000-0000-000000000000
  Tower pointer: Referent ID: 0x00000002
    Length: 75
    Length: 75
    Number of floors: 5
    Floor 1 UUID: LSA
      LHS Length: 19
      Protocol: UUID (0x0d)
      UUID: LSA (12345778-1234-abcd-ef00-0123456789ab)
      Version 0.0
      RHS Length: 2
      Version Minor: 0
    Floor 2 UUID: Version 1.1 network data representation protocol
      LHS Length: 19
      Protocol: UUID (0x0d)
      UUID: Version 1.1 network data representation protocol (8a885d04-1ceb-11c9-9fe8-08002b104860)
      Version 2.0
      RHS Length: 2
      Version Minor: 0
    Floor 3 RPC connection-oriented protocol
      LHS Length: 1
      Protocol: RPC connection-oriented protocol (0x0b)
      RHS Length: 2
    Floor 4 TCP Port:135
      LHS Length: 1
      Protocol: DOD TCP (0x07)
      RHS Length: 2
      TCP Port: 135
    Floor 5 IP:0.0.0.0
      LHS Length: 1
      Protocol: DOD IP (0x09)
      RHS Length: 4
      IP: 0.0.0.0 (0.0.0.0)
  Handle: 0000000000000000000000000000000000000000
  Max Towers: 4
The Map Response. The port is populated in floor 4 and the IP address in floor 5 of the tower. Two separate towers are sent, each with floor 4 populated with a different port number. You will recall that only one port and one IP address can be sent per tower; multiple towers, however, can be sent in one Map Response.
DCE/RPC Endpoint Mapper, Map Operation: Map (3) [Request in frame: 6]
  Handle: 0000000000000000000000000000000000000000
  Num Towers: 2
  Tower array:
    Max Count: 4
    Offset: 0
    Actual Count: 2
    Tower pointer: Referent ID: 0x00000003
      Length: 75
      Length: 75
      Number of floors: 5
      Floor 1 UUID: LSA
        LHS Length: 19
        Protocol: UUID (0x0d)
        UUID: LSA (12345778-1234-abcd-ef00-0123456789ab)
        Version 0.0
        RHS Length: 2
        Version Minor: 0
      Floor 2 UUID: Version 1.1 network data representation protocol
        LHS Length: 19
        Protocol: UUID (0x0d)
        UUID: Version 1.1 network data representation protocol (8a885d04-1ceb-11c9-9fe8-08002b104860)
        Version 2.0
        RHS Length: 2
        Version Minor: 0
      Floor 3 RPC connection-oriented protocol
        LHS Length: 1
        Protocol: RPC connection-oriented protocol (0x0b)
        RHS Length: 2
      Floor 4 TCP Port:1600
        LHS Length: 1
        Protocol: DOD TCP (0x07)
        RHS Length: 2
        TCP Port: 1600  -- Port to use for application access
      Floor 5 IP:10.1.200.2
        LHS Length: 1
        Protocol: DOD IP (0x09)
        RHS Length: 4
        IP: 10.1.200.2 (10.1.200.2)  -- IP the application is listening on
    Tower pointer: Referent ID: 0x00000004
      Length: 75
      Length: 75
      Number of floors: 5
      Floor 1 UUID: LSA
        LHS Length: 19
        Protocol: UUID (0x0d)
        UUID: LSA (12345778-1234-abcd-ef00-0123456789ab)
        Version 0.0
        RHS Length: 2
        Version Minor: 0
      Floor 2 UUID: Version 1.1 network data representation protocol
        LHS Length: 19
        Protocol: UUID (0x0d)
        UUID: Version 1.1 network data representation protocol (8a885d04-1ceb-11c9-9fe8-08002b104860)
        Version 2.0
        RHS Length: 2
        Version Minor: 0
      Floor 3 RPC connection-oriented protocol
        LHS Length: 1
        Protocol: RPC connection-oriented protocol (0x0b)
        RHS Length: 2
      Floor 4 TCP Port:1025
        LHS Length: 1
        Protocol: DOD TCP (0x07)
        RHS Length: 2
        TCP Port: 1025  -- Port to use for application access (different from first tower)
      Floor 5 IP:10.1.200.2
        LHS Length: 1
        Protocol: DOD IP (0x09)
        RHS Length: 4
        IP: 10.1.200.2 (10.1.200.2)  -- IP the application is listening on
  Return code: 0x00000000
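To see how the floors above map to bytes on the wire, here is an added Python example (not from the original post) that encodes the ncacn_ip_tcp tower returned in the Map Response and parses it back: the 75-byte length, the big-endian port in floor 4 and the IPv4 address in floor 5 come out exactly as in the capture. The field layout (uint16 little-endian lengths, UUIDs in little-endian NDR order) follows the DCE 1.1 tower encoding; the function names are my own.

```python
import ipaddress
import struct
import uuid
# Floor protocol identifiers seen in the capture above (DCE 1.1 tower encoding)
PROTO_UUID, PROTO_NCACN, PROTO_TCP, PROTO_IP = 0x0D, 0x0B, 0x07, 0x09
NDR20 = "8a885d04-1ceb-11c9-9fe8-08002b104860"  # transfer syntax from the Bind request

def uuid_floor(u, major, minor):
    # LHS: protocol id + UUID in little-endian NDR order + major version; RHS: minor version
    return bytes([PROTO_UUID]) + uuid.UUID(u).bytes_le + struct.pack("<H", major), struct.pack("<H", minor)

def build_tower(iface_uuid, iface_version, port, ip):
    """Encode a five-floor ncacn_ip_tcp tower: per floor, LHS len (uint16 LE), LHS, RHS len, RHS."""
    floors = [
        uuid_floor(iface_uuid, *iface_version),                # floor 1: interface UUID
        uuid_floor(NDR20, 2, 0),                                # floor 2: transfer syntax
        (bytes([PROTO_NCACN]), struct.pack("<H", 0)),           # floor 3: connection-oriented RPC
        (bytes([PROTO_TCP]), struct.pack(">H", port)),          # floor 4: TCP port, big-endian
        (bytes([PROTO_IP]), ipaddress.IPv4Address(ip).packed),  # floor 5: IPv4 address
    ]
    out = struct.pack("<H", len(floors))
    for lhs, rhs in floors:
        out += struct.pack("<H", len(lhs)) + lhs + struct.pack("<H", len(rhs)) + rhs
    return out

def parse_tower(data):
    """Decode a tower octet string into the fields a troubleshooter looks for."""
    (nfloors,) = struct.unpack_from("<H", data, 0)
    pos, info = 2, {"floors": nfloors}
    for i in range(nfloors):
        (lhs_len,) = struct.unpack_from("<H", data, pos)
        lhs, pos = data[pos + 2:pos + 2 + lhs_len], pos + 2 + lhs_len
        (rhs_len,) = struct.unpack_from("<H", data, pos)
        rhs, pos = data[pos + 2:pos + 2 + rhs_len], pos + 2 + rhs_len
        if lhs[0] == PROTO_UUID:  # floors 1 and 2: UUID plus major.minor version
            key = "interface" if i == 0 else "transfer_syntax"
            info[key] = str(uuid.UUID(bytes_le=bytes(lhs[1:17])))
            info[key + "_version"] = (struct.unpack("<H", lhs[17:19])[0], struct.unpack("<H", rhs)[0])
        elif lhs[0] == PROTO_TCP:
            info["port"] = struct.unpack(">H", rhs)[0]
        elif lhs[0] == PROTO_IP:
            info["ip"] = str(ipaddress.IPv4Address(bytes(rhs)))
    if pos != len(data):
        raise ValueError("tower length does not match its floors")
    return info

def map_response_towers():
    """The two LSA towers from the Map Response above: same IP, ports 1600 and 1025."""
    lsa = "12345778-1234-abcd-ef00-0123456789ab"
    return [parse_tower(build_tower(lsa, (0, 0), port, "10.1.200.2")) for port in (1600, 1025)]
```

A tower whose floor 4 port or floor 5 address does not match what the server actually listens on is the first thing to check when the endpoint mapper bind succeeds but the application bind fails.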
Connection to the App
A connection to the application requires a successful RPC bind and the correct operation numbers (OpNum). Each bind is identified by a call_id.
Frame 11: RPC Bind Request from the client
11 10:41:50.148172 10.32.30.66 10.1.200.2 DCERPC Bind: call_id: 1 LSA V0.0
Frame 11 (184 bytes on wire, 184 bytes captured)
Internet Protocol, Src: 10.32.30.66 (10.32.30.66), Dst: 10.1.200.2 (10.1.200.2)
Transmission Control Protocol, Src Port: servistaitsm (3636), Dst Port: issd (1600), Seq: 3000314679, Ack: 2455167807, Len: 130
DCE RPC Bind, Fragment: Single, FragLen: 130, Call: 1
Frame 12: RPC Bind Ack from the Server
12 10:41:50.148172 10.1.200.2 10.32.30.66 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840
Frame 12 (134 bytes on wire, 134 bytes captured)
Internet Protocol, Src: 10.1.200.2 (10.1.200.2), Dst: 10.32.30.66 (10.32.30.66)
Transmission Control Protocol, Src Port: issd (1600), Dst Port: servistaitsm (3636), Seq: 2455167807, Ack: 3000314809, Len: 80
DCE RPC Bind_ack, Fragment: Single, FragLen: 80, Call: 1
Frame 13: You see the OpNum presented to the server.
RPC: c/o Request: LSARpc {12345778-1234-ABCD-EF00-0123456789AB} Call=0x1 Opnum=0x4C Context=0x0 Hint=0x7C
The conversation between the client and server continues with the necessary OpNums until the client process ends (like the Outlook example from v.1, where your inbox is populated).
- Each application has its own set of operation numbers.
Service Doesn’t Register with the Endpoint Mapper
Firewall blocking application port
UDP port 135 (epmap service): LISTENING or FILTERED
Querying Endpoint Mapper Database...
Server's response:
UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076
ncacn_ip_tcp:169.254.12.191[4144]
UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_np:\\MYSERVER[\PIPE\lsass]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:169.254.12.191[1030]
RPC is quite easy to understand and troubleshoot. The key to troubleshooting it is to understand where the breakdown occurs. You can ask yourself questions like:
I hope this blog gives you a closer look at RPC and saves you a support call or two.
- Rich Chambers
This is very helpful information on RPC, especially the details of what shows up in a network capture. I've slogged through a number of network captures involving RPC, trying to piece together what each command means - every piece of information helps! I've read the documentation and found it difficult to follow, so this smaller, focused example is useful.
I captured IPv6 packets on Windows 2008, and got "DOD IP" zero. DCE RPC 1.1 didn't mention anything about IPv6. Are there any spec updates for IPv6?
This blog is very helpful for me. I have been searching for this kind of explanation for many days. Thank you very much. If I have any doubt regarding this, may I contact you? My mail: smartjmc@gmail.com.