Differences between revisions 1 and 2
Revision 1 as of 2005-11-29 02:32:46
Size: 1724
Comment:
Revision 2 as of 2006-06-05 03:19:16
Size: 1727
Editor: localhost
Comment:
Line 17: Line 17:
XXX - Add example traffic here (as plain text or Ethereal screenshot). XXX - Add example traffic here (as plain text or Wireshark screenshot).
Line 19: Line 19:
== Ethereal == == Wireshark ==
Line 32: Line 32:
A complete list of INITSHUTDOWN display filter fields can be found in the [http://www.ethereal.com/docs/dfref/i/initshutdown.html display filter reference] A complete list of INITSHUTDOWN display filter fields can be found in the [http://www.wireshark.org/docs/dfref/i/initshutdown.html display filter reference]

Microsoft INITSHUTDOWN interface

This is a ["DCE/RPC"] based protocol used by ["CIFS"] hosts to remotely shut down or restart other ["CIFS"] hosts. This dissector is described by an IDL file and is automatically generated by the ["Pidl"] compiler.

History

This protocol first appeared with the release of Active Directory (Windows 2000).

Protocol dependencies

  • ["DCE/RPC"]: This protocol is implemented on top of the ["DCE/RPC"] transport. It is most often accessed through the \PIPE\InitShutdown named pipe on IPC$, but in some cases it can also be reached through a dynamically assigned ["TCP"] port.

Example traffic

XXX - Add example traffic here (as plain text or Wireshark screenshot).

Wireshark

The INITSHUTDOWN dissector is fully functional.

Preference Settings

There are no preference settings specific to the INITSHUTDOWN protocol.

Example capture file

Someone should donate a capture for this protocol.

Display Filter

A complete list of INITSHUTDOWN display filter fields can be found in the [http://www.wireshark.org/docs/dfref/i/initshutdown.html display filter reference].

  • Show only the INITSHUTDOWN based traffic:

     initshutdown 

Capture Filter

You cannot directly filter INITSHUTDOWN protocols while capturing.

Protocol Functions

The INITSHUTDOWN interface supports the following operations:

  • ["initshutdown_Init"]
  • ["initshutdown_Abort"]
  • ["initshutdown_InitEx"]
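Because the interface can sit behind a named pipe or a dynamic TCP port, it is recognised from the DCE/RPC bind rather than from a port number. The sketch below is an added example, not Wireshark's or the page author's code: it takes the reassembled DCE/RPC PDUs of one connection, finds contexts bound to INITSHUTDOWN and names the operations requested on them. The interface UUID, the opnum numbering, the helper names and the sample PDUs are assumptions introduced here.

```python
import struct
import uuid

# Assumptions (not stated on the page): interface UUID and opnum order,
# taken from the published InitShutdown IDL.
INITSHUTDOWN_IF = uuid.UUID("894de0c0-0d55-11d3-a322-00c04fa321a1")
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
OPNUMS = {0: "initshutdown_Init", 1: "initshutdown_Abort", 2: "initshutdown_InitEx"}
PTYPE_REQUEST, PTYPE_BIND = 0, 11

def _endian(pdu):
    # High nibble of the first data-representation byte: 1 = little-endian.
    return "<" if pdu[4] >> 4 == 1 else ">"

def bind_interfaces(pdu):
    """Return [(context_id, interface_uuid)] offered in a DCE/RPC v5 bind PDU."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        return []
    end, off, found = _endian(pdu), 28, []
    for _ in range(pdu[24]):                  # n_context_elem
        if off + 24 > len(pdu):               # truncated PDU: stop parsing
            break
        ctx_id, n_syntaxes = struct.unpack_from(end + "HB", pdu, off)
        raw = pdu[off + 4:off + 20]           # abstract syntax (interface) UUID
        if_uuid = uuid.UUID(bytes_le=raw) if end == "<" else uuid.UUID(bytes=raw)
        found.append((ctx_id, if_uuid))
        off += 24 + 20 * n_syntaxes           # skip version + transfer syntaxes
    return found

def initshutdown_calls(pdus):
    """Names of INITSHUTDOWN operations requested on one connection, in order."""
    contexts, calls = set(), []
    for pdu in pdus:
        contexts.update(c for c, u in bind_interfaces(pdu) if u == INITSHUTDOWN_IF)
        if len(pdu) >= 24 and pdu[0] == 5 and pdu[2] == PTYPE_REQUEST:
            ctx_id, opnum = struct.unpack_from(_endian(pdu) + "HH", pdu, 20)
            if ctx_id in contexts:
                calls.append(OPNUMS.get(opnum, f"unknown opnum {opnum}"))
    return calls

def _header(ptype, body, call_id):
    # 16-byte common header: version 5.0, little-endian data representation.
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 3, b"\x10\0\0\0",
                       16 + len(body), 0, call_id) + body

# Constructed sample PDUs (not captured traffic): one bind, then two requests.
SAMPLE_BIND = _header(PTYPE_BIND, struct.pack("<HHIBxxxHBx", 4280, 4280, 0, 1, 0, 1)
                      + INITSHUTDOWN_IF.bytes_le + struct.pack("<HH", 1, 0)
                      + NDR_SYNTAX.bytes_le + struct.pack("<I", 2), 1)
SAMPLE_REQUESTS = [_header(PTYPE_REQUEST, struct.pack("<IHH", 0, 0, op), 2 + i)
                   for i, op in enumerate((2, 1))]
print(initshutdown_calls([SAMPLE_BIND] + SAMPLE_REQUESTS))
```

Contexts added later with an alter_context PDU are not tracked by this sketch.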

Discussion

INITSHUTDOWN (last edited 2008-04-12 17:51:29 by localhost)