Microsoft Network Logon (RPCNetlogon)
RPCNetlogon provides workstations, member servers and trusted domains with access to the centralised, shared authentication database in WinNT networks. This protocol also includes NT4-level synchronisation of user accounts between a PDC and BDC, as well as many other services.
XXX - add a brief description of RPCNetlogon history
- ["DCE/RPC"]: RPCNetlogon uses ["DCE/RPC"] as its transport protocol.
XXX - Add example traffic here (as plain text or Ethereal screenshot).
The RPCNetlogon dissector is partially functional. There are still a number of unknown commands and fields.
(XXX add links to preference settings affecting how RPCNetlogon is dissected).
Example capture file
XXX - Add a simple example capture file to the SampleCaptures page and link from here. Keep it short, it's also a good idea to gzip it to make it even smaller, as Ethereal can open gzipped files automatically.
A complete list of RPCNetlogon display filter fields can be found in the [http://www.ethereal.com/docs/dfref/r/rpc_netlogon.html display filter reference].
Show only the RPCNetlogon based traffic:
You cannot directly filter RPCNetlogon protocols while capturing.
[http://samba.org/ftp/unpacked/samba4/source/librpc/idl/netlogon.idl Samba4 IDL] for RPCNetlogon
We still don't entirely understand this protocol; some of the open questions are listed on the RPCNetlogon/OpenQuestions page.