Using Network Monitor for Custom RPC

In many cases, it may not be obvious what specific interfaces a particular application uses to connect to another server. This is particularly true with RPC UUIDs, which are not always published in documentation or on the Internet. In cases where custom protocol definitions need to be made for securing the service, but the UUIDs are unknown, using a network packet capture tool is a useful approach for identifying which types of interfaces to allow.

Windows Server 2003 includes a free Network Monitor tool that can be installed on any server to monitor the packets that are sent directly to that particular server. It can be installed on a destination server, for example, to identify which RPC interfaces a particular application is using, for example.

Installing Network Monitor

The first step to inspecting the RPC packets and creating a custom rule based on the UUIDs of a service is to install the Network Monitor on the server. For the procedure to install Network Monitor on a Windows Server 2003 system, perform the following steps:


It might be useful to install Network Monitor on an ISA server to assist in troubleshooting problems and monitoring traffic sent to it. It can also be used to determine which types of RPC traffic are hitting ISA's network interfaces, which can be useful for the type of scenario being described as well.


Go to Start, Control Panel, Add or Remove Programs.


Click Add/Remove Windows Components.


Scroll down under Components and click on the text of Management and Monitoring Tools to select it (don't check the box, just click on the text).


Click the Details button.


Check the box next to Network Monitor Tools, as shown in Figure 15.8. Click OK.

Figure 15.8. Installing Network Monitor.


Click Next to continue.


Enter the Windows Server 2003 media if prompted and click OK.


Click Finish.

Using Network Monitor to Scan Traffic for RPC UUIDs

After it has been installed, Network Monitor can be used to take snapshots of the packets that hit the network interfaces that are installed on the server. Looking through these packets can help to identify critical pieces of information, such as which UUIDs are being called for. To start the process, start Network Monitor and capture some data through the following process:


During the data capture, the application that is to be tested for UUID transmittal must be run against the server in question. Also, systems with multiple network cards need to choose which network to scan.


Open Network Monitor (Start, Administrative Tools, Network Monitor).


Click on Capture, Start, as shown in Figure 15.9.

Figure 15.9. Capturing packets with Network Monitor.


After the application has been run, and enough time has passed to capture all the packets that hit the server, click Capture, Stop and View.

After the capture is complete, look through the packet Description for ones that start with c/o RPC Bind: UUID, similar to what is shown in Figure 15.10. Look for each of the UUIDs that were requested by the server, and take note of them for use in the custom RPC protocol definition.

Figure 15.10. Looking for RPC UUIDs in Network Monitor traffic.


Because the UUID needs to be entered without typos, it may be wise to cut and paste the results of Network Monitor into Notepad, so that it can be used later in the creation of the RPC protocol definition.

Using Network Monitor is an excellent way to ascertain what type of traffic an application uses. This information can then be easily translated into a custom filter rule in ISA, further securing the traffic sent between networks protected by ISA servers.

    Microsoft Internet Security and Acceleration ISA Server 2004 Unleashed
    Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed
    ISBN: 067232718X
    EAN: 2147483647
    Year: 2005
    Pages: 216
    Authors: Michael Noel

    Similar book on Amazon © 2008-2017.
    If you may any questions please contact us: