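# portmap request for mountd [or whatever; see where prog=MOUNT]
# send to UDP 111 and hope it's not a logging portmapper!
# split into longwords, since rpc apparently only deals with them
#
# Layout of each data line, as used throughout this file:
#   decimal byte # hex byte # character column # optional comment
# (the character column is '.' on every line here, presumably because
# none of these bytes is printable).
#
# The payload is a single ONC RPC call, 14 big-endian 32-bit words
# (56 bytes): the RPC call header, two empty AUTH_NONE authenticators,
# then the GETPORT argument (prog, vers, prot, port).
#
# Detection: a logging portmapper/rpcbind records this lookup.  GETPORT
# queries for MOUNT arriving on UDP 111 from hosts outside the trusted
# network are worth alerting on, and port 111 is normally filtered at
# the perimeter.

001 # 0x01 # . # XID: 4 trash bytes; the reply echoes them back
002 # 0x02 # .
003 # 0x03 # .
004 # 0x04 # .

000 # 0x00 # . # MSG: int 0=call, 1=reply
000 # 0x00 # .
000 # 0x00 # .
000 # 0x00 # .

000 # 0x00 # . # pmap call body: rpc version=2
000 # 0x00 # .
000 # 0x00 # .
002 # 0x02 # .

000 # 0x00 # . # pmap call body: prog=PMAP, 100000 [0x000186a0]
001 # 0x01 # .
134 # 0x86 # .
160 # 0xa0 # .

000 # 0x00 # . # pmap call body: progversion=2
000 # 0x00 # .
000 # 0x00 # .
002 # 0x02 # .

000 # 0x00 # . # pmap call body: proc=GETPORT, 3
000 # 0x00 # .
000 # 0x00 # .
003 # 0x03 # .

# with AUTH_NONE, there are 4 zero integers [16 bytes] here:
# credential flavor + length, then verifier flavor + length

000 # 0x00 # . # auth junk: cb_cred flavor: auth_unix = 1; NONE = 0
000 # 0x00 # .
000 # 0x00 # .
000 # 0x00 # .

000 # 0x00 # . # auth junk: cb_cred length = 0 [no credential body]
000 # 0x00 # .
000 # 0x00 # .
000 # 0x00 # .

000 # 0x00 # . # auth junk: cb_verf flavor = NONE
000 # 0x00 # .
000 # 0x00 # .
000 # 0x00 # .

000 # 0x00 # . # auth junk: cb_verf length = 0
000 # 0x00 # .
000 # 0x00 # .
000 # 0x00 # .

# GETPORT argument: the mapping being looked up

000 # 0x00 # . # prog=MOUNT, 100005 [0x000186a5]
001 # 0x01 # .
134 # 0x86 # .
165 # 0xa5 # .

000 # 0x00 # . # progversion=1
000 # 0x00 # .
000 # 0x00 # .
001 # 0x01 # .

000 # 0x00 # . # protocol=udp, 17
000 # 0x00 # .
000 # 0x00 # .
017 # 0x11 # .

000 # 0x00 # . # port field of the mapping = junk; GETPORT ignores it
000 # 0x00 # .
000 # 0x00 # .
000 # 0x00 # .

# The reply you get back contains your XID, then int 1 [msg type =
# reply], then int 0 if the call was "accepted", and mountd's port
# number at the end or 0 if not registered.
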