[EXT] Zeek can't recognize some UDP based DCE/RPC "connections"

Hi Brett,

I am familiar with DCE-RPC, but I haven’t worked with DCE-RPC over UDP in a long time. Looking at the PCAP you sent, it appears the PROFINET_IO_CM protocol does not use the DCE-RPC endpoint mapper service. I think this is the problem. If it used the endpoint mapper service, then I believe you would first see DCE-RPC traffic to port 135 (with the epmapper UUID in the DCE-RPC header); then it would get mapped to an ephemeral high port; and I think Zeek might stand a chance of recognizing the entire transaction. Instead, the PROFINET_IO_CM server just changes the port from which it responds, without the formalities of the epmapper service, making it appear like a new “connection”.

Mark

Mark I. Fernandez

MITRE Corporation

Email: mfernandez@mitre.org
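As an added illustration of the point made in the reply above (example code written for this page, not Zeek code and not from the original thread): the connectionless DCE-RPC header carries an activity UUID and a sequence number, so a request and its response can be paired on those fields even when the server answers from a different UDP port, which is exactly the pairing a 5-tuple-based connection tracker misses. The addresses, ports and activity UUID in the sample are constructed values.

```python
import struct
import uuid

# OSF DCE 1.1 RPC connectionless (CL) PDU header: 80 bytes, fields in spec order.
CL_HDR_LEN = 80
PTYPE_REQUEST, PTYPE_RESPONSE = 0, 2

def parse_cl_header(data):
    """Parse a CL DCE-RPC header; return a dict, or None if it is not one."""
    if len(data) < CL_HDR_LEN or data[0] != 4:   # rpc_vers is 4 for CL PDUs
        return None
    drep = data[4:7]                              # data representation label
    endian = "<" if (drep[0] >> 4) == 1 else ">"  # high nibble 1 = little-endian
    fields = struct.unpack_from(endian + "IIIHHHHHBB", data, 56)
    return {
        "ptype": data[1], "flags1": data[2], "flags2": data[3],
        "object": data[8:24].hex(), "interface": data[24:40].hex(),
        "activity": data[40:56].hex(),            # ties request and response
        "server_boot": fields[0], "if_vers": fields[1], "seqnum": fields[2],
        "opnum": fields[3], "len": fields[6], "fragnum": fields[7],
    }

def build_cl_header(ptype, activity, seqnum, opnum=0):
    """Constructed little-endian CL header for sample data (not a real capture)."""
    fixed = bytes([4, ptype, 0, 0]) + b"\x10\x00\x00\x00" + bytes(32) + activity
    return fixed + struct.pack("<IIIHHHHHBB", 0, 1, seqnum, opnum,
                               0xFFFF, 0xFFFF, 0, 0, 0, 0)

def correlate(datagrams):
    """Pair CL requests with responses by (activity UUID, seqnum), not by 5-tuple.
    datagrams: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload)."""
    pending, pairs = {}, []
    for src, sport, dst, dport, payload in datagrams:
        hdr = parse_cl_header(payload)
        if hdr is None:
            continue
        key = (hdr["activity"], hdr["seqnum"])
        if hdr["ptype"] == PTYPE_REQUEST:
            pending[key] = (src, sport, dst, dport)
        elif hdr["ptype"] == PTYPE_RESPONSE and key in pending:
            req = pending.pop(key)
            pairs.append({"activity": hdr["activity"], "seqnum": hdr["seqnum"],
                          "request_dst_port": req[3], "response_src_port": sport,
                          "port_changed": req[3] != sport})
    return pairs

# Constructed sample: the client sends to UDP 34964 (the well-known PROFINET-CM
# port) and the server answers from an ephemeral port, so the 5-tuples differ.
ACTIVITY = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes
SAMPLE = [
    ("10.0.0.1", 49152, "10.0.0.2", 34964, build_cl_header(PTYPE_REQUEST, ACTIVITY, 1)),
    ("10.0.0.2", 49153, "10.0.0.1", 49152, build_cl_header(PTYPE_RESPONSE, ACTIVITY, 1)),
]
```

Running `correlate(SAMPLE)` yields one pair flagged `port_changed`, the case that appears as two separate "connections" to a port-based tracker.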