[Snort-devel] DCERPC2 Questions

snort user snort.user at ...2499...
Wed Sep 9 15:07:26 EDT 2009

Hello!

After dcerpc2 processing, is it a pseudo packet that goes through the
matching engine?
[i.e. passed to Detect()]
In case of an alert, is there a way to log the actual packet payload?

Also, could someone briefly explain the use of the stack in dcerpc2:
- DCE2_CStackTop
- DCE2_PushPkt
- DCE2_PopPkt

Thanks much for the help!

