ra/radump - Decoding of NetBIOS user data
elof2 at sentor.se
Tue Jul 2 08:03:59 EDT 2013
Hi Carter!
I have a request:
It would be nice if ra and/or radump could decode NetBIOS name strings
(half-ASCII) found in the user data.
Example:
ra -nr argus.log -s saddr sport dir daddr dport suser:120 - port 137
10.2.3.4.137 -> 10.2.3.255.137 s[120]=............ FHFAEBEECACACACACACACACACACACAAA.. .............. FHFAEBEECACACACACACACACACACACAAA.. .............. FHFAEBE
Instead I'd like ra to decode this and show:
10.2.3.4.137 -> 10.2.3.255.137 s[120]~=............ WPAD AA.. .............. WPAD AA.. .............. WPA.
See http://support.microsoft.com/kb/194203 for a static conversion table.
FH = W
FA = P
EB = A
EE = D
...and so on...
Apparently the host 10.2.3.4.137 is called "WPAD".
This identity information is what I'm looking for.
Suggestion:
If ra has converted the user data in any way, this could be indicated by
adding a ~ in front of the = like this: s[120]~=XXXXXXXXXXXXXXXXXX
I know that ra already has code to manipulate the user data, replacing
clear text passwords with "xxxxxxxx". This code section could be expanded
with a function to decode NetBIOS names.
...and/or make radump able to display the NetBIOS name string. The above
is only translated into:
s[46]="NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST"
I don't see the name "WPAD" there. :-/
/Elof
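The conversion Elof describes (each byte of the 16-byte NetBIOS name split into two nibbles, each nibble written as 'A' + nibble, so a name is always 32 letters from A..P; the 16th byte is the service suffix) is small enough to show end to end. The following is an added example, not code from argus or from the poster: it decodes and re-encodes first-level names, rewrites a printable user-data string the way the request asks ra to, and parses the question section of an NBNS query on UDP/137 to pull the name out. The NAME<suffix> rendering and the handful of suffix descriptions are my choices, not argus conventions, and the sample query packet is constructed inline.

```python
"""Decode RFC 1001/1002 first-level ("half-ASCII") NetBIOS names as seen in
NBNS traffic on UDP/137.  Added example; not part of argus or ra/radump."""
import re
import struct

_ALPHABET = "ABCDEFGHIJKLMNOP"   # nibble 0..15 -> letter A..P

# Display-only subset of the well-known service suffixes (assumption: not a
# complete table).
SUFFIX_NAMES = {
    0x00: "Workstation/Redirector",
    0x03: "Messenger",
    0x1B: "Domain Master Browser",
    0x1D: "Master Browser",
    0x20: "File Server",
}


def decode_netbios_name(encoded):
    """Decode one 32-letter first-level-encoded name.

    Returns (name, suffix): the 15-byte name with its trailing space padding
    (or NUL padding, as used by the wildcard name "*") removed, and the 16th
    byte as the integer suffix.  Non-ASCII name bytes are shown escaped.
    """
    if len(encoded) != 32 or any(c not in _ALPHABET for c in encoded):
        raise ValueError("not a first-level-encoded NetBIOS name: %r" % (encoded,))
    raw = bytes(
        ((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
        for i in range(0, 32, 2)
    )
    name = raw[:15].rstrip(b" \x00").decode("ascii", "backslashreplace")
    return name, raw[15]


def encode_netbios_name(name, suffix=0x00):
    """Inverse of decode_netbios_name: pad to 15 bytes with spaces, append suffix."""
    raw = name.encode("ascii").ljust(15, b" ")[:15] + bytes([suffix & 0xFF])
    return "".join(_ALPHABET[b >> 4] + _ALPHABET[b & 0x0F] for b in raw)


# A 32-letter run of A..P with no adjacent A..P letter, as it appears in ra's
# printable rendering of the user data (non-printable bytes shown as '.').
_ENCODED_RUN = re.compile(r"(?<![A-P])[A-P]{32}(?![A-P])")


def decode_names_in_userdata(text):
    """Rewrite ra's suser/duser text with each encoded name shown as NAME<suffix>."""
    def _repl(m):
        name, suffix = decode_netbios_name(m.group(0))
        return "%s<%02X>" % (name, suffix)
    return _ENCODED_RUN.sub(_repl, text)


def parse_nbns_query(pkt):
    """Parse the header and question section of an NBNS packet (RFC 1002 4.2.12).

    Returns a dict with the transaction ID, decoded header flags and one
    (name, suffix, qtype) tuple per question.  Scope-ID labels after the
    encoded name are skipped; compression pointers are rejected.
    """
    if len(pkt) < 12:
        raise ValueError("truncated NBNS header")
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    info = {
        "txid": txid,
        "response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0x0F,       # 0 = QUERY
        "recursion_desired": bool(flags & 0x0100),
        "broadcast": bool(flags & 0x0010),    # NM_FLAGS B bit
        "names": [],
    }
    off = 12
    for _ in range(qdcount):
        if off >= len(pkt) or pkt[off] != 32:
            raise ValueError("expected a 32-byte encoded name label")
        label = pkt[off + 1:off + 33].decode("ascii")
        off += 33
        while off < len(pkt) and pkt[off] != 0:   # skip scope-ID labels, if any
            if pkt[off] & 0xC0:
                raise ValueError("compression pointer in question name")
            off += 1 + pkt[off]
        off += 1                                   # zero-length terminator
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        name, suffix = decode_netbios_name(label)
        info["names"].append((name, suffix, qtype))
    return info


# Constructed sample: a broadcast NBNS name query for WPAD<00>, the kind of
# packet a Windows host looking for a proxy auto-config server sends.
SAMPLE_NBNS_QUERY = (
    struct.pack("!6H", 0x1234, 0x0110, 1, 0, 0, 0)   # ID, flags (query, RD, B), 1 question
    + b"\x20" + encode_netbios_name("WPAD", 0x00).encode("ascii") + b"\x00"
    + struct.pack("!HH", 0x0020, 0x0001)             # QTYPE NB, QCLASS IN
)

if __name__ == "__main__":
    q = parse_nbns_query(SAMPLE_NBNS_QUERY)
    for name, suffix, _ in q["names"]:
        print("%s<%02X> (%s), broadcast=%s" % (name, suffix,
              SUFFIX_NAMES.get(suffix, "?"), q["broadcast"]))
    print(decode_names_in_userdata(
        "............ FHFAEBEECACACACACACACACACACACAAA.. .............. FHFAEBE"))
```

Note that the truncated run "FHFAEBE" at the end of a 120-byte user-data window is left alone by decode_names_in_userdata, since only complete 32-letter runs are rewritten; a longer suser/duser length is needed to see the third copy of the name.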
More information about the argus mailing list