ra/radump - Decoding of NetBIOS user data
Carter Bullard
carter at qosient.com
Tue Jul 2 08:32:11 EDT 2013
Hey Elof2,
I usually don't want to support sheer stupidity... isn't this one
of those cases? We have a number of "printer"s for ra user data,
we can define a printer that does what you want. Are there other
protocols that have their own encodings?
While I see a conversion path, what is this? Why on earth did they
do it this way?
Carter
On Jul 2, 2013, at 8:03 AM, elof2 at sentor.se wrote:
>
> Hi Carter!
>
> I have a request:
>
> It would be nice if ra and/or radump could decode NetBIOS name strings (half-ASCII) found in the user data.
>
>
> Example:
> ra -nr argus.log -s saddr sport dir daddr dport suser:120 - port 137
> 10.2.3.4.137 -> 10.2.3.255.137 s[120]=............ FHFAEBEECACACACACACACACACACACAAA.. .............. FHFAEBEECACACACACACACACACACACAAA.. .............. FHFAEBE
>
> Instead I'd like ra to decode this and show:
>
> 10.2.3.4.137 -> 10.2.3.255.137 s[120]~=............ WPAD AA.. .............. WPAD AA.. .............. WPA.
>
> See http://support.microsoft.com/kb/194203 for a static conversion table.
> FH = W
> FA = P
> EB = A
> EE = D
> ...and so on...
>
>
> Apparently the host 10.2.3.4.137 is called "WPAD".
> This identity information is what I'm looking for.
>
>
> Suggestion:
> If ra has converted the user data in any way, this could be indicated by adding a ~ in front of the = like this: s[120]~=XXXXXXXXXXXXXXXXXX
>
>
> I know that ra already has code to manipulate the user data, replacing clear text passwords with "xxxxxxxx". This code section could be expanded with a function to decode NetBIOS names.
>
>
>
> ...and/or make radump able to display the NetBIOS name string. The above is only translated into:
> s[46]="NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST"
> I don't see the name "WPAD" there. :-/
>
> /Elof
>
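The conversion Elof describes (the Microsoft KB table, "FH = W", "FA = P", and so on) is the NetBIOS first-level encoding: each nibble of a name byte is written as one letter from 'A' to 'P', so the 16-byte name field (15 characters of name padded with spaces, plus a one-byte suffix) appears as 32 letters. The following Python is an added example written for this thread, not code from Argus or from either poster; it shows the decoding as a general routine rather than a lookup table, the matching encoder as a round-trip check, and a small filter that rewrites encoded names found in printed user data the way the requested `ra` output would. The `ra` output line it is run on is constructed from the example in the message above, with the trailing cut-off fragment "FHFAEBE" kept to show that incomplete names are left alone.

```python
import re

# NetBIOS first-level encoding: a name byte b is written as two letters,
# chr(ord('A') + (b >> 4)) and chr(ord('A') + (b & 0x0F)). A full name field
# is 16 bytes (15 name characters padded with 0x20, plus a suffix byte such
# as 0x00 for a workstation or 0x20 for a server), hence 32 letters A-P.
ENCODED_NAME_RE = re.compile(r"[A-P]{32}")


def decode_netbios_name(encoded: str) -> tuple:
    """Decode a 32-letter first-level encoded NetBIOS name.

    Returns (name, suffix): the name with its trailing space padding removed,
    and the 16th byte as an integer.
    """
    if len(encoded) != 32 or not all("A" <= c <= "P" for c in encoded):
        raise ValueError("expected exactly 32 letters in the range A-P")
    raw = bytes(
        ((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
        for i in range(0, 32, 2)
    )
    # Non-ASCII name bytes are possible on the wire; replace rather than fail.
    name = raw[:15].decode("ascii", errors="replace").rstrip(" ")
    return name, raw[15]


def encode_netbios_name(name: str, suffix: int = 0x00) -> str:
    """Inverse of decode_netbios_name, used here to cross-check the decoder."""
    field = name.upper().ljust(15, " ")[:15].encode("ascii") + bytes([suffix])
    return "".join(
        chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in field
    )


def annotate_user_data(user_data: str) -> str:
    """Rewrite every complete encoded name in a printed user-data string as
    NAME<suffix>, e.g. 'FHFAEBEE...AAA' -> 'WPAD<00>'. Fragments shorter than
    32 letters (a name cut off by the -s suser:N limit) are left untouched."""
    def repl(match):
        name, suffix = decode_netbios_name(match.group(0))
        return f"{name}<{suffix:02X}>"
    return ENCODED_NAME_RE.sub(repl, user_data)


# Constructed sample, based on the ra output quoted in the thread.
SAMPLE_RA_LINE = (
    "10.2.3.4.137 -> 10.2.3.255.137 s[120]=............ "
    "FHFAEBEECACACACACACACACACACACAAA.. .............. FHFAEBE"
)

if __name__ == "__main__":
    print(decode_netbios_name("FHFAEBEECACACACACACACACACACACAAA"))
    print(annotate_user_data(SAMPLE_RA_LINE))
```

The regular expression only fires on an exact 32-letter run, so a truncated name at the end of the captured user data stays as the raw letters rather than being mis-decoded; a printer that wants to flag converted bytes, as Elof's `~=` suggestion does, would wrap `annotate_user_data` and change the `=` only when a substitution actually occurred.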