radump more tshark-like?

Carter Bullard carter at qosient.com
Tue Jul 2 08:36:35 EDT 2013


Hey Elof2,
I don't have any problems making the change, just need to know when to do it.
Applying a strange decoding to non-Netbios traffic isn't going to do much positive.

I think we should define a printer, call it "extended", which is where we implement
any of these protocol specific decoding capabilities?

OR

we just do it in radump(), and leave ra() alone?

Carter

On Jul 2, 2013, at 8:24 AM, elof2 at sentor.se wrote:

> 
> Hi Carter!
> 
> I see in the manual for radump that it is tcpdump-like.
> Would it be lots of work to make it more tshark-like instead?
> 
> tcpdump is not parsing Microsoft networking very well (ports 135, 137-139, 445). Tshark on the other hand usually manages to show what I'm interested in, i.e. the machine name, domain, login name, etc.
> 
> 
> It is mainly the Microsoft protocols I need decoded, but naturally other common protocols that can reveal the identity behind an IP address would be interesting.
> 
> In my last email I was asking for a function to decode the NetBIOS half-ASCII.
> It would also be nice if data like this:
>  ......H.&.\.\.E.U.R.S.T.H.L.M.D.C.0.1.\.I.P.C.$.....
> was decoded into strings:
>  ......H.&.\\EURSTHLMDC01\IPC$.....
> 
> /Elof
> 
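
The two decodings Elof asks for above (NetBIOS first-level "half-ASCII" names, and UTF-16LE strings that tcpdump -A shows as `E.U.R.S.T.`), as an added Python example that is not part of argus or radump; the encoded name and the sample payload are constructed for illustration, not taken from a capture.

```python
"""Added example: decode NetBIOS half-ASCII names and collapse UTF-16LE runs.

NetBIOS first-level encoding (RFC 1001/1002) splits each byte of the 16-byte
name into two nibbles and writes each nibble as a letter 'A'..'P'. SMB
Unicode strings are UTF-16LE, so every ASCII character is followed by 0x00,
which tcpdump -A renders as a '.' after each letter.
"""
import re


def netbios_decode(encoded: str) -> tuple:
    """Decode a 32-character first-level NetBIOS name.

    Returns (name, suffix): the 15-byte name with trailing padding removed
    and the 16th byte, which identifies the service (e.g. 0x20 = server).
    """
    if re.fullmatch(r"[A-P]{32}", encoded) is None:
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]


def render_payload(data: bytes, min_run: int = 3) -> str:
    """Render bytes tcpdump -A style, but print UTF-16LE ASCII runs as text.

    A run is at least `min_run` printable ASCII bytes each followed by 0x00.
    Shorter matches are left alone so that stray length or flag fields that
    happen to look like one wide character are not misrendered.
    """
    out, i, n = [], 0, len(data)
    while i < n:
        j = i
        while j + 1 < n and 0x20 <= data[j] < 0x7F and data[j + 1] == 0:
            j += 2
        if (j - i) // 2 >= min_run:
            out.append(data[i:j].decode("utf-16-le"))
            i = j
        else:
            b = data[i]
            out.append(chr(b) if 0x20 <= b < 0x7F else ".")
            i += 1
    return "".join(out)


# Constructed sample: a few header bytes, then an SMB tree path in UTF-16LE.
SAMPLE = (b"\x00\x00\x00\x00H\x01&\x02"
          + "\\\\EURSTHLMDC01\\IPC$".encode("utf-16-le")
          + b"\x00\x00\x00\x00")

if __name__ == "__main__":
    print(netbios_decode("EFFFFCFDFEEIEMENEEEDDADBCACACACA"))
    print(render_payload(SAMPLE))
```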
