radump more tshark-like?

Carter Bullard carter at qosient.com
Tue Jul 2 08:58:18 EDT 2013


One other thing.  What do we want to do with this?  Grep for a name?
We grep on the printer's output buffer, we don't currently grep on radump()'s output buffer, so putting the Netbios decode only in radump() will get us only so far.

Carter

On Jul 2, 2013, at 8:36 AM, Carter Bullard <carter at qosient.com> wrote:

> Hey Elof2,
> I don't have any problems making the change, just need to know when to do it.
> Applying a strange decoding to non-Netbios traffic isn't going to do much positive.
> 
> I think we should define a printer, call it "extended", which is where we implement
> any of these protocol specific decoding capabilities?
> 
> OR
> 
> we just do it in radump(), and leave ra() alone?
> 
> Carter
> 
> On Jul 2, 2013, at 8:24 AM, elof2 at sentor.se wrote:
> 
>> 
>> Hi Carter!
>> 
>> I see in the manual for radump that it is tcpdump-like.
>> Would it be lots of work to make it more tshark-like instead?
>> 
>> tcpdump is not parsing Microsoft networking very well (ports 135, 137-139, 445). Tshark on the other hand usually manages to show what I'm interested in, i.e. the machine name, domain, login name, etc.
>> 
>> 
>> It is mainly the Microsoft protocols I need decoded, but naturally other common protocols that can reveal the identity behind an IP address would be interesting.
>> 
>> In my last email I was asking for a function to decode the NetBIOS half-ASCII.
>> It would also be nice if data like this:
>> ......H.&.\.\.E.U.R.S.T.H.L.M.D.C.0.1.\.I.P.C.$.....
>> was decoded into strings:
>> ......H.&.\\EURSTHLMDC01\IPC$.....
>> 
>> /Elof
> 


