radump more tshark-like?

David Edelman dedelman at iname.com
Tue Jul 2 19:06:18 EDT 2013


I actually hit the same problem and came up with a perl script called
radecode which uses tshark, text2pcap, and ra to do a pretty useful packet
decode. It is very vaguely based on the style of rahosts but it shows what
you can do if you want to roll your own client.

Carter, feel free to include and distribute it if you wish. Everyone else is
free to use and improve it.

--Dave



radecode -r *  -N o3 -   udp and host 10.1.1.101 and host 10.1.1.8
Input from: Standard input
Output to: /tmp/file11cHA8
Generate dummy Ethernet header: Protocol: 0x800
Generate dummy IP header: Protocol: 17
Generate dummy UDP header: Source port: 63293. Dest port: 161
Wrote packet of 204 bytes at 0
Wrote packet of 204 bytes at 204
Wrote packet of 255 bytes at 408
Read 3 potential packets, wrote 3 packets
Running as user "root" and group "root". This could be dangerous.
Frame 1: 246 bytes on wire (1968 bits), 246 bytes captured (1968 bits)
    WTAP_ENCAP: 1
    Arrival Time: Jul  2, 2013 22:54:39.000000000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1372805679.000000000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 246 bytes (1968 bits)
    Capture Length: 246 bytes (1968 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:snmp:data]
Ethernet II, Src: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5), Dst:
78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
    Destination: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
        Address: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
        .... ..1. .... .... .... .... = LG bit: Locally administered address
(this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
        Address: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
        .... ..1. .... .... .... .... = LG bit: Locally administered address
(this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.1.1.101 (10.1.1.101), Dst: 10.1.1.8
(10.1.1.8)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not
ECN-Capable Transport) (0x00)
    Total Length: 232
    Identification: 0x1234 (4660)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x91cb [correct]
        [Good: True]
        [Bad: False]
    Source: 10.1.1.101 (10.1.1.101)
    Destination: 10.1.1.8 (10.1.1.8)
User Datagram Protocol, Src Port: 63293 (63293), Dst Port: snmp (161)
    Source port: 63293 (63293)
    Destination port: snmp (161)
    Length: 212
    Checksum: 0xa214 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Simple Network Management Protocol
    version: version-1 (0)
    community: public
    data: get-request (0)
        get-request
            request-id: 1588204485
            error-status: noError (0)
            error-index: 0
            variable-bindings: 1 item
                1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0: Value (Null)
                    Object Name: 1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0
(iso.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0)
                    Value (Null)
Data (153 bytes)

0000  30 31 02 01 00 04 06 70 75 62 6c 69 63 a0 24 02   01.....public.$.
0010  04 5e aa 13 c5 02 01 00 02 01 00 30 16 30 14 06   .^.........0.0..
0020  10 2b 06 01 04 01 0b 02 03 09 04 02 01 01 03 03   .+..............
0030  00 05 00 30 31 02 01 00 04 06 70 75 62 6c 69 63   ...01.....public
0040  a0 24 02 04 5e aa 13 c5 02 01 00 02 01 00 30 16   .$..^.........0.
0050  30 14 06 10 2b 06 01 04 01 0b 02 03 09 04 02 01   0...+...........
0060  01 03 03 00 05 00 30 31 02 01 00 04 06 70 75 62   ......01.....pub
0070  6c 69 63 a0 24 02 04 5e aa 13 c5 02 01 00 02 01   lic.$..^........
0080  00 30 16 30 14 06 10 2b 06 01 04 01 0b 02 03 09   .0.0...+........
0090  04 02 01 01 03 03 00 05 00                        .........
    Data: 303102010004067075626c6963a02402045eaa13c5020100...
    [Length: 153]

Frame 2: 246 bytes on wire (1968 bits), 246 bytes captured (1968 bits)
    WTAP_ENCAP: 1
    Arrival Time: Jul  2, 2013 22:54:39.000001000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1372805679.000001000 seconds
    [Time delta from previous captured frame: 0.000001000 seconds]
    [Time delta from previous displayed frame: 0.000001000 seconds]
    [Time since reference or first frame: 0.000001000 seconds]
    Frame Number: 2
    Frame Length: 246 bytes (1968 bits)
    Capture Length: 246 bytes (1968 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:snmp:data]
Ethernet II, Src: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5), Dst:
78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
    Destination: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
        Address: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
        .... ..1. .... .... .... .... = LG bit: Locally administered address
(this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
        Address: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
        .... ..1. .... .... .... .... = LG bit: Locally administered address
(this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.1.1.101 (10.1.1.101), Dst: 10.1.1.8
(10.1.1.8)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not
ECN-Capable Transport) (0x00)
    Total Length: 232
    Identification: 0x1234 (4660)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x91cb [correct]
        [Good: True]
        [Bad: False]
    Source: 10.1.1.101 (10.1.1.101)
    Destination: 10.1.1.8 (10.1.1.8)
User Datagram Protocol, Src Port: 63293 (63293), Dst Port: snmp (161)
    Source port: 63293 (63293)
    Destination port: snmp (161)
    Length: 212
    Checksum: 0xa012 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Simple Network Management Protocol
    version: version-1 (0)
    community: public
    data: get-request (0)
        get-request
            request-id: 1588204486
            error-status: noError (0)
            error-index: 0
            variable-bindings: 1 item
                1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0: Value (Null)
                    Object Name: 1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0
(iso.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0)
                    Value (Null)
Data (153 bytes)

0000  30 31 02 01 00 04 06 70 75 62 6c 69 63 a0 24 02   01.....public.$.
0010  04 5e aa 13 c6 02 01 00 02 01 00 30 16 30 14 06   .^.........0.0..
0020  10 2b 06 01 04 01 0b 02 03 09 04 02 01 01 03 03   .+..............
0030  00 05 00 30 31 02 01 00 04 06 70 75 62 6c 69 63   ...01.....public
0040  a0 24 02 04 5e aa 13 c6 02 01 00 02 01 00 30 16   .$..^.........0.
0050  30 14 06 10 2b 06 01 04 01 0b 02 03 09 04 02 01   0...+...........
0060  01 03 03 00 05 00 30 31 02 01 00 04 06 70 75 62   ......01.....pub
0070  6c 69 63 a0 24 02 04 5e aa 13 c6 02 01 00 02 01   lic.$..^........
0080  00 30 16 30 14 06 10 2b 06 01 04 01 0b 02 03 09   .0.0...+........
0090  04 02 01 01 03 03 00 05 00                        .........
    Data: 303102010004067075626c6963a02402045eaa13c6020100...
    [Length: 153]

Frame 3: 297 bytes on wire (2376 bits), 297 bytes captured (2376 bits)
    WTAP_ENCAP: 1
    Arrival Time: Jul  2, 2013 22:54:39.000002000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1372805679.000002000 seconds
    [Time delta from previous captured frame: 0.000001000 seconds]
    [Time delta from previous displayed frame: 0.000001000 seconds]
    [Time since reference or first frame: 0.000002000 seconds]
    Frame Number: 3
    Frame Length: 297 bytes (2376 bits)
    Capture Length: 297 bytes (2376 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:snmp:data]
Ethernet II, Src: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5), Dst:
78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
    Destination: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
        Address: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
        .... ..1. .... .... .... .... = LG bit: Locally administered address
(this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
        Address: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
        .... ..1. .... .... .... .... = LG bit: Locally administered address
(this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.1.1.101 (10.1.1.101), Dst: 10.1.1.8
(10.1.1.8)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not
ECN-Capable Transport) (0x00)
    Total Length: 283
    Identification: 0x1234 (4660)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x9198 [correct]
        [Good: True]
        [Bad: False]
    Source: 10.1.1.101 (10.1.1.101)
    Destination: 10.1.1.8 (10.1.1.8)
User Datagram Protocol, Src Port: 63293 (63293), Dst Port: snmp (161)
    Source port: 63293 (63293)
    Destination port: snmp (161)
    Length: 263
    Checksum: 0x2877 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Simple Network Management Protocol
    version: version-1 (0)
    community: public
    data: get-request (0)
        get-request
            request-id: 1588204487
            error-status: noError (0)
            error-index: 0
            variable-bindings: 1 item
                1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0: Value (Null)
                    Object Name: 1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0
(iso.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0)
                    Value (Null)
Data (204 bytes)

0000  30 31 02 01 00 04 06 70 75 62 6c 69 63 a0 24 02   01.....public.$.
0010  04 5e aa 13 c7 02 01 00 02 01 00 30 16 30 14 06   .^.........0.0..
0020  10 2b 06 01 04 01 0b 02 03 09 04 02 01 01 03 03   .+..............
0030  00 05 00 30 31 02 01 00 04 06 70 75 62 6c 69 63   ...01.....public
0040  a0 24 02 04 5e aa 13 c7 02 01 00 02 01 00 30 16   .$..^.........0.
0050  30 14 06 10 2b 06 01 04 01 0b 02 03 09 04 02 01   0...+...........
0060  01 03 03 00 05 00 30 31 02 01 00 04 06 70 75 62   ......01.....pub
0070  6c 69 63 a0 24 02 04 5e aa 13 c7 02 01 00 02 01   lic.$..^........
0080  00 30 16 30 14 06 10 2b 06 01 04 01 0b 02 03 09   .0.0...+........
0090  04 02 01 01 03 03 00 05 00 30 31 02 01 00 04 06   .........01.....
00a0  70 75 62 6c 69 63 a0 24 02 04 5e aa 13 c7 02 01   public.$..^.....
00b0  00 02 01 00 30 16 30 14 06 10 2b 06 01 04 01 0b   ....0.0...+.....
00c0  02 03 09 04 02 01 01 03 03 00 05 00               ............
    Data: 303102010004067075626c6963a02402045eaa13c7020100...
    [Length: 204]



-----Original Message-----
From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
Behalf Of Matt Brown
Sent: Tuesday, July 02, 2013 3:58 PM
To: Carter Bullard
Cc: Argus Development
Subject: Re: [ARGUS] radump more tshark-like?

Had to remove the prepended '0x' with sed, and still seeing some
errors.  Problems are outside of this list though.


Thanks,

Matt



On Jul 2, 2013, at 3:28 PM, Carter Bullard <carter at qosient.com> wrote:

> we have that.  the hex printer works well.
>
>   ra -S argus.source -M printer=hex -s +suser:64 +duser:64
>
> Carter
>
> On Jul 2, 2013, at 11:27 AM, Matt Brown <matthewbrown at gmail.com> wrote:
>
>> Sorry if this is outside this thread...
>>
>> It would be great to create a hex output printer that conforms to
>> something readable by wireshark's text2pcap.
>>
>> 000000 0a 0b 0c 0d
>> ...
>>
>> http://www.wireshark.org/docs/man-pages/text2pcap.html
>>
>>
>> Carter, what do you think?
>>
>>
>> Thanks,
>>
>> Matt
>>
>> On Jul 2, 2013, at 10:48 AM, "elof2 at sentor.se" <elof2 at sentor.se> wrote:
>>
>>>
>>> Since ra and radump are pretty simillar, and since people usually use ra
prior to other ra-tools when browsing through data, I'd say both of them
should have the new printer.
>>>
>>> What I want to do with this new functionality is to try to find the
identity of an IP by looking at the argus data.
>>>
>>> Lets say that I just now got an alert from last week, telling me that IP
10.2.3.4 show traces of a malicious bot infection.
>>> Lets say there are hundreds of different subnets, and no documentation
of the network. The only thing I know is that 10.2.3.x is some office in
India.
>>> I then need to try to figure out as much as possible about 10.2.3.4 in
order to understand which machine is infected ...to be able to tell the
technician over which machine to re-install.
>>>
>>>
>>> The following three extended-printers would be nice:
>>>
>>> strip-all-binary)
>>> For all data:
>>> When printing the user data, only echo printable characters. I.e.
>>> supress printing all the placeholder dots for binary data.
>>> decode-netbios-names)
>>> For UDP data on ports 137 and 138: (or on all data?)
>>> find half-ASCII strings and convert them to cleartext
>>> (http://support.microsoft.com/kb/194203)
>>> decode-barred-smb)
>>> For all data (or possibly only TCP data on port 445):
>>> find strings (paths, filenames, UNC paths, etc) that are barred with
>>> dots and remove the dots, leaving only the clean string.
>>> * \.\.E.U.R.S.T.H.L.M.D.C.0.1.\.I.P.C.$   ->   \\EURSTHLMDC01\IPC$
>>> * f.o.o...b.a.r  ->  foo.bar
>>> * S.E.L.E.C.T. .[.U.s.e.r.I.d.]. .F.R.O.M. .[.U.s.e.r.P.r.o.f.i.l.e.].
>>>  -> SELECT [UserId] FROM [UserProfile]
>>>
>>> The shortest string to look for imo should be six characters. Shorter
>>> than that matches too much random garbage:
>>> GREP_OPTIONS=--color=auto ra -nr argus.log -s suser:120 duser:120 - |
grep "[a-zA-Z0-9_ $\\]\.[a-zA-Z0-9_ $\\]\.[a-zA-Z0-9_ $\\]\.[a-zA-Z0-9_
$\\]\.[a-zA-Z0-9_ $\\]\."
>>>
>>>
>>> That way I could do a ra/radump search for 10.2.3.4, and skim through
the data to see if any details help identify the machine (or the user behind
it).
>>>
>>> By stripping off all the binary junk and only keeping human readable
strings I can see stuff like the User Agent, document names, mail addresses,
irc chats, dropbox-connections, logins to various systems, etc. (I can even
grep for stuff if I want to)
>>>
>>> /Elof
>>>
>>>
>>> On Tue, 2 Jul 2013, Carter Bullard wrote:
>>>
>>>> One other thing.  What do we want to do with this ?  Grep for a name?
>>>> We grep on the printer's output buffer, we don't currently grep on
radump()s ouput buffer, so putting the Netbios decode only in radump() will
get us only so far.
>>>>
>>>> Carter
>>>>
>>>> On Jul 2, 2013, at 8:36 AM, Carter Bullard <carter at qosient.com> wrote:
>>>>
>>>>> Hey Elof2,
>>>>> I don't have any problems making the change, just need to know when to
do it.
>>>>> Applying a strange decoding to non-Netbios traffic isn't going to do
much positive.
>>>>>
>>>>> I think we should define a printer, call it "extended", which is where
we implement
>>>>> any of these protocol specific decoding capabilities?
>>>>>
>>>>> OR
>>>>>
>>>>> we just do it in radump(), and leave ra() alone?
>>>>>
>>>>> Carter
>>>>>
>>>>> On Jul 2, 2013, at 8:24 AM, elof2 at sentor.se wrote:
>>>>>
>>>>>>
>>>>>> Hi Carter!
>>>>>>
>>>>>> I see in the manual for radump that it is tcpdump-like.
>>>>>> Would it be lots of work to make it more tshark-like instead?
>>>>>>
>>>>>> tcpdump is not parsing Microsoft networking very well (ports 135,
137-139, 445). Tshark on the other hand usually manages to show what I'm
interested in, i.e. the machine name, domain, login name, etc.
>>>>>>
>>>>>>
>>>>>> It is mainly the Microsoft protocols I need decoded, but naturally
other common protocols that can reveal the identity behind an IP address
would be interesting.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> In my last email I was asking for a function to decode the NetBIOS
half-ASCII.
>>>>>> It would also be nice if data like this:
>>>>>> ......H.&.\.\.E.U.R.S.T.H.L.M.D.C.0.1.\.I.P.C.$.....
>>>>>> was decoded into strings:
>>>>>> ......H.&.\\EURSTHLMDC01\IPC$.....
>>>>>>
>>>>>> /Elof
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radecode
Type: application/octet-stream
Size: 5802 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130702/6f85c3c9/attachment.obj>


More information about the argus mailing list