radump more tshark-like?
Carter Bullard
carter at qosient.com
Tue Jul 2 20:05:23 EDT 2013
Hey Dave,
I've added radecode to the client distribution as ./examples/radecode/radecode.pl.
There is a Makefile.in, that will convert the file to ./bin/radecode, and install it when
one types, "make install".
We'll need a manpage to make it official, so when I upload argus-clients-3.0.7.11
later (maybe tomorrow), grab it and take a look.
Modified it just a simple bit, so that when you do something like this:
./configure --with-perl=/opt/bin/perl
The top of the script will get the right perl.
There is also a README file in the directory, to put development notes, etc...
Now we don't look for the script's dependencies, like tshark() or text2pcap in the
./configure, so if we need to do that, holler, and I can make those additions.
Thanks !!!!!
Carter
On Jul 2, 2013, at 7:06 PM, "David Edelman" <dedelman at iname.com> wrote:
> I actually hit the same problem and came up with a perl script called
> radecode which uses tshark, text2pcap, and ra to do a pretty useful packet
> decode. It is very vaguely based on the style of rahosts but it shows what
> you can do if you want to roll your own client.
>
> Carter, feel free to include and distribute it if you wish. Everyone else is
> free to use and improve it.
>
> --Dave
>
>
>
> radecode -r * -N o3 - udp and host 10.1.1.101 and host 10.1.1.8
> Input from: Standard input
> Output to: /tmp/file11cHA8
> Generate dummy Ethernet header: Protocol: 0x800
> Generate dummy IP header: Protocol: 17
> Generate dummy UDP header: Source port: 63293. Dest port: 161
> Wrote packet of 204 bytes at 0
> Wrote packet of 204 bytes at 204
> Wrote packet of 255 bytes at 408
> Read 3 potential packets, wrote 3 packets
> Running as user "root" and group "root". This could be dangerous.
> Frame 1: 246 bytes on wire (1968 bits), 246 bytes captured (1968 bits)
> WTAP_ENCAP: 1
> Arrival Time: Jul 2, 2013 22:54:39.000000000 UTC
> [Time shift for this packet: 0.000000000 seconds]
> Epoch Time: 1372805679.000000000 seconds
> [Time delta from previous captured frame: 0.000000000 seconds]
> [Time delta from previous displayed frame: 0.000000000 seconds]
> [Time since reference or first frame: 0.000000000 seconds]
> Frame Number: 1
> Frame Length: 246 bytes (1968 bits)
> Capture Length: 246 bytes (1968 bits)
> [Frame is marked: False]
> [Frame is ignored: False]
> [Protocols in frame: eth:ip:udp:snmp:data]
> Ethernet II, Src: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5), Dst:
> 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
> Destination: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
> Address: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
> .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
> Source: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
> Address: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
> .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
> Type: IP (0x0800)
> Internet Protocol Version 4, Src: 10.1.1.101 (10.1.1.101), Dst: 10.1.1.8
> (10.1.1.8)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
> Not-ECT (Not ECN-Capable Transport))
> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
> .... ..00 = Explicit Congestion Notification: Not-ECT (Not
> ECN-Capable Transport) (0x00)
> Total Length: 232
> Identification: 0x1234 (4660)
> Flags: 0x00
> 0... .... = Reserved bit: Not set
> .0.. .... = Don't fragment: Not set
> ..0. .... = More fragments: Not set
> Fragment offset: 0
> Time to live: 64
> Protocol: UDP (17)
> Header checksum: 0x91cb [correct]
> [Good: True]
> [Bad: False]
> Source: 10.1.1.101 (10.1.1.101)
> Destination: 10.1.1.8 (10.1.1.8)
> User Datagram Protocol, Src Port: 63293 (63293), Dst Port: snmp (161)
> Source port: 63293 (63293)
> Destination port: snmp (161)
> Length: 212
> Checksum: 0xa214 [validation disabled]
> [Good Checksum: False]
> [Bad Checksum: False]
> Simple Network Management Protocol
> version: version-1 (0)
> community: public
> data: get-request (0)
> get-request
> request-id: 1588204485
> error-status: noError (0)
> error-index: 0
> variable-bindings: 1 item
> 1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0: Value (Null)
> Object Name: 1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0
> (iso.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0)
> Value (Null)
> Data (153 bytes)
>
> 0000 30 31 02 01 00 04 06 70 75 62 6c 69 63 a0 24 02 01.....public.$.
> 0010 04 5e aa 13 c5 02 01 00 02 01 00 30 16 30 14 06 .^.........0.0..
> 0020 10 2b 06 01 04 01 0b 02 03 09 04 02 01 01 03 03 .+..............
> 0030 00 05 00 30 31 02 01 00 04 06 70 75 62 6c 69 63 ...01.....public
> 0040 a0 24 02 04 5e aa 13 c5 02 01 00 02 01 00 30 16 .$..^.........0.
> 0050 30 14 06 10 2b 06 01 04 01 0b 02 03 09 04 02 01 0...+...........
> 0060 01 03 03 00 05 00 30 31 02 01 00 04 06 70 75 62 ......01.....pub
> 0070 6c 69 63 a0 24 02 04 5e aa 13 c5 02 01 00 02 01 lic.$..^........
> 0080 00 30 16 30 14 06 10 2b 06 01 04 01 0b 02 03 09 .0.0...+........
> 0090 04 02 01 01 03 03 00 05 00 .........
> Data: 303102010004067075626c6963a02402045eaa13c5020100...
> [Length: 153]
>
> Frame 2: 246 bytes on wire (1968 bits), 246 bytes captured (1968 bits)
> WTAP_ENCAP: 1
> Arrival Time: Jul 2, 2013 22:54:39.000001000 UTC
> [Time shift for this packet: 0.000000000 seconds]
> Epoch Time: 1372805679.000001000 seconds
> [Time delta from previous captured frame: 0.000001000 seconds]
> [Time delta from previous displayed frame: 0.000001000 seconds]
> [Time since reference or first frame: 0.000001000 seconds]
> Frame Number: 2
> Frame Length: 246 bytes (1968 bits)
> Capture Length: 246 bytes (1968 bits)
> [Frame is marked: False]
> [Frame is ignored: False]
> [Protocols in frame: eth:ip:udp:snmp:data]
> Ethernet II, Src: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5), Dst:
> 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
> Destination: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
> Address: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
> .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
> Source: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
> Address: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
> .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
> Type: IP (0x0800)
> Internet Protocol Version 4, Src: 10.1.1.101 (10.1.1.101), Dst: 10.1.1.8
> (10.1.1.8)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
> Not-ECT (Not ECN-Capable Transport))
> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
> .... ..00 = Explicit Congestion Notification: Not-ECT (Not
> ECN-Capable Transport) (0x00)
> Total Length: 232
> Identification: 0x1234 (4660)
> Flags: 0x00
> 0... .... = Reserved bit: Not set
> .0.. .... = Don't fragment: Not set
> ..0. .... = More fragments: Not set
> Fragment offset: 0
> Time to live: 64
> Protocol: UDP (17)
> Header checksum: 0x91cb [correct]
> [Good: True]
> [Bad: False]
> Source: 10.1.1.101 (10.1.1.101)
> Destination: 10.1.1.8 (10.1.1.8)
> User Datagram Protocol, Src Port: 63293 (63293), Dst Port: snmp (161)
> Source port: 63293 (63293)
> Destination port: snmp (161)
> Length: 212
> Checksum: 0xa012 [validation disabled]
> [Good Checksum: False]
> [Bad Checksum: False]
> Simple Network Management Protocol
> version: version-1 (0)
> community: public
> data: get-request (0)
> get-request
> request-id: 1588204486
> error-status: noError (0)
> error-index: 0
> variable-bindings: 1 item
> 1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0: Value (Null)
> Object Name: 1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0
> (iso.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0)
> Value (Null)
> Data (153 bytes)
>
> 0000 30 31 02 01 00 04 06 70 75 62 6c 69 63 a0 24 02 01.....public.$.
> 0010 04 5e aa 13 c6 02 01 00 02 01 00 30 16 30 14 06 .^.........0.0..
> 0020 10 2b 06 01 04 01 0b 02 03 09 04 02 01 01 03 03 .+..............
> 0030 00 05 00 30 31 02 01 00 04 06 70 75 62 6c 69 63 ...01.....public
> 0040 a0 24 02 04 5e aa 13 c6 02 01 00 02 01 00 30 16 .$..^.........0.
> 0050 30 14 06 10 2b 06 01 04 01 0b 02 03 09 04 02 01 0...+...........
> 0060 01 03 03 00 05 00 30 31 02 01 00 04 06 70 75 62 ......01.....pub
> 0070 6c 69 63 a0 24 02 04 5e aa 13 c6 02 01 00 02 01 lic.$..^........
> 0080 00 30 16 30 14 06 10 2b 06 01 04 01 0b 02 03 09 .0.0...+........
> 0090 04 02 01 01 03 03 00 05 00 .........
> Data: 303102010004067075626c6963a02402045eaa13c6020100...
> [Length: 153]
>
> Frame 3: 297 bytes on wire (2376 bits), 297 bytes captured (2376 bits)
> WTAP_ENCAP: 1
> Arrival Time: Jul 2, 2013 22:54:39.000002000 UTC
> [Time shift for this packet: 0.000000000 seconds]
> Epoch Time: 1372805679.000002000 seconds
> [Time delta from previous captured frame: 0.000001000 seconds]
> [Time delta from previous displayed frame: 0.000001000 seconds]
> [Time since reference or first frame: 0.000002000 seconds]
> Frame Number: 3
> Frame Length: 297 bytes (2376 bits)
> Capture Length: 297 bytes (2376 bits)
> [Frame is marked: False]
> [Frame is ignored: False]
> [Protocols in frame: eth:ip:udp:snmp:data]
> Ethernet II, Src: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5), Dst:
> 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
> Destination: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
> Address: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
> .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
> Source: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
> Address: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
> .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
> Type: IP (0x0800)
> Internet Protocol Version 4, Src: 10.1.1.101 (10.1.1.101), Dst: 10.1.1.8
> (10.1.1.8)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
> Not-ECT (Not ECN-Capable Transport))
> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
> .... ..00 = Explicit Congestion Notification: Not-ECT (Not
> ECN-Capable Transport) (0x00)
> Total Length: 283
> Identification: 0x1234 (4660)
> Flags: 0x00
> 0... .... = Reserved bit: Not set
> .0.. .... = Don't fragment: Not set
> ..0. .... = More fragments: Not set
> Fragment offset: 0
> Time to live: 64
> Protocol: UDP (17)
> Header checksum: 0x9198 [correct]
> [Good: True]
> [Bad: False]
> Source: 10.1.1.101 (10.1.1.101)
> Destination: 10.1.1.8 (10.1.1.8)
> User Datagram Protocol, Src Port: 63293 (63293), Dst Port: snmp (161)
> Source port: 63293 (63293)
> Destination port: snmp (161)
> Length: 263
> Checksum: 0x2877 [validation disabled]
> [Good Checksum: False]
> [Bad Checksum: False]
> Simple Network Management Protocol
> version: version-1 (0)
> community: public
> data: get-request (0)
> get-request
> request-id: 1588204487
> error-status: noError (0)
> error-index: 0
> variable-bindings: 1 item
> 1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0: Value (Null)
> Object Name: 1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0
> (iso.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0)
> Value (Null)
> Data (204 bytes)
>
> 0000 30 31 02 01 00 04 06 70 75 62 6c 69 63 a0 24 02 01.....public.$.
> 0010 04 5e aa 13 c7 02 01 00 02 01 00 30 16 30 14 06 .^.........0.0..
> 0020 10 2b 06 01 04 01 0b 02 03 09 04 02 01 01 03 03 .+..............
> 0030 00 05 00 30 31 02 01 00 04 06 70 75 62 6c 69 63 ...01.....public
> 0040 a0 24 02 04 5e aa 13 c7 02 01 00 02 01 00 30 16 .$..^.........0.
> 0050 30 14 06 10 2b 06 01 04 01 0b 02 03 09 04 02 01 0...+...........
> 0060 01 03 03 00 05 00 30 31 02 01 00 04 06 70 75 62 ......01.....pub
> 0070 6c 69 63 a0 24 02 04 5e aa 13 c7 02 01 00 02 01 lic.$..^........
> 0080 00 30 16 30 14 06 10 2b 06 01 04 01 0b 02 03 09 .0.0...+........
> 0090 04 02 01 01 03 03 00 05 00 30 31 02 01 00 04 06 .........01.....
> 00a0 70 75 62 6c 69 63 a0 24 02 04 5e aa 13 c7 02 01 public.$..^.....
> 00b0 00 02 01 00 30 16 30 14 06 10 2b 06 01 04 01 0b ....0.0...+.....
> 00c0 02 03 09 04 02 01 01 03 03 00 05 00 ............
> Data: 303102010004067075626c6963a02402045eaa13c7020100...
> [Length: 204]
>
>
>
> -----Original Message-----
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
> Behalf Of Matt Brown
> Sent: Tuesday, July 02, 2013 3:58 PM
> To: Carter Bullard
> Cc: Argus Development
> Subject: Re: [ARGUS] radump more tshark-like?
>
> Had to remove the prepended '0x' with sed, and still seeing some
> errors. Problems are outside of this list though.
>
>
> Thanks,
>
> Matt
>
>
>
> On Jul 2, 2013, at 3:28 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> we have that. the hex printer works well.
>>
>> ra -S argus.source -M printer=hex -s +suser:64 +duser:64
>>
>> Carter
>>
>> On Jul 2, 2013, at 11:27 AM, Matt Brown <matthewbrown at gmail.com> wrote:
>>
>>> Sorry if this is outside this thread...
>>>
>>> It would be great to create a hex output printer that conforms to
>>> something readable by wireshark's text2pcap.
>>>
>>> 000000 0a 0b 0c 0d
>>> ...
>>>
>>> http://www.wireshark.org/docs/man-pages/text2pcap.html
>>>
>>>
>>> Carter, what do you think?
>>>
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>> On Jul 2, 2013, at 10:48 AM, "elof2 at sentor.se" <elof2 at sentor.se> wrote:
>>>
>>>>
>>>> Since ra and radump are pretty simillar, and since people usually use ra
> prior to other ra-tools when browsing through data, I'd say both of them
> should have the new printer.
>>>>
>>>> What I want to do with this new functionality is to try to find the
> identity of an IP by looking at the argus data.
>>>>
>>>> Lets say that I just now got an alert from last week, telling me that IP
> 10.2.3.4 show traces of a malicious bot infection.
>>>> Lets say there are hundreds of different subnets, and no documentation
> of the network. The only thing I know is that 10.2.3.x is some office in
> India.
>>>> I then need to try to figure out as much as possible about 10.2.3.4 in
> order to understand which machine is infected ...to be able to tell the
> technician over which machine to re-install.
>>>>
>>>>
>>>> The following three extended-printers would be nice:
>>>>
>>>> strip-all-binary)
>>>> For all data:
>>>> When printing the user data, only echo printable characters. I.e.
>>>> supress printing all the placeholder dots for binary data.
>>>> decode-netbios-names)
>>>> For UDP data on ports 137 and 138: (or on all data?)
>>>> find half-ASCII strings and convert them to cleartext
>>>> (http://support.microsoft.com/kb/194203)
>>>> decode-barred-smb)
>>>> For all data (or possibly only TCP data on port 445):
>>>> find strings (paths, filenames, UNC paths, etc) that are barred with
>>>> dots and remove the dots, leaving only the clean string.
>>>> * \.\.E.U.R.S.T.H.L.M.D.C.0.1.\.I.P.C.$ -> \\EURSTHLMDC01\IPC$
>>>> * f.o.o...b.a.r -> foo.bar
>>>> * S.E.L.E.C.T. .[.U.s.e.r.I.d.]. .F.R.O.M. .[.U.s.e.r.P.r.o.f.i.l.e.].
>>>> -> SELECT [UserId] FROM [UserProfile]
>>>>
>>>> The shortest string to look for imo should be six characters. Shorter
>>>> than that matches too much random garbage:
>>>> GREP_OPTIONS=--color=auto ra -nr argus.log -s suser:120 duser:120 - |
> grep "[a-zA-Z0-9_ $\\]\.[a-zA-Z0-9_ $\\]\.[a-zA-Z0-9_ $\\]\.[a-zA-Z0-9_
> $\\]\.[a-zA-Z0-9_ $\\]\."
>>>>
>>>>
>>>> That way I could do a ra/radump search for 10.2.3.4, and skim through
> the data to see if any details help identify the machine (or the user behind
> it).
>>>>
>>>> By stripping off all the binary junk and only keeping human readable
> strings I can see stuff like the User Agent, document names, mail addresses,
> irc chats, dropbox-connections, logins to various systems, etc. (I can even
> grep for stuff if I want to)
>>>>
>>>> /Elof
>>>>
>>>>
>>>> On Tue, 2 Jul 2013, Carter Bullard wrote:
>>>>
>>>>> One other thing. What do we want to do with this ? Grep for a name?
>>>>> We grep on the printer's output buffer, we don't currently grep on
> radump()s ouput buffer, so putting the Netbios decode only in radump() will
> get us only so far.
>>>>>
>>>>> Carter
>>>>>
>>>>> On Jul 2, 2013, at 8:36 AM, Carter Bullard <carter at qosient.com> wrote:
>>>>>
>>>>>> Hey Elof2,
>>>>>> I don't have any problems making the change, just need to know when to
> do it.
>>>>>> Applying a strange decoding to non-Netbios traffic isn't going to do
> much positive.
>>>>>>
>>>>>> I think we should define a printer, call it "extended", which is where
> we implement
>>>>>> any of these protocol specific decoding capabilities?
>>>>>>
>>>>>> OR
>>>>>>
>>>>>> we just do it in radump(), and leave ra() alone?
>>>>>>
>>>>>> Carter
>>>>>>
>>>>>> On Jul 2, 2013, at 8:24 AM, elof2 at sentor.se wrote:
>>>>>>
>>>>>>>
>>>>>>> Hi Carter!
>>>>>>>
>>>>>>> I see in the manual for radump that it is tcpdump-like.
>>>>>>> Would it be lots of work to make it more tshark-like instead?
>>>>>>>
>>>>>>> tcpdump is not parsing Microsoft networking very well (ports 135,
> 137-139, 445). Tshark on the other hand usually manages to show what I'm
> interested in, i.e. the machine name, domain, login name, etc.
>>>>>>>
>>>>>>>
>>>>>>> It is mainly the Microsoft protocols I need decoded, but naturally
> other common protocols that can reveal the identity behind an IP address
> would be interesting.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> In my last email I was asking for a function to decode the NetBIOS
> half-ASCII.
>>>>>>> It would also be nice if data like this:
>>>>>>> ......H.&.\.\.E.U.R.S.T.H.L.M.D.C.0.1.\.I.P.C.$.....
>>>>>>> was decoded into strings:
>>>>>>> ......H.&.\\EURSTHLMDC01\IPC$.....
>>>>>>>
>>>>>>> /Elof
>>
> <radecode>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130702/410b73eb/attachment.bin>
More information about the argus
mailing list