radump more tshark-like?

Matt Brown matthewbrown at gmail.com
Wed Jul 3 12:16:42 EDT 2013


Dave,

Very cool!  Thanks for sharing this script.

I am having a problem when the SESAME doesn't contain tcp or udp (or
matches what appears to be the regex for hex).

I modified the script to print some more stuff:
http://etherpad.mozilla.org/RDSg72wbmy

And this is the output:
http://etherpad.mozilla.org/k8gXPyHZdR

Most notable is the system call to echo the $contents to $cmd, where $cmd==''


Any ideas?


Thanks,

Matt


On Jul 2, 2013, at 8:08 PM, David Edelman <dedelman at iname.com> wrote:

> This is what it does with NetBIOS:
>
> radecode -r * - -N o3  udp and port 137
> Input from: Standard input
> Output to: /tmp/filexnXS7o
> Generate dummy Ethernet header: Protocol: 0x800
> Generate dummy IP header: Protocol: 17
> Generate dummy UDP header: Source port: 137. Dest port: 137
> Wrote packet of 50 bytes at 0
> Wrote packet of 62 bytes at 50
> Wrote packet of 408 bytes at 112
> Read 3 potential packets, wrote 3 packets
> Running as user "root" and group "root". This could be dangerous.
> Frame 1: 92 bytes on wire (736 bits), 92 bytes captured (736 bits)
>    WTAP_ENCAP: 1
>    Arrival Time: Jul  3, 2013 00:04:57.000000000 UTC
>    [Time shift for this packet: 0.000000000 seconds]
>    Epoch Time: 1372809897.000000000 seconds
>    [Time delta from previous captured frame: 0.000000000 seconds]
>    [Time delta from previous displayed frame: 0.000000000 seconds]
>    [Time since reference or first frame: 0.000000000 seconds]
>    Frame Number: 1
>    Frame Length: 92 bytes (736 bits)
>    Capture Length: 92 bytes (736 bits)
>    [Frame is marked: False]
>    [Frame is ignored: False]
>    [Protocols in frame: eth:ip:udp:nbns]
> Ethernet II, Src: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5), Dst:
> f8:e4:fb:19:b6:84 (f8:e4:fb:19:b6:84)
>    Destination: f8:e4:fb:19:b6:84 (f8:e4:fb:19:b6:84)
>        Address: f8:e4:fb:19:b6:84 (f8:e4:fb:19:b6:84)
>        .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>    Source: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
>        Address: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
>        .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>    Type: IP (0x0800)
> Internet Protocol Version 4, Src: 10.1.1.101 (10.1.1.101), Dst: 10.1.1.126
> (10.1.1.126)
>    Version: 4
>    Header length: 20 bytes
>    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
> Not-ECT (Not ECN-Capable Transport))
>        0000 00.. = Differentiated Services Codepoint: Default (0x00)
>        .... ..00 = Explicit Congestion Notification: Not-ECT (Not
> ECN-Capable Transport) (0x00)
>    Total Length: 78
>    Identification: 0x1234 (4660)
>    Flags: 0x00
>        0... .... = Reserved bit: Not set
>        .0.. .... = Don't fragment: Not set
>        ..0. .... = More fragments: Not set
>    Fragment offset: 0
>    Time to live: 64
>    Protocol: UDP (17)
>    Header checksum: 0x9265 [correct]
>        [Good: True]
>        [Bad: False]
>    Source: 10.1.1.101 (10.1.1.101)
>    Destination: 10.1.1.126 (10.1.1.126)
> User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns
> (137)
>    Source port: netbios-ns (137)
>    Destination port: netbios-ns (137)
>    Length: 58
>    Checksum: 0x0b98 [validation disabled]
>        [Good Checksum: False]
>        [Bad Checksum: False]
> NetBIOS Name Service
>    Transaction ID: 0x594e
>    Flags: 0x0110 (Name query)
>        0... .... .... .... = Response: Message is a query
>        .000 0... .... .... = Opcode: Name query (0)
>        .... ..0. .... .... = Truncated: Message is not truncated
>        .... ...1 .... .... = Recursion desired: Do query recursively
>        .... .... ...1 .... = Broadcast: Broadcast packet
>    Questions: 1
>    Answer RRs: 0
>    Authority RRs: 0
>    Additional RRs: 0
>    Queries
>        WORKGROUP<1d>: type NB, class IN
>            Name: WORKGROUP<1d> (Local Master Browser)
>            Type: NB
>            Class: IN
>
> Frame 2: 104 bytes on wire (832 bits), 104 bytes captured (832 bits)
>    WTAP_ENCAP: 1
>    Arrival Time: Jul  3, 2013 00:04:57.000001000 UTC
>    [Time shift for this packet: 0.000000000 seconds]
>    Epoch Time: 1372809897.000001000 seconds
>    [Time delta from previous captured frame: 0.000001000 seconds]
>    [Time delta from previous displayed frame: 0.000001000 seconds]
>    [Time since reference or first frame: 0.000001000 seconds]
>    Frame Number: 2
>    Frame Length: 104 bytes (832 bits)
>    Capture Length: 104 bytes (832 bits)
>    [Frame is marked: False]
>    [Frame is ignored: False]
>    [Protocols in frame: eth:ip:udp:nbns]
> Ethernet II, Src: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5), Dst:
> f8:e4:fb:19:b6:84 (f8:e4:fb:19:b6:84)
>    Destination: f8:e4:fb:19:b6:84 (f8:e4:fb:19:b6:84)
>        Address: f8:e4:fb:19:b6:84 (f8:e4:fb:19:b6:84)
>        .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>    Source: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
>        Address: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
>        .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>    Type: IP (0x0800)
> Internet Protocol Version 4, Src: 10.1.1.101 (10.1.1.101), Dst: 10.1.1.126
> (10.1.1.126)
>    Version: 4
>    Header length: 20 bytes
>    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
> Not-ECT (Not ECN-Capable Transport))
>        0000 00.. = Differentiated Services Codepoint: Default (0x00)
>        .... ..00 = Explicit Congestion Notification: Not-ECT (Not
> ECN-Capable Transport) (0x00)
>    Total Length: 90
>    Identification: 0x1234 (4660)
>    Flags: 0x00
>        0... .... = Reserved bit: Not set
>        .0.. .... = Don't fragment: Not set
>        ..0. .... = More fragments: Not set
>    Fragment offset: 0
>    Time to live: 64
>    Protocol: UDP (17)
>    Header checksum: 0x9259 [correct]
>        [Good: True]
>        [Bad: False]
>    Source: 10.1.1.101 (10.1.1.101)
>    Destination: 10.1.1.126 (10.1.1.126)
> User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns
> (137)
>    Source port: netbios-ns (137)
>    Destination port: netbios-ns (137)
>    Length: 70
>    Checksum: 0x8872 [validation disabled]
>        [Good Checksum: False]
>        [Bad Checksum: False]
> NetBIOS Name Service
>    Transaction ID: 0x594e
>    Flags: 0x8500 (Name query response, No error)
>        1... .... .... .... = Response: Message is a response
>        .000 0... .... .... = Opcode: Name query (0)
>        .... .1.. .... .... = Authoritative: Server is an authority for
> domain
>        .... ..0. .... .... = Truncated: Message is not truncated
>        .... ...1 .... .... = Recursion desired: Do query recursively
>        .... .... 0... .... = Recursion available: Server can't do recursive
> queries
>        .... .... ...0 .... = Broadcast: Not a broadcast packet
>        .... .... .... 0000 = Reply code: No error (0)
>    Questions: 0
>    Answer RRs: 1
>    Authority RRs: 0
>    Additional RRs: 0
>    Answers
>        WORKGROUP<1d>: type NB, class IN
>            Name: WORKGROUP<1d> (Local Master Browser)
>            Type: NB
>            Class: IN
>            Time to live: 3 days, 11 hours, 20 minutes
>            Data length: 6
>            Flags: 0x6000 (H-node, unique)
>                0... .... .... .... = Unique name
>                .11. .... .... .... = H-node
>            Addr: 10.1.1.49
>
> Frame 3: 450 bytes on wire (3600 bits), 450 bytes captured (3600 bits)
>    WTAP_ENCAP: 1
>    Arrival Time: Jul  3, 2013 00:04:57.000002000 UTC
>    [Time shift for this packet: 0.000000000 seconds]
>    Epoch Time: 1372809897.000002000 seconds
>    [Time delta from previous captured frame: 0.000001000 seconds]
>    [Time delta from previous displayed frame: 0.000001000 seconds]
>    [Time since reference or first frame: 0.000002000 seconds]
>    Frame Number: 3
>    Frame Length: 450 bytes (3600 bits)
>    Capture Length: 450 bytes (3600 bits)
>    [Frame is marked: False]
>    [Frame is ignored: False]
>    [Protocols in frame: eth:ip:udp:nbns]
> Ethernet II, Src: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5), Dst:
> f8:e4:fb:19:b6:84 (f8:e4:fb:19:b6:84)
>    Destination: f8:e4:fb:19:b6:84 (f8:e4:fb:19:b6:84)
>        Address: f8:e4:fb:19:b6:84 (f8:e4:fb:19:b6:84)
>        .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>    Source: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
>        Address: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
>        .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>    Type: IP (0x0800)
> Internet Protocol Version 4, Src: 10.1.1.101 (10.1.1.101), Dst: 10.1.1.126
> (10.1.1.126)
>    Version: 4
>    Header length: 20 bytes
>    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
> Not-ECT (Not ECN-Capable Transport))
>        0000 00.. = Differentiated Services Codepoint: Default (0x00)
>        .... ..00 = Explicit Congestion Notification: Not-ECT (Not
> ECN-Capable Transport) (0x00)
>    Total Length: 436
>    Identification: 0x1234 (4660)
>    Flags: 0x00
>        0... .... = Reserved bit: Not set
>        .0.. .... = Don't fragment: Not set
>        ..0. .... = More fragments: Not set
>    Fragment offset: 0
>    Time to live: 64
>    Protocol: UDP (17)
>    Header checksum: 0x90ff [correct]
>        [Good: True]
>        [Bad: False]
>    Source: 10.1.1.101 (10.1.1.101)
>    Destination: 10.1.1.126 (10.1.1.126)
> User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns
> (137)
>    Source port: netbios-ns (137)
>    Destination port: netbios-ns (137)
>    Length: 416
>    Checksum: 0x3525 [validation disabled]
>        [Good Checksum: False]
>        [Bad Checksum: False]
> NetBIOS Name Service
>    Transaction ID: 0x594f
>    Flags: 0x2900 (Registration)
>        0... .... .... .... = Response: Message is a query
>        .010 1... .... .... = Opcode: Registration (5)
>        .... ..0. .... .... = Truncated: Message is not truncated
>        .... ...1 .... .... = Recursion desired: Do query recursively
>        .... .... ...0 .... = Broadcast: Not a broadcast packet
>    Questions: 1
>    Answer RRs: 0
>    Authority RRs: 0
>    Additional RRs: 1
>    Queries
>        <01><02>SMB_NSCHECK<ff>: type NB, class IN
>            Name: <01><02>SMB_NSCHECK<ff> (Unknown)
>            Type: NB
>            Class: IN
>    Additional records
>        <01><02>SMB_NSCHECK<ff>: type NB, class IN
>            Name: <01><02>SMB_NSCHECK<ff> (Unknown)
>            Type: NB
>            Class: IN
>            Time to live: 15 minutes
>            Data length: 6
>            Flags: 0xe000 (H-node, group)
>                1... .... .... .... = Group name
>                .11. .... .... .... = H-node
>            Addr: 10.1.1.101
>
>
>
>
> -----Original Message-----
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
> Behalf Of David Edelman
> Sent: Tuesday, July 02, 2013 7:06 PM
> To: 'Matt Brown'; 'Carter Bullard'
> Cc: 'Argus Development'
> Subject: Re: [ARGUS] radump more tshark-like?
>
> I actually hit the same problem and came up with a perl script called
> radecode which uses tshark, text2pcap, and ra to do a pretty useful packet
> decode. It is very vaguely based on the style of rahosts but it shows what
> you can do if you want to roll your own client.
>
> Carter, feel free to include and distribute it if you wish. Everyone else is
> free to use and improve it.
>
> --Dave
>
>
>
> radecode -r *  -N o3 -   udp and host 10.1.1.101 and host 10.1.1.8
> Input from: Standard input
> Output to: /tmp/file11cHA8
> Generate dummy Ethernet header: Protocol: 0x800
> Generate dummy IP header: Protocol: 17
> Generate dummy UDP header: Source port: 63293. Dest port: 161
> Wrote packet of 204 bytes at 0
> Wrote packet of 204 bytes at 204
> Wrote packet of 255 bytes at 408
> Read 3 potential packets, wrote 3 packets
> Running as user "root" and group "root". This could be dangerous.
> Frame 1: 246 bytes on wire (1968 bits), 246 bytes captured (1968 bits)
>    WTAP_ENCAP: 1
>    Arrival Time: Jul  2, 2013 22:54:39.000000000 UTC
>    [Time shift for this packet: 0.000000000 seconds]
>    Epoch Time: 1372805679.000000000 seconds
>    [Time delta from previous captured frame: 0.000000000 seconds]
>    [Time delta from previous displayed frame: 0.000000000 seconds]
>    [Time since reference or first frame: 0.000000000 seconds]
>    Frame Number: 1
>    Frame Length: 246 bytes (1968 bits)
>    Capture Length: 246 bytes (1968 bits)
>    [Frame is marked: False]
>    [Frame is ignored: False]
>    [Protocols in frame: eth:ip:udp:snmp:data]
> Ethernet II, Src: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5), Dst:
> 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
>    Destination: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
>        Address: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
>        .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>    Source: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
>        Address: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
>        .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>    Type: IP (0x0800)
> Internet Protocol Version 4, Src: 10.1.1.101 (10.1.1.101), Dst: 10.1.1.8
> (10.1.1.8)
>    Version: 4
>    Header length: 20 bytes
>    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
> Not-ECT (Not ECN-Capable Transport))
>        0000 00.. = Differentiated Services Codepoint: Default (0x00)
>        .... ..00 = Explicit Congestion Notification: Not-ECT (Not
> ECN-Capable Transport) (0x00)
>    Total Length: 232
>    Identification: 0x1234 (4660)
>    Flags: 0x00
>        0... .... = Reserved bit: Not set
>        .0.. .... = Don't fragment: Not set
>        ..0. .... = More fragments: Not set
>    Fragment offset: 0
>    Time to live: 64
>    Protocol: UDP (17)
>    Header checksum: 0x91cb [correct]
>        [Good: True]
>        [Bad: False]
>    Source: 10.1.1.101 (10.1.1.101)
>    Destination: 10.1.1.8 (10.1.1.8)
> User Datagram Protocol, Src Port: 63293 (63293), Dst Port: snmp (161)
>    Source port: 63293 (63293)
>    Destination port: snmp (161)
>    Length: 212
>    Checksum: 0xa214 [validation disabled]
>        [Good Checksum: False]
>        [Bad Checksum: False]
> Simple Network Management Protocol
>    version: version-1 (0)
>    community: public
>    data: get-request (0)
>        get-request
>            request-id: 1588204485
>            error-status: noError (0)
>            error-index: 0
>            variable-bindings: 1 item
>                1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0: Value (Null)
>                    Object Name: 1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0
> (iso.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0)
>                    Value (Null)
> Data (153 bytes)
>
> 0000  30 31 02 01 00 04 06 70 75 62 6c 69 63 a0 24 02   01.....public.$.
> 0010  04 5e aa 13 c5 02 01 00 02 01 00 30 16 30 14 06   .^.........0.0..
> 0020  10 2b 06 01 04 01 0b 02 03 09 04 02 01 01 03 03   .+..............
> 0030  00 05 00 30 31 02 01 00 04 06 70 75 62 6c 69 63   ...01.....public
> 0040  a0 24 02 04 5e aa 13 c5 02 01 00 02 01 00 30 16   .$..^.........0.
> 0050  30 14 06 10 2b 06 01 04 01 0b 02 03 09 04 02 01   0...+...........
> 0060  01 03 03 00 05 00 30 31 02 01 00 04 06 70 75 62   ......01.....pub
> 0070  6c 69 63 a0 24 02 04 5e aa 13 c5 02 01 00 02 01   lic.$..^........
> 0080  00 30 16 30 14 06 10 2b 06 01 04 01 0b 02 03 09   .0.0...+........
> 0090  04 02 01 01 03 03 00 05 00                        .........
>    Data: 303102010004067075626c6963a02402045eaa13c5020100...
>    [Length: 153]
>
> Frame 2: 246 bytes on wire (1968 bits), 246 bytes captured (1968 bits)
>    WTAP_ENCAP: 1
>    Arrival Time: Jul  2, 2013 22:54:39.000001000 UTC
>    [Time shift for this packet: 0.000000000 seconds]
>    Epoch Time: 1372805679.000001000 seconds
>    [Time delta from previous captured frame: 0.000001000 seconds]
>    [Time delta from previous displayed frame: 0.000001000 seconds]
>    [Time since reference or first frame: 0.000001000 seconds]
>    Frame Number: 2
>    Frame Length: 246 bytes (1968 bits)
>    Capture Length: 246 bytes (1968 bits)
>    [Frame is marked: False]
>    [Frame is ignored: False]
>    [Protocols in frame: eth:ip:udp:snmp:data]
> Ethernet II, Src: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5), Dst:
> 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
>    Destination: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
>        Address: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
>        .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>    Source: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
>        Address: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
>        .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>    Type: IP (0x0800)
> Internet Protocol Version 4, Src: 10.1.1.101 (10.1.1.101), Dst: 10.1.1.8
> (10.1.1.8)
>    Version: 4
>    Header length: 20 bytes
>    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
> Not-ECT (Not ECN-Capable Transport))
>        0000 00.. = Differentiated Services Codepoint: Default (0x00)
>        .... ..00 = Explicit Congestion Notification: Not-ECT (Not
> ECN-Capable Transport) (0x00)
>    Total Length: 232
>    Identification: 0x1234 (4660)
>    Flags: 0x00
>        0... .... = Reserved bit: Not set
>        .0.. .... = Don't fragment: Not set
>        ..0. .... = More fragments: Not set
>    Fragment offset: 0
>    Time to live: 64
>    Protocol: UDP (17)
>    Header checksum: 0x91cb [correct]
>        [Good: True]
>        [Bad: False]
>    Source: 10.1.1.101 (10.1.1.101)
>    Destination: 10.1.1.8 (10.1.1.8)
> User Datagram Protocol, Src Port: 63293 (63293), Dst Port: snmp (161)
>    Source port: 63293 (63293)
>    Destination port: snmp (161)
>    Length: 212
>    Checksum: 0xa012 [validation disabled]
>        [Good Checksum: False]
>        [Bad Checksum: False]
> Simple Network Management Protocol
>    version: version-1 (0)
>    community: public
>    data: get-request (0)
>        get-request
>            request-id: 1588204486
>            error-status: noError (0)
>            error-index: 0
>            variable-bindings: 1 item
>                1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0: Value (Null)
>                    Object Name: 1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0
> (iso.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0)
>                    Value (Null)
> Data (153 bytes)
>
> 0000  30 31 02 01 00 04 06 70 75 62 6c 69 63 a0 24 02   01.....public.$.
> 0010  04 5e aa 13 c6 02 01 00 02 01 00 30 16 30 14 06   .^.........0.0..
> 0020  10 2b 06 01 04 01 0b 02 03 09 04 02 01 01 03 03   .+..............
> 0030  00 05 00 30 31 02 01 00 04 06 70 75 62 6c 69 63   ...01.....public
> 0040  a0 24 02 04 5e aa 13 c6 02 01 00 02 01 00 30 16   .$..^.........0.
> 0050  30 14 06 10 2b 06 01 04 01 0b 02 03 09 04 02 01   0...+...........
> 0060  01 03 03 00 05 00 30 31 02 01 00 04 06 70 75 62   ......01.....pub
> 0070  6c 69 63 a0 24 02 04 5e aa 13 c6 02 01 00 02 01   lic.$..^........
> 0080  00 30 16 30 14 06 10 2b 06 01 04 01 0b 02 03 09   .0.0...+........
> 0090  04 02 01 01 03 03 00 05 00                        .........
>    Data: 303102010004067075626c6963a02402045eaa13c6020100...
>    [Length: 153]
>
> Frame 3: 297 bytes on wire (2376 bits), 297 bytes captured (2376 bits)
>    WTAP_ENCAP: 1
>    Arrival Time: Jul  2, 2013 22:54:39.000002000 UTC
>    [Time shift for this packet: 0.000000000 seconds]
>    Epoch Time: 1372805679.000002000 seconds
>    [Time delta from previous captured frame: 0.000001000 seconds]
>    [Time delta from previous displayed frame: 0.000001000 seconds]
>    [Time since reference or first frame: 0.000002000 seconds]
>    Frame Number: 3
>    Frame Length: 297 bytes (2376 bits)
>    Capture Length: 297 bytes (2376 bits)
>    [Frame is marked: False]
>    [Frame is ignored: False]
>    [Protocols in frame: eth:ip:udp:snmp:data]
> Ethernet II, Src: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5), Dst:
> 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
>    Destination: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
>        Address: 78:ac:c0:61:3e:d4 (78:ac:c0:61:3e:d4)
>        .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>    Source: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
>        Address: 3c:07:54:5b:be:b5 (3c:07:54:5b:be:b5)
>        .... ..1. .... .... .... .... = LG bit: Locally administered address
> (this is NOT the factory default)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>    Type: IP (0x0800)
> Internet Protocol Version 4, Src: 10.1.1.101 (10.1.1.101), Dst: 10.1.1.8
> (10.1.1.8)
>    Version: 4
>    Header length: 20 bytes
>    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
> Not-ECT (Not ECN-Capable Transport))
>        0000 00.. = Differentiated Services Codepoint: Default (0x00)
>        .... ..00 = Explicit Congestion Notification: Not-ECT (Not
> ECN-Capable Transport) (0x00)
>    Total Length: 283
>    Identification: 0x1234 (4660)
>    Flags: 0x00
>        0... .... = Reserved bit: Not set
>        .0.. .... = Don't fragment: Not set
>        ..0. .... = More fragments: Not set
>    Fragment offset: 0
>    Time to live: 64
>    Protocol: UDP (17)
>    Header checksum: 0x9198 [correct]
>        [Good: True]
>        [Bad: False]
>    Source: 10.1.1.101 (10.1.1.101)
>    Destination: 10.1.1.8 (10.1.1.8)
> User Datagram Protocol, Src Port: 63293 (63293), Dst Port: snmp (161)
>    Source port: 63293 (63293)
>    Destination port: snmp (161)
>    Length: 263
>    Checksum: 0x2877 [validation disabled]
>        [Good Checksum: False]
>        [Bad Checksum: False]
> Simple Network Management Protocol
>    version: version-1 (0)
>    community: public
>    data: get-request (0)
>        get-request
>            request-id: 1588204487
>            error-status: noError (0)
>            error-index: 0
>            variable-bindings: 1 item
>                1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0: Value (Null)
>                    Object Name: 1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0
> (iso.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0)
>                    Value (Null)
> Data (204 bytes)
>
> 0000  30 31 02 01 00 04 06 70 75 62 6c 69 63 a0 24 02   01.....public.$.
> 0010  04 5e aa 13 c7 02 01 00 02 01 00 30 16 30 14 06   .^.........0.0..
> 0020  10 2b 06 01 04 01 0b 02 03 09 04 02 01 01 03 03   .+..............
> 0030  00 05 00 30 31 02 01 00 04 06 70 75 62 6c 69 63   ...01.....public
> 0040  a0 24 02 04 5e aa 13 c7 02 01 00 02 01 00 30 16   .$..^.........0.
> 0050  30 14 06 10 2b 06 01 04 01 0b 02 03 09 04 02 01   0...+...........
> 0060  01 03 03 00 05 00 30 31 02 01 00 04 06 70 75 62   ......01.....pub
> 0070  6c 69 63 a0 24 02 04 5e aa 13 c7 02 01 00 02 01   lic.$..^........
> 0080  00 30 16 30 14 06 10 2b 06 01 04 01 0b 02 03 09   .0.0...+........
> 0090  04 02 01 01 03 03 00 05 00 30 31 02 01 00 04 06   .........01.....
> 00a0  70 75 62 6c 69 63 a0 24 02 04 5e aa 13 c7 02 01   public.$..^.....
> 00b0  00 02 01 00 30 16 30 14 06 10 2b 06 01 04 01 0b   ....0.0...+.....
> 00c0  02 03 09 04 02 01 01 03 03 00 05 00               ............
>    Data: 303102010004067075626c6963a02402045eaa13c7020100...
>    [Length: 204]
>
>
>
> -----Original Message-----
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
> Behalf Of Matt Brown
> Sent: Tuesday, July 02, 2013 3:58 PM
> To: Carter Bullard
> Cc: Argus Development
> Subject: Re: [ARGUS] radump more tshark-like?
>
> Had to remove the prepended '0x' with sed, and still seeing some
> errors.  Problems are outside of this list though.
>
>
> Thanks,
>
> Matt
>
>
>
> On Jul 2, 2013, at 3:28 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> we have that.  the hex printer works well.
>>
>>  ra -S argus.source -M printer=hex -s +suser:64 +duser:64
>>
>> Carter
>>
>> On Jul 2, 2013, at 11:27 AM, Matt Brown <matthewbrown at gmail.com> wrote:
>>
>>> Sorry if this is outside this thread...
>>>
>>> It would be great to create a hex output printer that conforms to
>>> something readable by wireshark's text2pcap.
>>>
>>> 000000 0a 0b 0c 0d
>>> ...
>>>
>>> http://www.wireshark.org/docs/man-pages/text2pcap.html
>>>
>>>
>>> Carter, what do you think?
>>>
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>> On Jul 2, 2013, at 10:48 AM, "elof2 at sentor.se" <elof2 at sentor.se> wrote:
>>>
>>>>
>>>> Since ra and radump are pretty similar, and since people usually use ra
> prior to other ra-tools when browsing through data, I'd say both of them
> should have the new printer.
>>>>
>>>> What I want to do with this new functionality is to try to find the
> identity of an IP by looking at the argus data.
>>>>
>>>> Let's say that I just now got an alert from last week, telling me that IP
> 10.2.3.4 show traces of a malicious bot infection.
>>>> Let's say there are hundreds of different subnets, and no documentation
> of the network. The only thing I know is that 10.2.3.x is some office in
> India.
>>>> I then need to try to figure out as much as possible about 10.2.3.4 in
> order to understand which machine is infected ...to be able to tell the
> technician over which machine to re-install.
>>>>
>>>>
>>>> The following three extended-printers would be nice:
>>>>
>>>> strip-all-binary)
>>>> For all data:
>>>> When printing the user data, only echo printable characters. I.e.
>>>> suppress printing all the placeholder dots for binary data.
>>>> decode-netbios-names)
>>>> For UDP data on ports 137 and 138: (or on all data?)
>>>> find half-ASCII strings and convert them to cleartext
>>>> (http://support.microsoft.com/kb/194203)
>>>> decode-barred-smb)
>>>> For all data (or possibly only TCP data on port 445):
>>>> find strings (paths, filenames, UNC paths, etc) that are barred with
>>>> dots and remove the dots, leaving only the clean string.
>>>> * \.\.E.U.R.S.T.H.L.M.D.C.0.1.\.I.P.C.$   ->   \\EURSTHLMDC01\IPC$
>>>> * f.o.o...b.a.r  ->  foo.bar
>>>> * S.E.L.E.C.T. .[.U.s.e.r.I.d.]. .F.R.O.M. .[.U.s.e.r.P.r.o.f.i.l.e.].
>>>> -> SELECT [UserId] FROM [UserProfile]
>>>>
>>>> The shortest string to look for imo should be six characters. Shorter
>>>> than that matches too much random garbage:
>>>> GREP_OPTIONS=--color=auto ra -nr argus.log -s suser:120 duser:120 - |
> grep "[a-zA-Z0-9_ $\\]\.[a-zA-Z0-9_ $\\]\.[a-zA-Z0-9_ $\\]\.[a-zA-Z0-9_
> $\\]\.[a-zA-Z0-9_ $\\]\."
>>>>
>>>>
>>>> That way I could do a ra/radump search for 10.2.3.4, and skim through
> the data to see if any details help identify the machine (or the user behind
> it).
>>>>
>>>> By stripping off all the binary junk and only keeping human readable
> strings I can see stuff like the User Agent, document names, mail addresses,
> irc chats, dropbox-connections, logins to various systems, etc. (I can even
> grep for stuff if I want to)
>>>>
>>>> /Elof
>>>>
>>>>
>>>> On Tue, 2 Jul 2013, Carter Bullard wrote:
>>>>
>>>>> One other thing.  What do we want to do with this ?  Grep for a name?
>>>>> We grep on the printer's output buffer, we don't currently grep on
> radump()'s output buffer, so putting the Netbios decode only in radump() will
> get us only so far.
>>>>>
>>>>> Carter
>>>>>
>>>>> On Jul 2, 2013, at 8:36 AM, Carter Bullard <carter at qosient.com> wrote:
>>>>>
>>>>>> Hey Elof2,
>>>>>> I don't have any problems making the change, just need to know when to
> do it.
>>>>>> Applying a strange decoding to non-Netbios traffic isn't going to do
> much positive.
>>>>>>
>>>>>> I think we should define a printer, call it "extended", which is where
> we implement
>>>>>> any of these protocol specific decoding capabilities?
>>>>>>
>>>>>> OR
>>>>>>
>>>>>> we just do it in radump(), and leave ra() alone?
>>>>>>
>>>>>> Carter
>>>>>>
>>>>>> On Jul 2, 2013, at 8:24 AM, elof2 at sentor.se wrote:
>>>>>>
>>>>>>>
>>>>>>> Hi Carter!
>>>>>>>
>>>>>>> I see in the manual for radump that it is tcpdump-like.
>>>>>>> Would it be lots of work to make it more tshark-like instead?
>>>>>>>
>>>>>>> tcpdump is not parsing Microsoft networking very well (ports 135,
> 137-139, 445). Tshark on the other hand usually manages to show what I'm
> interested in, i.e. the machine name, domain, login name, etc.
>>>>>>>
>>>>>>>
>>>>>>> It is mainly the Microsoft protocols I need decoded, but naturally
> other common protocols that can reveal the identity behind an IP address
> would be interesting.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> In my last email I was asking for a function to decode the NetBIOS
> half-ASCII.
>>>>>>> It would also be nice if data like this:
>>>>>>> ......H.&.\.\.E.U.R.S.T.H.L.M.D.C.0.1.\.I.P.C.$.....
>>>>>>> was decoded into strings:
>>>>>>> ......H.&.\\EURSTHLMDC01\IPC$.....
>>>>>>>
>>>>>>> /Elof
>
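Worked example, added here by the editor and not code from this thread, from Dave's radecode script or from the argus project: a small Python implementation of the three "extended" printers Elof asks for (strip-all-binary, decode-netbios-names, decode-barred-smb), working from the raw bytes of ra's hex printer rather than from the dotted ASCII output, so a "." placeholder for a binary byte can never be confused with a real "." in a string. It also includes a formatter that emits the text2pcap-style "000000 0a 0b 0c 0d" lines Matt suggests. All function names are mine, and SAMPLE is constructed sample data, not a capture.

```python
import re

# --- hex printer output -> bytes --------------------------------------------
# `ra -M printer=hex -s +suser:64 +duser:64` prints the user buffers as hex;
# Matt reports a prepended "0x".  Accept both, ignore whitespace, and drop a
# dangling odd nibble rather than raising.
def hex_to_bytes(hexstr: str) -> bytes:
    h = re.sub(r"\s+", "", hexstr)
    if h[:2].lower() == "0x":
        h = h[2:]
    if len(h) % 2:
        h = h[:-1]
    return bytes.fromhex(h)

# --- text2pcap-style dump: "offset xx xx xx ..." one frame per call ----------
def to_text2pcap(data: bytes, width: int = 16) -> str:
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        lines.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in chunk))
    return "\n".join(lines) + "\n"

# --- "strip-all-binary": keep only runs of printable ASCII --------------------
# Elof's six-character minimum is the default; shorter runs are mostly noise.
def printable_strings(data: bytes, min_len: int = 6) -> list:
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]

# --- "decode-barred-smb": what ra shows as E.U.R.S.T.H.L.M. is UTF-16LE -------
# On raw bytes the pattern is exact: printable ASCII byte, NUL, repeated.
def utf16le_strings(data: bytes, min_len: int = 6) -> list:
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]

# --- "decode-netbios-names": RFC 1001 first-level ("half-ASCII") encoding -----
# Each of the 16 name bytes is split into two nibbles; nibble n is sent as the
# letter chr(ord('A') + n), so the name becomes 32 letters from A-P.  Byte 16
# is the suffix (<1d> = local master browser, <20> = file server, ...).  On the
# wire the label is preceded by its length byte 0x20 and followed by 0x00;
# requiring both keeps random 32-letter runs from being "decoded".
NBNAME_LABEL = re.compile(rb"\x20([A-P]{32})\x00")

def decode_netbios_name(encoded: bytes) -> str:
    if re.fullmatch(rb"[A-P]{32}", encoded) is None:
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    name = raw[:15].decode("ascii", "replace").rstrip(" ")
    return f"{name}<{raw[15]:02x}>"

def netbios_names(data: bytes) -> list:
    return [decode_netbios_name(m.group(1)) for m in NBNAME_LABEL.finditer(data)]

# --- the "extended" printer: everything a host-identification search wants ---
def extended_decode(hexstr: str) -> dict:
    data = hex_to_bytes(hexstr)
    return {
        "strings": printable_strings(data),
        "utf16": utf16le_strings(data),
        "netbios": netbios_names(data),
    }

# Constructed sample, not a real capture: an NBNS-style question carrying the
# encoded name WORKGROUP<1d>, a few binary bytes, then a UNC path the way SMB
# carries it (UTF-16LE).
SAMPLE = (
    b"\x59\x4e\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
    + b"\x20" + b"FHEPFCELEHFCEPFFFACACACACACACABN" + b"\x00"
    + b"\x00\x20\x00\x01"
    + b"\x48\x26" + "\\\\EURSTHLMDC01\\IPC$".encode("utf-16-le") + b"\x00\x00"
)
SAMPLE_HEX = "0x" + SAMPLE.hex()

if __name__ == "__main__":
    print(to_text2pcap(SAMPLE))
    for kind, values in extended_decode(SAMPLE_HEX).items():
        print(f"{kind:8s} {values}")
```

On the sample, the strip-all-binary pass shows the 32-letter encoded label, the UTF-16LE pass yields `\\EURSTHLMDC01\IPC$` exactly as Elof wants it, and the NetBIOS pass yields `WORKGROUP<1d>`. Working on bytes is the point: the dotted printer cannot tell a NUL from a literal "." (Elof's `f.o.o...b.a.r` case), whereas the hex printer preserves that distinction, so the same data fed to text2pcap and tshark and to this decoder agree.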


