radump more tshark-like?

David Edelman dedelman at iname.com
Thu Jul 4 16:45:27 EDT 2013


If you have both tshark and text2pcap from the wireshark distribution in
place and in the path and as long as radecode is set up to be executable and
the shebang line at the top of the script points to your copy of perl then
this should work for you:

$ radecode.pl -r fastflush.argus -N o3 - tcp and host 192.168.100.23

The double -- before the -N o3 (asking for the first three output lines)
might have been a problem, and the missing - followed by white space in front
of the filter expression could also have been a problem.

-----Original Message-----
From: Matt Brown [mailto:matthewbrown at gmail.com] 
Sent: Thursday, July 04, 2013 11:49 AM
To: David Edelman
Cc: Carter Bullard; Argus Development
Subject: Re: [ARGUS] radump more tshark-like?

Thanks Dave.

I was targeting a tcp flow with:

perl radecode.pl -r fastflush.argus - -N o3 tcp and host 192.168.100.23


I only spent maybe 45 or so minutes messing with it the other day.  So
I can't be of much help yet.  Any input you have is appreciated.


Enjoy the holiday,

Matt



On Jul 3, 2013, at 7:30 PM, David Edelman <dedelman at iname.com> wrote:

> Matt,
> I'm glad that you like it and hope that it's useful. The underlying
> text2pcap utility knows about TCP and UDP.
>
> The only two alternatives are to build the pcap file with something else
> or update text2pcap. I'll look into which makes more sense.
>
> --Dave
>
> Dave Edelman
>
>
> On Jul 3, 2013, at 12:16, Matt Brown <matthewbrown at gmail.com> wrote:
>
>> Dave,
>>
>> Very cool!  Thanks for sharing this script.
>>
>> I am having a problem when the SESAME doesn't contain tcp or udp (or
>> matches what appears to be the regex for hex).
>>
>> I modified the script to print some more stuff:
>> http://etherpad.mozilla.org/RDSg72wbmy
>>
>> And this is the output:
>> http://etherpad.mozilla.org/k8gXPyHZdR
>>
>> Most notably is the system call to echo the $contents to $cmd, where
>> $cmd==''
>>
>>
>> Any ideas?
>>
>>
>> Thanks,
>>
>> Matt
>>
>>
>> On Jul 2, 2013, at 8:08 PM, David Edelman <dedelman at iname.com> wrote:
>>
>>> This is what it does with NetBIOS:
>>>
>>> radecode -r * - -N o3  udp and port 137
>>> Input from: Standard input
>>> Output to: /tmp/filexnXS7o
>>> Generate dummy Ethernet header: Protocol: 0x800
>>> Generate dummy IP header: Protocol: 17
>>> Generate dummy UDP header: Source port: 137. Dest port: 137
>>> Wrote packet of 50 bytes at 0
>>> Wrote packet of 62 bytes at 50
>>> Wrote packet of 408 bytes at 112
>>> Read 3 potential packets, wrote 3 packets
>>> Running as user "root" and group "root". This could be dangerous.
>>> Frame 1: 92 bytes on wire (736 bits), 92 bytes captured (736 bits)
