LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   anybody know what these packets are ? (https://www.linuxquestions.org/questions/linux-security-4/anybody-know-what-these-packets-are-51407/)

mr.moto 03-23-2003 11:31 PM
anybody know what these packets are ?
 
I see these packets in pairs . Clearly they are something to do with netbios

and it looks like the firewall is blocking them . What are they trying to do ?


thanx


>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x100
OpCode=0
NmFlags=0x1
Rcode=0
QueryCount=1
AnsweerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=* NameType=0x00 (Workstation)
QuestionType=0x21
QuestionClass=0x1

(ttl 110, id28542, len 78)
0x0000 4500 004e 6f7e 0000 6e11 991e 4474 633d E..No~..n...Dtc=
0x0010 d827 c429 0403 0089 003a 77a2 0100 0010 .'.).....:w.....
0x0020 0001 0000 0000 0000 2043 4b41 4141 4141 .........CKAAAAA
0x0030 4141 4141 "here all the same " AAAAAAAAAAAAAA
0x0040 "all the same hex 4141 here too " AAAAAAAAA..!..
23:19:14.531313 HOST-xxx-xx-xx-xx.xxx.com >ts46-04-qdr1339.porch.wa.chart.com
: icmp: HOST-xxx-xx-xxx-xx.xxx.com udp port netbios-ns unreachable for ts-04-qdr1339
.porch.wa.charter.com.1027 > HOST-xxx-xx-xxx-xx.xxx.com.netbios-ns:
c

unSpawn 03-24-2003 03:18 AM
If you mean "pair", you probably mean a request and reply pair?
Could post a scrubbed (rip our your IP using Snort or Netdude) dump somewhere? Else could you post a proper ASCII-fied packet from the dump for both?

mr.moto 03-24-2003 11:27 PM
I didn't think I was opening such a can of worms.... forget
the original question ...how can I scrub and/or ASCII-fied the packet dumps
that would be more important to learn .... thank you for your time

unSpawn 03-25-2003 03:17 AM
Well, that depends on what scrubbing it needs and your tools.
It's common for ppl to post packet dumps w/o their own network/whateverelse info, minimizing the risk of having more nosey ppl scanning your network, especially if you're dealing with (reporting) badly configured/vulnerable services.
If you have Snort, you can have it scrub a tcpdump for your $HOME_NET variable (option -B), which works well for streams, but if it's just one packet you're sending off you might as well scrub it using Netdude which can also fix the packet checksums.
To print a dump in ASCII, run it tru tcpdump (-r <dump>) and use -x -X to print a Hexadecimal *and* ASCII representation. If you don't want to wait for network/service translation add "-n -nn".
Of course you could as well do "tcpdump -r <infile> 'not icmp' | sed -e "s/11.22.33.44/my.network/g" > <outfile>".
Also note the "not icmp" between single quotes, that's called a BPF filter, with a syntax similar to how you would select following a TCP stream in Ethereal. It allows you to output only certain packets. read more in man tcpdump.


All times are GMT -5. The time now is 04:42 PM.