Bill Royds wrote: > > The netbios Name query/response packets are in the same format as DNS > query/response packets, just on port 137 instead of 53 *ding* They're not even remotely related. Do a dump of a netbios name query and you'll see a string like "IJDFYEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" where each letter is one nibble (4 bits), plus 'A' (which means that each "AA" pair is in fact a representation of NUL.) Do a dump of a DNS query and you'll see a string like "www.bustyvixens.com" umm .. ^H^H^H^H^H^H^H^H^H^H^H^Hmicrosoft.com" (Of course, the protocol structs differs entirely too; this is just the most obvious way of showing the difference.) You're probably getting fooled by the fact that some windows machines (win9x? i forget) likes originating DNS queries (destination port 53) from port 137. -- Mikael Olsson, Clavister AB Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05 Fax: +46 (0)660 122 50 WWW: http://www.clavister.com "Senex semper diu dormit" _______________________________________________ firewall-wizards mailing list firewall-wizardsat_private http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 11:42:15 PDT