Below is an example of a WINS port 137/udp packet broken out by Ethereal and a DNS packet. Notice the basic similarity, with WINS adding a few flags and encoding the text differently. Using the Ethereal code may allow you to create your own extractor. This comes from my home LAN.

===============================================================================================
Frame 18 (104 bytes on wire, 104 bytes captured)
    Arrival Time: Oct 14, 2002 17:26:30.373491000
    Time delta from previous packet: 0.000102000 seconds
    Time relative to first packet: 271.548191000 seconds
    Frame Number: 18
    Packet Length: 104 bytes
    Capture Length: 104 bytes
Ethernet II, Src: 00:80:c8:de:8b:7d, Dst: 00:00:e8:55:6c:b2
    Destination: 00:00:e8:55:6c:b2 (ACCTON_55:6c:b2)
    Source: 00:80:c8:de:8b:7d (BILL-NT)
    Type: IP (0x0800)
Internet Protocol, Src Addr: BILL-NT (192.168.0.95), Dst Addr: RHODA (192.168.0.108)
    Version: 4
    Header length: 20 bytes
    Type of service: 0x00 (None)
        000. .... = Precedence: routine (0)
        ...0 .... = Delay: Normal
        .... 0... = Throughput: Normal
        .... .0.. = Reliability: Normal
        .... ..0. = Cost: Normal
    Total Length: 90
    Identification: 0x863b
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x323c (correct)
    Source: BILL-NT (192.168.0.95)
    Destination: RHODA (192.168.0.108)
User Datagram Protocol, Src Port: nbname (137), Dst Port: nbname (137)
    Source port: nbname (137)
    Destination port: nbname (137)
    Length: 70
    Checksum: 0x6384 (correct)
NetBIOS Name Service
    Transaction ID: 0x04aa
    Flags: 0xad86 (Registration response, Name is owned by another node)
        1... .... .... .... = Response: Message is a response
        .010 1... .... .... = Opcode: Registration (5)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... ...0 .... = Broadcast: Not a broadcast packet
        .... .... .... 0110 = Reply code: Name is owned by another node (6)
    Questions: 0
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Answers
        BELLAMY-ROYDS<1d>: type NB, class inet
            Name: BELLAMY-ROYDS<1d> (Local Master Browser)
            Type: NB
            Class: inet
            Time to live: 0 time
            Data length: 6
            Flags: 0x0 (B-node, unique)
                0... .... .... .... = Unique name
                .00. .... .... .... = B-node
            Addr: 192.168.0.95

=================================================
Here is a DNS query response
=================================================
Frame 2 (198 bytes on wire, 198 bytes captured)
    Arrival Time: Oct 14, 2002 17:49:52.700077000
    Time delta from previous packet: 0.090657000 seconds
    Time relative to first packet: 0.090657000 seconds
    Frame Number: 2
    Packet Length: 198 bytes
    Capture Length: 198 bytes
Ethernet II, Src: 00:50:18:09:be:62, Dst: 00:80:c8:de:8b:7d
    Destination: 00:80:c8:de:8b:7d (BILL-NT)
    Source: 00:50:18:09:be:62 (gateway)
    Type: IP (0x0800)
Internet Protocol, Src Addr: dns.nk.rnc.net.cable.rogers.com (24.153.23.66), Dst Addr: BILL-NT (192.168.0.95)
    Version: 4
    Header length: 20 bytes
    Type of service: 0x00 (None)
        000. .... = Precedence: routine (0)
        ...0 .... = Delay: Normal
        .... 0... = Throughput: Normal
        .... .0.. = Reliability: Normal
        .... ..0. = Cost: Normal
    Total Length: 184
    Identification: 0x90b9
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 248
    Protocol: UDP (0x11)
    Header checksum: 0x0099 (correct)
    Source: dns.nk.rnc.net.cable.rogers.com (24.153.23.66)
    Destination: BILL-NT (192.168.0.95)
User Datagram Protocol, Src Port: domain (53), Dst Port: 2230 (2230)
    Source port: domain (53)
    Destination port: 2230 (2230)
    Length: 164
    Checksum: 0x692e (correct)
Domain Name System (response)
    Transaction ID: 0x0005
    Flags: 0x8180 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 3
    Additional RRs: 3
    Queries
        slashdot.org: type A, class inet
            Name: slashdot.org
            Type: Host address
            Class: inet
    Answers
        slashdot.org: type A, class inet, addr 64.28.67.150
            Name: slashdot.org
            Type: Host address
            Class: inet
            Time to live: 2 hours, 54 minutes, 40 seconds
            Data length: 4
            Addr: 64.28.67.150
    Authoritative nameservers
        slashdot.org: type NS, class inet, ns NS1.OSDN.COM
            Name: slashdot.org
            Type: Authoritative name server
            Class: inet
            Time to live: 2 hours, 54 minutes, 35 seconds
            Data length: 14
            Name server: NS1.OSDN.COM
        slashdot.org: type NS, class inet, ns NS2.OSDN.COM
            Name: slashdot.org
            Type: Authoritative name server
            Class: inet
            Time to live: 2 hours, 54 minutes, 35 seconds
            Data length: 6
            Name server: NS2.OSDN.COM
        slashdot.org: type NS, class inet, ns NS3.OSDN.COM
            Name: slashdot.org
            Type: Authoritative name server
            Class: inet
            Time to live: 2 hours, 54 minutes, 35 seconds
            Data length: 6
            Name server: NS3.OSDN.COM
    Additional records
        NS1.OSDN.COM: type A, class inet, addr 64.28.67.51
            Name: NS1.OSDN.COM
            Type: Host address
            Class: inet
            Time to live: 23 hours, 50 minutes, 14 seconds
            Data length: 4
            Addr: 64.28.67.51
        NS2.OSDN.COM: type A, class inet, addr 209.192.217.106
            Name: NS2.OSDN.COM
            Type: Host address
            Class: inet
            Time to live: 22 hours, 17 minutes, 20 seconds
            Data length: 4
            Addr: 209.192.217.106
        NS3.OSDN.COM: type A, class inet, addr 64.28.67.53
            Name: NS3.OSDN.COM
            Type: Host address
            Class: inet
            Time to live: 20 hours, 53 minutes, 41 seconds
            Data length: 4
            Addr: 64.28.67.53
===============================================================================

-----Original Message-----
From: Bill Royds [mailto:broydsat_private]
Sent: Mon October 14 2002 10:31
To: Luca Berra; firewall-wizardsat_private
Subject: RE: [fw-wiz] RE: Help w/ Port 137 Traffic

The netbios Name query/response packets are in the same format as DNS query/response packets, just on port 137 instead of 53, so you could use DNS tools connected to port 137 instead of SAMBA. This doesn't help with port 139 traffic, although Ethereal has a good netbios dissector.

-----Original Message-----
From: firewall-wizards-adminat_private [mailto:firewall-wizards-adminat_private] On Behalf Of Luca Berra
Sent: Mon October 14 2002 02:50
To: firewall-wizardsat_private
Subject: Re: [fw-wiz] RE: Help w/ Port 137 Traffic

<snip>
As a last note, I am also getting many probes on ports 137 and 139, but they seem unrelated. I might try answering netbios-ns lookups and see what happens, if I find a smaller beast than samba to use, that is.

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
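The two dissections above share the same 12-byte header (RFC 1002 for NBNS, RFC 1035 for DNS); only the meaning of a few flag bits and the name encoding differ. As an added example (not code from the posting or from Ethereal), the following Python decodes that shared header for both protocols and implements the first-level NetBIOS name encoding that turns BELLAMY-ROYDS<1d> into the 32-character label seen on the wire. The header bytes are reconstructed from the field values in the dumps above; the opcode and reply-code names are the ones RFC 1002 and RFC 1035 define.

```python
import struct

# Both NBNS (RFC 1002 4.2.1.1) and DNS (RFC 1035 4.1.1) begin with the same
# 12-byte header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, big-endian.
HEADER = struct.Struct("!HHHHHH")

# Opcode / reply-code names per protocol (RFC 1002 and RFC 1035).
NBNS_OPCODES = {0: "Name query", 5: "Registration", 6: "Release", 7: "WACK", 8: "Refresh"}
NBNS_RCODES = {0: "No error", 1: "Format error", 2: "Server failure",
               4: "Unsupported request", 5: "Refused", 6: "Name is owned by another node"}
DNS_OPCODES = {0: "Standard query", 1: "Inverse query", 2: "Server status request"}
DNS_RCODES = {0: "No error", 1: "Format error", 2: "Server failure", 3: "No such name", 5: "Refused"}

def parse_header(data, nbns):
    """Decode the shared header; nbns=True selects the NBNS meaning of bit 4 (B)."""
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(data, 0)
    opcode, rcode = (flags >> 11) & 0xF, flags & 0xF
    out = {
        "id": txid, "response": bool(flags & 0x8000),
        "opcode": opcode, "opcode_name": (NBNS_OPCODES if nbns else DNS_OPCODES).get(opcode, "?"),
        "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "rcode": rcode, "rcode_name": (NBNS_RCODES if nbns else DNS_RCODES).get(rcode, "?"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }
    if nbns:
        out["broadcast"] = bool(flags & 0x0010)   # B bit: NBNS only
    else:
        out["ad"] = bool(flags & 0x0020)          # AD / CD bits: DNS only
        out["cd"] = bool(flags & 0x0010)
    return out

def encode_netbios_name(name, suffix):
    """RFC 1001 first-level encoding: 15-char space-padded name plus suffix byte,
    each nibble mapped to 'A'..'P', giving the 32-character label on the wire."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0xF)) for b in raw)

def decode_netbios_name(label):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(label) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(label[i]) - 0x41) << 4) | (ord(label[i + 1]) - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

# Header bytes reconstructed from the two dumps above (constructed sample input).
NBNS_HEADER = bytes.fromhex("04aa ad86 0000 0001 0000 0000")  # Frame 18, port 137
DNS_HEADER = bytes.fromhex("0005 8180 0001 0001 0003 0003")   # Frame 2, port 53
```

Running parse_header on NBNS_HEADER reproduces Ethereal's "Registration response, Name is owned by another node" breakdown, and on DNS_HEADER its "Standard query response, No error"; the same parser is therefore the starting point for an extractor on either port.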
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 17:20:33 PDT