RE: [fw-wiz] RE: Help w/ Port 137 Traffic

From: Bill Royds (broydsat_private)
Date: Mon Oct 14 2002 - 14:56:53 PDT

  • Next message: Miha Vitorovic: "Re: [fw-wiz] RE: Help w/ Port 137 Traffic"

    Below is an example of a WINS port 137/udp packet broken out by Ethereal and a DNS packet. Notice the basic similarity, with WINS adding a few flags and encoding the text differently. Using the Ethereal code may allow you to create your own extractor. This comes from my home LAN.
    ===============================================================================================
    Frame 18 (104 bytes on wire, 104 bytes captured)
        Arrival Time: Oct 14, 2002 17:26:30.373491000
        Time delta from previous packet: 0.000102000 seconds
        Time relative to first packet: 271.548191000 seconds
        Frame Number: 18
        Packet Length: 104 bytes
        Capture Length: 104 bytes
    Ethernet II, Src: 00:80:c8:de:8b:7d, Dst: 00:00:e8:55:6c:b2
        Destination: 00:00:e8:55:6c:b2 (ACCTON_55:6c:b2)
        Source: 00:80:c8:de:8b:7d (BILL-NT)
        Type: IP (0x0800)
    Internet Protocol, Src Addr: BILL-NT (192.168.0.95), Dst Addr: RHODA (192.168.0.108)
        Version: 4
        Header length: 20 bytes
        Type of service: 0x00 (None)
            000. .... = Precedence: routine (0)
            ...0 .... = Delay: Normal
            .... 0... = Throughput: Normal
            .... .0.. = Reliability: Normal
            .... ..0. = Cost: Normal
        Total Length: 90
        Identification: 0x863b
        Flags: 0x00
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 128
        Protocol: UDP (0x11)
        Header checksum: 0x323c (correct)
        Source: BILL-NT (192.168.0.95)
        Destination: RHODA (192.168.0.108)
    User Datagram Protocol, Src Port: nbname (137), Dst Port: nbname (137)
        Source port: nbname (137)
        Destination port: nbname (137)
        Length: 70
        Checksum: 0x6384 (correct)
    NetBIOS Name Service
        Transaction ID: 0x04aa
        Flags: 0xad86 (Registration response, Name is owned by another node)
            1... .... .... .... = Response: Message is a response
            .010 1... .... .... = Opcode: Registration (5)
            .... .1.. .... .... = Authoritative: Server is an authority for domain
            .... ..0. .... .... = Truncated: Message is not truncated
            .... ...1 .... .... = Recursion desired: Do query recursively
            .... .... 1... .... = Recursion available: Server can do recursive queries
            .... .... ...0 .... = Broadcast: Not a broadcast packet
            .... .... .... 0110 = Reply code: Name is owned by another node (6)
        Questions: 0
        Answer RRs: 1
        Authority RRs: 0
        Additional RRs: 0
        Answers
            BELLAMY-ROYDS<1d>: type NB, class inet
                Name: BELLAMY-ROYDS<1d> (Local Master Browser)
                Type: NB
                Class: inet
                Time to live: 0 time
                Data length: 6
                Flags: 0x0 (B-node, unique)
                    0... .... .... .... = Unique name
                    .00. .... .... .... = B-node
                Addr: 192.168.0.95
    =================================================
    
    Here is a DNS query response
    =================================================
    Frame 2 (198 bytes on wire, 198 bytes captured)
        Arrival Time: Oct 14, 2002 17:49:52.700077000
        Time delta from previous packet: 0.090657000 seconds
        Time relative to first packet: 0.090657000 seconds
        Frame Number: 2
        Packet Length: 198 bytes
        Capture Length: 198 bytes
    Ethernet II, Src: 00:50:18:09:be:62, Dst: 00:80:c8:de:8b:7d
        Destination: 00:80:c8:de:8b:7d (BILL-NT)
        Source: 00:50:18:09:be:62 (gateway)
        Type: IP (0x0800)
    Internet Protocol, Src Addr: dns.nk.rnc.net.cable.rogers.com (24.153.23.66), Dst Addr: BILL-NT (192.168.0.95)
        Version: 4
        Header length: 20 bytes
        Type of service: 0x00 (None)
            000. .... = Precedence: routine (0)
            ...0 .... = Delay: Normal
            .... 0... = Throughput: Normal
            .... .0.. = Reliability: Normal
            .... ..0. = Cost: Normal
        Total Length: 184
        Identification: 0x90b9
        Flags: 0x04
            .1.. = Don't fragment: Set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 248
        Protocol: UDP (0x11)
        Header checksum: 0x0099 (correct)
        Source: dns.nk.rnc.net.cable.rogers.com (24.153.23.66)
        Destination: BILL-NT (192.168.0.95)
    User Datagram Protocol, Src Port: domain (53), Dst Port: 2230 (2230)
        Source port: domain (53)
        Destination port: 2230 (2230)
        Length: 164
        Checksum: 0x692e (correct)
    Domain Name System (response)
        Transaction ID: 0x0005
        Flags: 0x8180 (Standard query response, No error)
            1... .... .... .... = Response: Message is a response
            .000 0... .... .... = Opcode: Standard query (0)
            .... .0.. .... .... = Authoritative: Server is not an authority for domain
            .... ..0. .... .... = Truncated: Message is not truncated
            .... ...1 .... .... = Recursion desired: Do query recursively
            .... .... 1... .... = Recursion available: Server can do recursive queries
            .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
            .... .... .... 0000 = Reply code: No error (0)
        Questions: 1
        Answer RRs: 1
        Authority RRs: 3
        Additional RRs: 3
        Queries
            slashdot.org: type A, class inet
                Name: slashdot.org
                Type: Host address
                Class: inet
        Answers
            slashdot.org: type A, class inet, addr 64.28.67.150
                Name: slashdot.org
                Type: Host address
                Class: inet
                Time to live: 2 hours, 54 minutes, 40 seconds
                Data length: 4
                Addr: 64.28.67.150
        Authoritative nameservers
            slashdot.org: type NS, class inet, ns NS1.OSDN.COM
                Name: slashdot.org
                Type: Authoritative name server
                Class: inet
                Time to live: 2 hours, 54 minutes, 35 seconds
                Data length: 14
                Name server: NS1.OSDN.COM
            slashdot.org: type NS, class inet, ns NS2.OSDN.COM
                Name: slashdot.org
                Type: Authoritative name server
                Class: inet
                Time to live: 2 hours, 54 minutes, 35 seconds
                Data length: 6
                Name server: NS2.OSDN.COM
            slashdot.org: type NS, class inet, ns NS3.OSDN.COM
                Name: slashdot.org
                Type: Authoritative name server
                Class: inet
                Time to live: 2 hours, 54 minutes, 35 seconds
                Data length: 6
                Name server: NS3.OSDN.COM
        Additional records
            NS1.OSDN.COM: type A, class inet, addr 64.28.67.51
                Name: NS1.OSDN.COM
                Type: Host address
                Class: inet
                Time to live: 23 hours, 50 minutes, 14 seconds
                Data length: 4
                Addr: 64.28.67.51
            NS2.OSDN.COM: type A, class inet, addr 209.192.217.106
                Name: NS2.OSDN.COM
                Type: Host address
                Class: inet
                Time to live: 22 hours, 17 minutes, 20 seconds
                Data length: 4
                Addr: 209.192.217.106
            NS3.OSDN.COM: type A, class inet, addr 64.28.67.53
                Name: NS3.OSDN.COM
                Type: Host address
                Class: inet
                Time to live: 20 hours, 53 minutes, 41 seconds
                Data length: 4
                Addr: 64.28.67.53
    ===============================================================================
    
    -----Original Message-----
    From: Bill Royds [mailto:broydsat_private]
    Sent: Mon October 14 2002 10:31
    To: Luca Berra; firewall-wizardsat_private
    Subject: RE: [fw-wiz] RE: Help w/ Port 137 Traffic
    
    
    The netbios Name query/response packets are in the same format as DNS query/response packets, just on port 137 instead of 53 so you could use DNS tools connected to port 137 instead of SAMBA. This doesn't help with port 139 traffic although Ethereal has a good netbios dissector.
    
    -----Original Message-----
    From: firewall-wizards-adminat_private
    [mailto:firewall-wizards-adminat_private] On Behalf Of Luca Berra
    Sent: Mon October 14 2002 02:50
    To: firewall-wizardsat_private
    Subject: Re: [fw-wiz] RE: Help w/ Port 137 Traffic
    
    <snip>
    
    As a last note, I am also getting many probes on ports 137 and 139, but
    they seem unrelated. I might try answering netbios-ns lookups and see
    what happens, if I find a smaller beast than samba to use, that is.
    
    
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizardsat_private
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
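
    The point Bill Royds makes above, that a port 137/udp name-service packet is a DNS packet with a different name encoding and one extra flag bit, can be checked with a small decoder. The following is an added example and is not code from the original post or from Ethereal; it is a stand-alone Python parser for the header, question and answer sections shared by DNS and NetBIOS Name Service (RFC 1002), plus the first-level NetBIOS name encoding. The two packets it parses are constructed from the field values shown in the two Ethereal dumps (transaction IDs, flags, names, addresses); the DNS one is cut down to the question and answer section, so it is shorter than the 156-byte payload in Frame 2.

```python
"""Decoder for the DNS / NetBIOS Name Service (RFC 1002) header format.
Added example (not from the mailing-list post); sample packets are
CONSTRUCTED from the Ethereal field values, not captured bytes."""
import socket
import struct

RR_TYPES = {1: "A", 2: "NS", 0x20: "NB"}   # types seen in the two dumps


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1001/1002 first-level encoding: 15-char space-padded name plus a
    suffix byte; every nibble becomes 'A' + nibble, giving 32 characters."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_label(label: bytes):
    """Reverse the first-level encoding; returns (name, suffix)."""
    if len(label) != 32 or any(c < 0x41 or c > 0x50 for c in label):
        raise ValueError("not a NetBIOS first-level encoded label")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def read_name(pkt: bytes, off: int):
    """Read a DNS-style name (length-prefixed labels, 0xC0 compression
    pointers). Returns (labels, offset after the name in the packet)."""
    labels, jumped, end = [], False, None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack_from(">H", pkt, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n])
        off += n
    return labels, (end if jumped else off)


def parse_flags(flags: int) -> dict:
    """Bit layout shared by DNS and NBNS; bit 4 is the NBNS broadcast flag
    (reserved/AD in DNS), everything else lines up between the two."""
    return {"response": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "broadcast": bool(flags & 0x0010), "rcode": flags & 0x000F}


def parse_packet(pkt: bytes, nbns: bool) -> dict:
    """Parse header, questions and answers. The only NBNS-specific parts are
    the name decoding and the 6-byte NB rdata (2-byte NB flags + IPv4)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    off = 12
    out = {"id": txid, "flags": parse_flags(flags), "questions": [], "answers": []}

    def name_at(off):
        labels, off = read_name(pkt, off)
        if nbns:
            name, suffix = decode_netbios_label(labels[0])
            return f"{name}<{suffix:02x}>", off
        return b".".join(labels).decode("ascii"), off

    for _ in range(qd):
        name, off = name_at(off)
        qtype, _qclass = struct.unpack_from(">HH", pkt, off)
        off += 4
        out["questions"].append((name, RR_TYPES.get(qtype, qtype)))
    for _ in range(an):
        name, off = name_at(off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        rr = {"name": name, "type": RR_TYPES.get(rtype, rtype), "ttl": ttl}
        if nbns and rtype == 0x20:               # NB record: flags + address
            nbflags = struct.unpack_from(">H", rdata)[0]
            rr["unique"] = not (nbflags & 0x8000)
            rr["node"] = "BPMH"[(nbflags >> 13) & 3]
            rr["addr"] = socket.inet_ntoa(rdata[2:6])
        elif rtype == 1:
            rr["addr"] = socket.inet_ntoa(rdata)
        out["answers"].append(rr)
    return out


# Constructed NBNS registration response matching Frame 18: id 0x04aa,
# flags 0xad86, 0 questions / 1 answer, BELLAMY-ROYDS<1d>, type NB, class IN,
# TTL 0, rdata = NB flags 0x0000 + 192.168.0.95. 62 bytes = UDP length 70 - 8.
NBNS_PKT = (struct.pack(">HHHHHH", 0x04AA, 0xAD86, 0, 1, 0, 0)
            + b"\x20" + encode_netbios_name("BELLAMY-ROYDS", 0x1D) + b"\x00"
            + struct.pack(">HHIH", 0x0020, 1, 0, 6)
            + struct.pack(">H", 0x0000) + socket.inet_aton("192.168.0.95"))

# Constructed, abbreviated DNS response modelled on Frame 2: id 0x0005, flags
# 0x8180, question slashdot.org A, answer 64.28.67.150 with compressed name.
DNS_PKT = (struct.pack(">HHHHHH", 0x0005, 0x8180, 1, 1, 0, 0)
           + b"\x08slashdot\x03org\x00" + struct.pack(">HH", 1, 1)
           + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 10480, 4)
           + socket.inet_aton("64.28.67.150"))

if __name__ == "__main__":
    print(parse_packet(NBNS_PKT, nbns=True))
    print(parse_packet(DNS_PKT, nbns=False))
```

    One parser handles both packets; only name_at() and the NB rdata branch know about NetBIOS, which is exactly the "few flags and different text encoding" noted above. The same encode_netbios_name() is what an answering service (the kind Luca Berra mentions wanting instead of Samba) would need to build the question name in its reply; anything it sends back to Internet-sourced probes will be taken at face value by the prober, so such a responder belongs on a host that carries nothing else of value.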
    



    This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 17:20:33 PDT