From: John Lampe (j_lampeat_private)
Date: Tue Apr 30 2002 - 08:42:33 PDT


Incidentally, the BearShare Gnutella client runs a web server on that
port (6346) and you could grep for the string "BearShare" to find
those instances. If you want to be a little more robust, look at the
following Snort dump:

04/30-15:36:57.385019 ->
TCP TTL:64 TOS:0x0 ID:23896 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0xF8B40406  Ack: 0x88B837EC  Win: 0xFAF0  TcpLen: 20
47 4E 55 54 45 4C 4C 41 20 43 4F 4E 4E 45 43 54  GNUTELLA CONNECT
2F 30 2E 34 0A 0A                                /0.4..


04/30-15:36:57.453517 ->
TCP TTL:111 TOS:0x0 ID:35757 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x88B837EC  Ack: 0xF8B4041C  Win: 0x409A  TcpLen: 20
47 4E 55 54 45 4C 4C 41 20 4F 4B 0A 0A           GNUTELLA OK..

So, it seems that sending "GNUTELLA CONNECT/0.4\n\n" to port 6346
should elicit a "GNUTELLA OK" response.

John Lampe

"Knowledge will forever govern ignorance, and a people who mean to be
their own governors, must arm themselves with the power knowledge
gives. A popular government without popular information or the means
of acquiring it, is but a prologue to a farce or a tragedy or perhaps
--James Madison

----- Original Message -----
From: "Michel Arboi" <arboiat_private>
To: <plugins-writersat_private>
Sent: Tuesday, April 30, 2002 6:11 PM
Subject: Gnutella detection

> This is a first & simple version of the script... We should test if
> the service answers to the Gnutella protocol.
> Gnutella is not really risky, but it should not be encountered on a
> business network.
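
The handshake check described in the reply above, written out as an added example; it is not code from the thread or from the Nessus plugin set. The function names, the 256-byte read limit and the "bearshare-http" label (based only on the grep remark above) are assumptions made for illustration.

```python
import socket

PROBE = b"GNUTELLA CONNECT/0.4\n\n"  # request bytes shown in the Snort dump
EXPECTED = b"GNUTELLA OK"            # start of the reply shown in the dump
MAX_REPLY = 256                      # assumed cap on how much reply to read


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a service returned after the probe."""
    if data.startswith(EXPECTED):
        return "gnutella"
    if b"BearShare" in data:
        # Assumption: the BearShare web server names itself in its reply.
        return "bearshare-http"
    return "unknown"


def handshake(sock: socket.socket) -> str:
    """Send the probe on a connected socket and classify what comes back."""
    buf = b""
    try:
        sock.sendall(PROBE)
        # The reply can arrive in several segments, so keep reading until
        # it is recognised, the peer closes, or the read limit is reached.
        while len(buf) < MAX_REPLY and classify_reply(buf) == "unknown":
            chunk = sock.recv(MAX_REPLY - len(buf))
            if not chunk:
                break
            buf += chunk
    except OSError:
        pass  # timeout or reset: classify whatever arrived before it
    return classify_reply(buf)


def probe(host: str, port: int = 6346, timeout: float = 3.0) -> str:
    """Check one host on your own network for a Gnutella servent."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "no-listener"
    with sock:
        return handshake(sock)
```

A service that accepts the connection but stays silent or sends something else is reported as "unknown" rather than treated as a match.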

