Re: Gnutella detection

From: John Lampe (j_lampeat_private)
Date: Tue Apr 30 2002 - 08:42:33 PDT



Incidentally, the BearShare Gnutella client runs a web server on that
port (6346) and you could grep for the string "BearShare" to find
those instances.  If you want to be a little more robust, look at the
following snort dump:

04/30-15:36:57.385019 10.10.10.31:2702 -> 208.239.76.100:6346
TCP TTL:64 TOS:0x0 ID:23896 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0xF8B40406  Ack: 0x88B837EC  Win: 0xFAF0  TcpLen: 20
47 4E 55 54 45 4C 4C 41 20 43 4F 4E 4E 45 43 54  GNUTELLA CONNECT
2F 30 2E 34 0A 0A                                /0.4..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/30-15:36:57.453517 208.239.76.100:6346 -> 10.10.10.31:2702
TCP TTL:111 TOS:0x0 ID:35757 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x88B837EC  Ack: 0xF8B4041C  Win: 0x409A  TcpLen: 20
47 4E 55 54 45 4C 4C 41 20 4F 4B 0A 0A           GNUTELLA OK..


So, it seems that sending "GNUTELLA CONNECT/0.4\n\n" to port 6346
should elicit a "GNUTELLA OK" response.

John Lampe
https://f00dikator.hn.org/

"Knowledge will forever govern ignorance, and a people who mean to be
their own governors, must arm themselves with the power knowledge
gives. A popular government without popular information or the means
of acquiring it, is but a prologue to a farce or a tragedy or perhaps
both."
--James Madison

----- Original Message -----
From: "Michel Arboi" <arboiat_private>
To: <plugins-writersat_private>
Sent: Tuesday, April 30, 2002 6:11 PM
Subject: Gnutella detection


> This is a first & simple version of the script... We should test if
> the service answers to the Gnutella protocol.
> Gnutella is not really risky, but it should not be encountered on a
> business network.
> 

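The handshake in the dump above, turned into a service check (an added example, not Michel's script and not code from this thread): it sends the 0.4 CONNECT line, reads the reply up to the blank line, and labels it, with the "BearShare" string grep from the top of the message folded in as a second signature. The result labels, the 512-byte read limit and the socketpair harness are this example's own assumptions, constructed so it can be run offline.

```python
import socket
import threading

# Values taken from the snort dump in the message above.
GNUTELLA_PORT = 6346
CONNECT_REQUEST = b"GNUTELLA CONNECT/0.4\n\n"
EXPECTED_REPLY = b"GNUTELLA OK"

def classify_reply(data: bytes) -> str:
    """Label what came back after the CONNECT line: the handshake reply from the
    dump, BearShare's web server banner (the string grep), or neither."""
    if data.startswith(EXPECTED_REPLY):
        return "gnutella"
    if b"BearShare" in data:
        return "bearshare-http"
    return "unknown"

def gnutella_handshake(sock: socket.socket) -> str:
    """Run the 0.4 handshake over an already-connected socket."""
    sock.sendall(CONNECT_REQUEST)
    data = b""
    # Stop at the blank line that ends the reply, at EOF, or after 512 bytes.
    while len(data) < 512 and b"\n\n" not in data:
        chunk = sock.recv(512 - len(data))
        if not chunk:
            break
        data += chunk
    return classify_reply(data)

def probe_gnutella(host: str, port: int = GNUTELLA_PORT, timeout: float = 5.0) -> str:
    """Connect to host:port and classify the service; 'unreachable' on error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return gnutella_handshake(s)
    except OSError:
        return "unreachable"

def handshake_against_canned_reply(reply: bytes) -> str:
    """Offline harness (constructed for this example): a socketpair stands in
    for the remote peer and answers the CONNECT line with `reply`."""
    client, peer = socket.socketpair()
    def answer() -> None:
        peer.recv(64)  # consume the CONNECT line
        peer.sendall(reply)
        peer.close()
    threading.Thread(target=answer, daemon=True).start()
    result = gnutella_handshake(client)
    client.close()
    return result
```

Against a real host, `probe_gnutella(host)` returns the same labels; a port that answers anything other than the handshake line or the BearShare banner comes back as "unknown" rather than being reported as Gnutella.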



This archive was generated by hypermail 2b30 : Tue Apr 30 2002 - 13:41:55 PDT