Deapesh Misra | 1 Oct 22:43 2008

tshark filter question

Hi,

I have a pcap with multiple POST and GET requests in it. Let's say this
is the format:

===================
Frame a --- GET blah-a1

Frame b --- GET blah-b1
Frame b --- GET blah-b2
Frame b --- POST blah-b3

Frame c --- POST blah-c1
===================
(I guess some kind of HTTP Pipelining is going on here)

Now, I want to get the frame numbers and the URIs for all packets
in which either a GET or a POST request has been sent. So I wrote this
filter:

tshark -T fields -e frame.number  -e http.request.uri -r FILENAME.pcap
-R "http.request.method contains GET || http.request.method contains
POST"

But this filter ends up returning:
===================
Frame a --- GET blah-a1

Frame b --- POST blah-b3


Mirsepassi, Armin | 1 Oct 23:53 2008

Re: Unexplained Netbios Traffic

You can use Port reporter to log traffic

http://support.microsoft.com/kb/837243

and sysinternals process explorer/tcpview for real time view of what is doing what.

http://technet.microsoft.com/en-us/sysinternals/default.aspx

 

From: wireshark-users-bounces-IZ8446WsY0/dtAWm4Da02A@public.gmane.org [mailto:wireshark-users-bounces-IZ8446WsY0/dtAWm4Da02A@public.gmane.org] On Behalf Of Jon Ziminsky
Sent: Wednesday, October 01, 2008 4:10 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Unexplained Netbios Traffic

 

The packets are coming from the "System" process.

Jon Ziminsky | 1 Oct 19:01 2008

Unexplained Netbios Traffic

Hello!

 

I have a server that is spewing UDP packets on port 137. Here is a sample of the capture:

 

214         4.762671              <hidden>            65.200.10.34       NBNS    Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

 

217         1.771319              <hidden>            24.64.209.155     NBNS    Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

 

 

The packets are being sent to random public IPs. They are sent in groups of 3. The packets are identical except the destination IP.

 

The box is running Server2000, and is a VM running on an Ubuntu host. Both the host and guest are fully patched. It is running eTrust ITM that is fully patched and up to date on sigs. All AV scans I have run come back clean. I also ran the most recent MS Malicious Software removal tool, and it came back clean as well.

 

This is the only server in our domain that is exhibiting this behavior.

 

So far today it has tried to contact over 100 random hosts. I am concerned... Help please.

 

 

 

Jon
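As an added example (not from the thread), a small Python script that turns the pattern Jon describes into a detection rule: NBSTAT node-status queries from one internal host fanning out to many public addresses. The sample lines are constructed in the summary-line layout quoted above, reusing the public addresses that appear in the thread; the 10.1.2.x sources are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the Wireshark summary-line layout quoted in the thread
# (frame, time, source, destination, protocol, info). Public addresses are the
# ones quoted in the thread; the 10.1.2.x sources are made up for the example.
SAMPLE_SUMMARY = """\
214  4.762671  10.1.2.3  65.200.10.34    NBNS  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
215  4.762900  10.1.2.3  65.200.10.34    NBNS  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
216  4.763100  10.1.2.3  65.200.10.34    NBNS  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
217  1.771319  10.1.2.3  24.64.209.155   NBNS  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
218  1.771500  10.1.2.3  24.64.209.155   NBNS  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
219  6.100000  10.1.2.3  89.202.193.168  NBNS  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
220  6.200000  10.1.2.7  10.1.2.20       NBNS  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
221  6.300000  10.1.2.7  10.1.2.21       NBNS  Name query NB FILESRV<20>
"""

# Only NBSTAT (node status) queries; ordinary NB name queries are ignored.
NBSTAT_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+NBNS\s+Name query NBSTAT\b"
)


def parse_nbstat_queries(text):
    """Yield (frame, src, dst) for each NBSTAT query line in a summary dump."""
    for line in text.splitlines():
        m = NBSTAT_RE.match(line)
        if m:
            yield int(m.group("frame")), m.group("src"), m.group("dst")


def is_public(addr):
    """True for a globally routable IP; '<hidden>' or hostnames count as not public."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def find_nbstat_scanners(text, min_targets=2):
    """Map each source to the sorted public addresses it sent NBSTAT queries to,
    keeping only sources with at least min_targets distinct public targets.
    NBSTAT lookups of LAN peers are normal; a fan-out to arbitrary public
    addresses is the pattern reported in the thread."""
    targets = defaultdict(set)
    for _frame, src, dst in parse_nbstat_queries(text):
        if is_public(dst):
            targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def queries_per_target(text, src):
    """Count NBSTAT queries from src per destination (the 'groups of 3' in the thread)."""
    counts = defaultdict(int)
    for _frame, s, dst in parse_nbstat_queries(text):
        if s == src:
            counts[dst] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, dsts in find_nbstat_scanners(SAMPLE_SUMMARY).items():
        print(f"{src} sent NBSTAT queries to {len(dsts)} public hosts: {dsts}")
        print("  per-target counts:", queries_per_target(SAMPLE_SUMMARY, src))
```

The same rule runs over real data by feeding it the output of a summary export of the capture filtered to `nbns`; the per-target counts are what show whether the queries arrive in groups as Jon observed.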

 

Peter Marshall | 1 Oct 18:33 2008

summary of unique socket connections

Hi,

I am looking for a way to summarize a capture file so that it only 
displays one line from every unique socket.

src-ip-a:src-port - dest-ip-a:dest-port-a
src-ip-b:src-port - dest-ip-b:dest-port-b
src-ip-c:src-port - dest-ip-c:dest-port-c
.
.
.

I do not necessarily care about the source port.

Is this possible with wireshark or another 3rd party app?

Thanks

Peter

John Martin | 1 Oct 21:44 2008

Re: Unexplained Netbios Traffic

Try running tcpview (http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx).  It’s a better version of netstat that will show attempted as well as established TCP/UDP sessions.  I’ve used it myself recently to find a process responsible for mystery traffic. 

 

From: wireshark-users-bounces-IZ8446WsY0/dtAWm4Da02A@public.gmane.org [mailto:wireshark-users-bounces-IZ8446WsY0/dtAWm4Da02A@public.gmane.org] On Behalf Of Jon Ziminsky
Sent: Wednesday, October 01, 2008 3:13 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Unexplained Netbios Traffic

 

I understand how NetBIOS works... This server has tried to contact 350 hosts since this morning... All completely random.

The two I posted were examples of the 1000+ packets it has generated thus far today.

I have used Arin to lookup about 20 of the IPs and they are all over the board... From China to Amsterdam to the US...

The server in question is behind the corporate firewall, and has no outward facing ports. The firewall is blocking these packets before they leave the network.

Attached is a snippet of the capture files, as I tried to post the entire file and was told by the bot that my message was too big.

Mike Louis | 2 Oct 00:31 2008

Microsoft OCS

Hey Folks,

 

I am working with Microsoft OCS RTP streams and I noticed that I could not report on the UDP streams using RTP until I did a decode as “rtp”. Just a heads up. It worked great and now I am getting the RTP information reported in the stream analysis page.

 

I also noticed that rtp stream analysis allows me to export the results to .csv files. I didn't notice that feature when doing an SMB analysis. Do you think that will ever be available? I could use it since I frequently do lots of SMB analysis for comparing before and after results with Wan Acceleration gear.


Guy Harris | 2 Oct 00:55 2008

Re: Microsoft OCS


On Oct 1, 2008, at 3:31 PM, Mike Louis wrote:

> I am working with Microsoft OCS

Microsoft Office Communications Server?  (Not everybody here's  
familiar with all of Microsoft's initialisms.)

> RTP streams and I noticed that I could not report on the UDP streams  
> using RTP until I did a decode as “rtp”.

At least according to the Wikipedia page for Microsoft Office  
Communications Server, it uses SIP for signaling, so *IF* your network  
capture includes the SIP traffic, it should be able to recognize the  
traffic.

If your capture *doesn't* include the SIP traffic, the only way  
Wireshark can recognize RTP traffic without human help is by looking  
at the packets and guessing that they're RTP.  The code we have to do  
that doesn't check a lot of fields in the packet, so it probably runs  
a significant risk of identifying non-RTP traffic as RTP.  We  
therefore made that not the default; if you want Wireshark to be able  
to automatically recognize RTP traffic even if you *didn't* capture  
the signaling traffic that set the RTP stream up, you'll need to go to  
the Edit -> Preferences dialog, select the "RTP" preferences under  
"Protocols", and set the "Try to decode RTP outside of conversations"  
option.
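As an added illustration of the point above (not Wireshark's code and not from the thread), a small Python model of a per-packet RTP guess next to a conversation-level check, run over constructed packets. The per-packet rule (version bits 2, payload type outside 72-76) and the false-positive figure are for this simplified model, not for Wireshark's heuristic; the constant and function names are my own.

```python
import random
import struct

RTP_VERSION = 2


def parse_rtp_header(payload):
    """Parse the 12-byte RTP fixed header (RFC 3550); None if the datagram is shorter."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    return {
        "version": b0 >> 6, "padding": bool(b0 & 0x20), "extension": bool(b0 & 0x10),
        "csrc_count": b0 & 0x0F, "marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F,
        "sequence": seq, "timestamp": ts, "ssrc": ssrc,
    }


def looks_like_rtp_single(payload):
    """Per-packet guess: version bits == 2 and payload type outside 72-76
    (which would collide with RTCP packet types). Simplified and illustrative,
    not Wireshark's dissector logic."""
    h = parse_rtp_header(payload)
    return h is not None and h["version"] == RTP_VERSION and not 72 <= h["payload_type"] <= 76


def looks_like_rtp_stream(payloads):
    """Conversation-level check: one SSRC, consecutive sequence numbers (mod 2^16)
    and non-decreasing timestamps. Random data rarely satisfies all three."""
    headers = [parse_rtp_header(p) for p in payloads]
    if len(headers) < 2 or any(h is None or h["version"] != RTP_VERSION for h in headers):
        return False
    for prev, cur in zip(headers, headers[1:]):
        if cur["ssrc"] != prev["ssrc"]:
            return False
        if cur["sequence"] != (prev["sequence"] + 1) & 0xFFFF:
            return False
        if cur["timestamp"] < prev["timestamp"]:  # timestamp wrap ignored for brevity
            return False
    return True


def make_rtp_stream(n, ssrc=0x1234ABCD, pt=0, start_seq=100, samples_per_packet=160):
    """Constructed sample: n consecutive PT 0 (G.711 mu-law) RTP headers, no payload."""
    return [struct.pack("!BBHII", RTP_VERSION << 6, pt, (start_seq + i) & 0xFFFF,
                        i * samples_per_packet, ssrc) for i in range(n)]


# Constructed non-RTP datagram whose first byte happens to carry version bits 10.
NOT_RTP = b"\x9a\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00"


def false_positive_rate(trials=10000, seed=1):
    """Fraction of random 12-byte datagrams the per-packet guess accepts:
    about 1/4 for the version bits times 123/128 for the payload-type range."""
    rng = random.Random(seed)
    hits = sum(looks_like_rtp_single(bytes(rng.getrandbits(8) for _ in range(12)))
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("non-RTP datagram passes per-packet guess:", looks_like_rtp_single(NOT_RTP))
    print("same datagram repeated passes stream check:", looks_like_rtp_stream([NOT_RTP] * 2))
    print("real stream passes stream check:", looks_like_rtp_stream(make_rtp_stream(5)))
    print(f"random-data false positive rate: {false_positive_rate():.3f}")
```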
Mike Louis | 2 Oct 01:00 2008

Re: Microsoft OCS

Awesome. thanks

Andrew Hood | 2 Oct 15:56 2008

Re: Unexplained Netbios Traffic

Jon Ziminsky wrote:
> I understand how NetBIOS works... This server has tried to contact 350
> hosts since this morning... All completely random.
> 
> The two I posted were examples of the 1000+ packets it has generated
> thus far today.
> 
> I have used Arin to lookup about 20 of the IPs and they are all over the
> board... From China to Amsterdam to the US...
> 
> The server in question is behind the corporate firewall, and has no
> outward facing ports. The firewall is blocking these packets before they
> leave the network.
> 
> Attached is a snippet of the capture files, as i tried to post the
> entire file and was told by the bot that my message was too big.

Virus? Trojan?

I can duplicate that trace with:

nmblookup -A 89.202.193.168

Because your firewall is dropping the traffic you don't see the ICMP
responses:

  1   0.000000 <hidden> -> 89.202.193.168 NBNS Name query NBSTAT
*<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
  2   0.346796 89.202.193.168 -> <hidden> ICMP Destination unreachable
(Port unreachable)
  3   2.062918 <hidden> -> 89.202.193.168 NBNS Name query NBSTAT
*<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
  4   2.408237 89.202.193.168 -> <hidden> ICMP Destination unreachable
(Port unreachable)

You could try the following suggestion from
http://technet.microsoft.com/en-au/library/bb726981.aspx which will shut
it up completely

UseDnsOnlyForNameResolutions

Key: Netbt\Parameters

Value Type: REG_DWORD—Boolean

Valid Range: 0, 1 (false, true)

Default: 0 (false)

Description: This parameter is used to disable all NetBIOS name queries.
NetBIOS name registrations and refreshes are still used, and NetBIOS
sessions are still allowed. To completely disable NetBIOS on an
interface, see the NetbiosOptions parameter.

--

-- 
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who
Jon Ziminsky | 2 Oct 18:35 2008

Re: Unexplained Netbios Traffic


Thanks for the reg key... But I want to try and find out what is causing the problem instead of simply covering it up.

I have a little more information on what is going on, but I am still in the dark as to what is causing it.

The traffic is being generated by services.exe and is actually going out over random ports, yet Wireshark as well as TCPDump are seeing it as port 137... Here is what PortReporter is showing:

08/10/2,9:10:11,UDP,2155,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:10:18,UDP,2159,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:10:50,UDP,2168,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:11:20,UDP,2173,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:11:47,UDP,2178,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:11:52,UDP,2180,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:12:11,UDP,2188,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:12:17,UDP,2190,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:12:37,UDP,2191,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:12:42,UDP,2192,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>

The 0.0.0.0 address is not obfuscated, that is what is showing in the log...

TCPView shows the port open and close very rapidly.

ProcExplorer doesn't reveal anything deeper than the PID 252 belonging to services.exe.

I tried running rootkitrevealer, and get an error when installing it. I ran Spybot(1.6) with the newest sigs, and it came back clean.

I am at a complete loss at this point. I think I will need to wipe and reload to make myself feel better.
