Unofficial empeg BBS

#252867 - 29/03/2005 19:38 I've been staring at this all day....
andym
carpal tunnel

Registered: 17/01/2002
Posts: 3995
Loc: Manchester UK
I'm writing a simple NBT parser for linux so we can finally port our control system over to linux and allow us to drop linux boxes into existing systems.

Anyway, I've decoded everything correctly except the netbios names. Ethereal tells me that ENFJFEEICACACACACACACACACACACACA means MYTH<20> but I just can't see how. Anyone with l33t hax0r skillz care to explain?
_________________________
Cheers,

Andy M

#252868 - 29/03/2005 19:54 Re: I've been staring at this all day.... [Re: andym]
g_attrill
old hand

Registered: 14/04/2002
Posts: 1172
Loc: Hants, UK
I have no knowledge of netbios encoding, but is this any help?

http://ubiqx.org/cifs/Glossary.html#L1ENC

Gareth

#252869 - 29/03/2005 20:06 Re: I've been staring at this all day.... [Re: andym]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Ugh. Yeah.

RFC1001, Section 14.1.

Basically, to decode, take the first two bytes, subtract 65 from each of them. This will leave you with two 4-bit numbers. Put the first one as the MSNybble of a byte, the latter as the LSNybble. That gives you the ASCII encoding of the first character. Proceed like that.


Edited by wfaulk (29/03/2005 20:08)
_________________________
Bitt Faulk

#252870 - 29/03/2005 20:15 Re: I've been staring at this all day.... [Re: wfaulk]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
So:

((A-65)*16)+(B-65)=X

If the first two bytes are "EN", as they are in your example, A=69 and B=78.
((69-65)*16)+(78-65)
(4*16)+13
64+13
77

And 77 is ASCII for "M".

CA seems to translate to space, so I guess it uses spaces for filler.

And I guess the <20> is extracted from somewhere else, unless it's one of the spaces or something. Maybe it uses different padding for different types of names. That sounds a lot like the bass-ackwards type of thing that would be used in NetBIOS.


Edited by wfaulk (29/03/2005 20:17)
_________________________
Bitt Faulk

#252871 - 29/03/2005 20:34 Re: I've been staring at this all day.... [Re: wfaulk]
andym
carpal tunnel

Registered: 17/01/2002
Posts: 3995
Loc: Manchester UK
That's done the trick:

Code:

    #include <stdio.h>

    /* Decode a first-level encoded NetBIOS name (RFC 1001, section 14.1).
     * Each pair of letters 'A'..'P' holds one byte: the first letter is the
     * high nibble, the second the low nibble, each offset by 65 ('A').
     * The loop starts at index 1, so nbname[0] is presumably the 0x20 length
     * byte that precedes the 32 encoded characters in the packet; the last
     * pair read is nbname[31], nbname[32].  All 16 decoded bytes are printed,
     * including the 16th (the <20> name type) as a raw character. */
    void nbtoname(char *nbname)
    {
        int i;

        for (i = 1; i < 32; i = i + 2)
        {
            fprintf(stdout, "%c", ((nbname[i] - 65) << 4) | (nbname[i + 1] - 65));
        }

        fprintf(stdout, "\n");
        return;
    }

I thought the PDU encoding on SMS messages was arse about face. I would've gladly discarded the netbios names but for some reason the system sticks an important identifier in there. Oh well, that part was written over a decade ago to work on Windows 3.1 machines without an IP stack.

Thanks a million guys, you've made me look like a genius to my boss!

EDIT: I thought the <20> bit was a red herring, it appears to come from the next byte in the packet as I've just had a value other than <20> appear and only one byte in the packet changed. I don't need it anyway, however I'll keep it in the struct for possible future use.
_________________________
Cheers,

Andy M

#252872 - 29/03/2005 20:37 Re: I've been staring at this all day.... [Re: andym]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
FWIW, you could also subtract 'A', which is probably where that 65 comes from. Of course, that assumes ASCII, but then this whole nonsense assumes ASCII, so.... I just hate seeing magic numbers lying around.


Edited by wfaulk (29/03/2005 20:39)
_________________________
Bitt Faulk

#252873 - 29/03/2005 20:39 Re: I've been staring at this all day.... [Re: wfaulk]
andym
carpal tunnel

Registered: 17/01/2002
Posts: 3995
Loc: Manchester UK
Ah yes, I saw the 'A' mentioned in the RFC. Never mind, I'll keep it 65.
_________________________
Cheers,

Andy M

#252874 - 29/03/2005 20:39 Re: I've been staring at this all day.... [Re: andym]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Quote:
I thought the <20> bit was a red herring, it appears to come from the next byte in the packet as I've just had a value other than <20> appear and only one byte in the packet changed. I don't need it anyway, however I'll keep it in the struct for possible future use.

My time dealing with SMB has passed, mostly, but I seem to remember different <xx> numbers as meaning certain things, like <20> meant host, but <99> might mean nameserver or broadcast, or something like that. I could be remembering wrong, though.

Yeah, NetBIOS name type or some such:
<00> netbios name on the host
<03> messenger Service Name on the host
<20> name of the Server Service on the host
<1B> name of the domain master browser for subnet
<1D> name of the local master browser for subnet


Edited by wfaulk (29/03/2005 20:43)
_________________________
Bitt Faulk

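The decoding rule wfaulk gives earlier (subtract 65, i.e. 'A', from each letter and pack the two nibbles) and the name-type table in this post, worked into one added C example that is not code from the thread: it checks the length, rejects letters outside 'A'..'P' instead of silently producing garbage, strips the space padding, and returns the 16th byte separately as the name type. The struct and function names are mine; the sample string is the one from the first post.

```c
#include <stdio.h>
#include <string.h>

/* Result of decoding a first-level NetBIOS name: the 15-byte name with
 * its space padding removed, plus the 16th byte Ethereal shows as <20>. */
struct nbt_name {
    char name[16];          /* NUL-terminated */
    unsigned char suffix;   /* name type: 0x00 host name, 0x20 server service, ... */
};

/* One encoded letter carries one nibble: 'A'..'P' -> 0..15, else invalid. */
static int nbt_nibble(char c)
{
    return (c >= 'A' && c <= 'P') ? c - 'A' : -1;
}

/* Decode 32 encoded characters (RFC 1001, section 14.1) into *out.
 * Returns 0 on success, -1 if len != 32 or any letter is outside 'A'..'P'. */
int nbt_decode(const char *enc, size_t len, struct nbt_name *out)
{
    unsigned char raw[16];
    int i, n;

    if (enc == NULL || out == NULL || len != 32)
        return -1;
    for (i = 0; i < 16; i++) {
        int hi = nbt_nibble(enc[2 * i]);     /* first letter: high nibble */
        int lo = nbt_nibble(enc[2 * i + 1]); /* second letter: low nibble */
        if (hi < 0 || lo < 0)
            return -1;
        raw[i] = (unsigned char)((hi << 4) | lo);
    }
    out->suffix = raw[15];
    /* The name proper is padded to 15 bytes with spaces; strip them. */
    for (n = 15; n > 0 && raw[n - 1] == ' '; n--)
        ;
    memcpy(out->name, raw, (size_t)n);
    out->name[n] = '\0';
    return 0;
}

int main(void)
{
    struct nbt_name nm;
    const char *sample = "ENFJFEEICACACACACACACACACACACACA"; /* from the thread */
    if (nbt_decode(sample, strlen(sample), &nm) == 0)
        printf("%s<%02X>\n", nm.name, nm.suffix); /* prints MYTH<20> */
    return 0;
}
```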
#252875 - 29/03/2005 20:40 Re: I've been staring at this all day.... [Re: wfaulk]
andym
carpal tunnel

Registered: 17/01/2002
Posts: 3995
Loc: Manchester UK
I'll ask at work but I think you're right. I'll fire up the samba server on my box and have a look with Ethereal to make sure.
_________________________
Cheers,

Andy M

#252876 - 30/03/2005 03:41 Re: I've been staring at this all day.... [Re: andym]
canuckInOR
carpal tunnel

Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
Quote:
Ethereal tells me that ENFJFEEICACACACACACACACACACACACA means MYTH<20> but I just can't see how. Anyone with l33t hax0r skillz care to explain?

I would have guessed it's either a cheat code for Super Mario Brothers, or the results of some super-extended version of the Myers-Briggs personality test.

#252877 - 30/03/2005 11:23 Re: I've been staring at this all day.... [Re: canuckInOR]
Ezekiel
pooh-bah

Registered: 25/08/2000
Posts: 2413
Loc: NH USA
...that or Max Headroom swearing.

-Zeke
_________________________
WWFSMD?

#252878 - 30/03/2005 13:46 Re: I've been staring at this all day.... [Re: canuckInOR]
JeffS
carpal tunnel

Registered: 14/01/2002
Posts: 2858
Loc: Atlanta, GA
Quote:
Quote:
ENFJ . . .

results of some super-extended version of the Myers-Briggs personality test
LOL
_________________________
-Jeff
Rome did not create a great empire by having meetings; they did it by killing all those who opposed them.

#252879 - 30/03/2005 13:58 Re: I've been staring at this all day.... [Re: JeffS]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Maybe all the CACA at the end indicates an anal retentive personality.
_________________________
Bitt Faulk

#252880 - 30/03/2005 14:30 Re: I've been staring at this all day.... [Re: wfaulk]
JeffS
carpal tunnel

Registered: 14/01/2002
Posts: 2858
Loc: Atlanta, GA
Quote:
Maybe all the CACA at the end indicates an anal retentive personality.
Well, whatever it represents, the person is obviously full of it.
_________________________
-Jeff
Rome did not create a great empire by having meetings; they did it by killing all those who opposed them.

#252881 - 30/03/2005 15:10 Re: I've been staring at this all day.... [Re: JeffS]
andym
carpal tunnel

Registered: 17/01/2002
Posts: 3995
Loc: Manchester UK
Wow, I hadn't realised this would be such cause for debate.
_________________________
Cheers,

Andy M
