I've been staring at this all day....

Posted by: andym

I've been staring at this all day.... - 29/03/2005 19:38

I'm writing a simple NBT parser for Linux so we can finally port our control system over to Linux and allow us to drop Linux boxes into existing systems.

Anyway, I've decoded everything correctly except the netbios names. Ethereal tells me that ENFJFEEICACACACACACACACACACACACA means MYTH<20> but I just can't see how. Anyone with l33t hax0r skillz care to explain?
Posted by: g_attrill

Re: I've been staring at this all day.... - 29/03/2005 19:54

I have no knowledge of netbios encoding, but is this any help?

http://ubiqx.org/cifs/Glossary.html#L1ENC

Gareth
Posted by: wfaulk

Re: I've been staring at this all day.... - 29/03/2005 20:06

Ugh. Yeah.

RFC1001, Section 14.1.

Basically, to decode, take the first two bytes, subtract 65 from each of them. This will leave you with two 4-bit numbers. Put the first one as the MSNybble of a byte, the latter as the LSNybble. That gives you the ASCII encoding of the first character. Proceed like that.
Posted by: wfaulk

Re: I've been staring at this all day.... - 29/03/2005 20:15

So:

((A-65)*16)+(B-65)=X

If the first two bytes are "EN", as they are in your example, A=69 and B=78.
((69-65)*16)+(78-65)
(4*16)+13
64+13
77

And 77 is ASCII for "M".

CA seems to translate to space, so I guess it uses spaces for filler.

And I guess the <20> is extracted from somewhere else, unless it's one of the spaces or something. Maybe it uses different padding for different types of names. That sounds a lot like the bass-ackwards type of thing that would be used in NetBIOS.
Posted by: andym

Re: I've been staring at this all day.... - 29/03/2005 20:34

That's done the trick:

Code:

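#include <stdio.h>

/* Print the name held in a first-level encoded NetBIOS name field.
   The loop starts at index 1, which assumes nbname[0] is the length
   byte that precedes the 32 encoded characters in the packet. */
void nbtoname(char *nbname)
{
    int i;

    for (i = 1; i < 32; i = i + 2)
    {
        /* Two characters make one byte: high nibble, then low nibble. */
        fprintf(stdout, "%c", ((nbname[i] - 65) << 4) | (nbname[i + 1] - 65));
    }

    fprintf(stdout, "\n");
    return;
}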



I thought the PDU encoding on SMS messages was arse about face. I would've gladly discarded the netbios names but for some reason the system sticks an important identifier in there. Oh well, that part was written over a decade ago to work on Windows 3.1 machines without an IP stack.

Thanks a million guys, you've made me look like a genius to my boss!

EDIT: I thought the <20> bit was a red herring, it appears to come from the next byte in the packet as I've just had a value other than <20> appear and only one byte in the packet changed. I don't need it anyway, however I'll keep it in the struct for possible future use.
Posted by: wfaulk

Re: I've been staring at this all day.... - 29/03/2005 20:37

FWIW, you could also subtract 'A', which is probably where that 65 comes from. Of course, that assumes ASCII, but then this whole nonsense assumes ASCII, so.... I just hate seeing magic numbers lying around.
Posted by: andym

Re: I've been staring at this all day.... - 29/03/2005 20:39

Ah yes, I saw the 'A' mentioned in the RFC. Never mind, I'll keep it 65.
Posted by: wfaulk

Re: I've been staring at this all day.... - 29/03/2005 20:39

Quote:
I thought the <20> bit was a red herring, it appears to come from the next byte in the packet as I've just had a value other than <20> appear and only one byte in the packet changed. I don't need it anyway, however I'll keep it in the struct for possible future use.

My time dealing with SMB has passed, mostly, but I seem to remember different <xx> numbers as meaning certain things, like <20> meant host, but <99> might mean nameserver or broadcast, or something like that. I could be remembering wrong, though.

Yeah, NetBIOS name type or some such:
<00> netbios name on the host
<03> messenger Service Name on the host
<20> name of the Server Service on the host
<1B> name of the domain master browser for subnet
<1D> name of the local master browser for subnet
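
The decoding worked out in this thread, as an added example that is not part of any post: a C decoder that rejects any character outside 'A'..'P', replaces non-printable bytes before display, and returns the 16th decoded byte as the <xx> suffix with the meanings listed above. The function names are made up for the example, and treating decoded byte 16 as the suffix is the usual NetBIOS convention, assumed here rather than taken from the thread.

```c
#include <stdio.h>
#include <string.h>

/* The name from the thread, split so the 32-character length is easy to see. */
static const char SAMPLE[] = "ENFJFEEI" "CACACACA" "CACACACA" "CACACACA";

/* Decode a first-level encoded NetBIOS name (32 characters, each 'A'..'P').
 * name gets 15 bytes, padding trimmed; *suffix gets byte 16. 0 ok, -1 malformed. */
int nb_decode(const char *enc, size_t len, char name[16], unsigned char *suffix)
{
    unsigned char raw[16];
    size_t i;
    if (enc == NULL || len != 32) return -1;
    for (i = 0; i < 16; i++) {
        char hi = enc[2 * i], lo = enc[2 * i + 1];
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P')
            return -1;              /* nibble out of range: reject the name */
        raw[i] = (unsigned char)(((hi - 'A') << 4) | (lo - 'A'));
    }
    for (i = 0; i < 15; i++)        /* control bytes never reach the terminal */
        name[i] = (raw[i] < 0x20 || raw[i] > 0x7e) ? '.' : (char)raw[i];
    name[15] = '\0';
    for (i = 15; i > 0 && name[i - 1] == ' '; i--)
        name[i - 1] = '\0';         /* strip the space filler */
    *suffix = raw[15];
    return 0;
}

/* Suffix meanings as listed in the thread. */
const char *nb_suffix_desc(unsigned char suffix)
{
    switch (suffix) {
    case 0x00: return "netbios name on the host";
    case 0x03: return "messenger Service Name on the host";
    case 0x20: return "name of the Server Service on the host";
    case 0x1B: return "name of the domain master browser for subnet";
    case 0x1D: return "name of the local master browser for subnet";
    default:   return "unknown";
    }
}

int main(void)
{
    char name[16];
    unsigned char sfx;
    if (nb_decode(SAMPLE, strlen(SAMPLE), name, &sfx) != 0) return 1;
    printf("%s<%02X> %s\n", name, sfx, nb_suffix_desc(sfx));
    return 0;
}
```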
Posted by: andym

Re: I've been staring at this all day.... - 29/03/2005 20:40

I'll ask at work but I think you're right. I'll fire up the samba server on my box and have a look with Ethereal to make sure.
Posted by: canuckInOR

Re: I've been staring at this all day.... - 30/03/2005 03:41

Quote:
Ethereal tells me that ENFJFEEICACACACACACACACACACACACA means MYTH<20> but I just can't see how. Anyone with l33t hax0r skillz care to explain?

I would have guessed it's either a cheat code for Super Mario Brothers, or the results of some super-extended version of the Myers-Briggs personality test.
Posted by: Ezekiel

Re: I've been staring at this all day.... - 30/03/2005 11:23

...that or Max Headroom swearing.

-Zeke
Posted by: JeffS

Re: I've been staring at this all day.... - 30/03/2005 13:46

Quote:
Quote:
ENFJ . . .

results of some super-extended version of the Myers-Briggs personality test
LOL
Posted by: wfaulk

Re: I've been staring at this all day.... - 30/03/2005 13:58

Maybe all the CACA at the end indicates an anal retentive personality.
Posted by: JeffS

Re: I've been staring at this all day.... - 30/03/2005 14:30

Quote:
Maybe all the CACA at the end indicates an anal retentive personality.
Well, whatever it represents, the person is obviously full of it.
Posted by: andym

Re: I've been staring at this all day.... - 30/03/2005 15:10

Wow, I hadn't realised this would be such cause for debate.