NetBIOS dissection improvements

author: Luca Deri <deri@ntop.org> 2020-03-01 11:42:21 +0100
committer: Luca Deri <deri@ntop.org> 2020-03-01 11:42:21 +0100
commit: 942a71c7eb10656621a8b7ba44d2d28c69566e90 (patch)
tree: 9c785407b3fbabb7e6335cf8f908c373b75841bc /tests/result
parent: 7fd135a8c9ae2e6382876bbf8a771984db8c286e (diff)
5 files changed, 15 insertions, 12 deletions
diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out
index b69023107..f4ea14eb4 100644
--- a/tests/result/1kxun.pcap.out
+++ b/tests/result/1kxun.pcap.out
@@ -2,8 +2,9 @@ Unknown	24	6428	14
 DNS	5	638	2
 HTTP	945	530967	19
 MDNS	1	82	1
-NetBIOS	31	3589	8
+NetBIOS	26	2392	6
 SSDP	143	36951	13
+SMBv1	5	1197	2
 DHCP	24	8208	5
 QQ	28	5216	2
 RTP	2	132	1
@@ -61,9 +62,9 @@ JA3 Host Stats:
 	40	UDP 192.168.5.16:68 <-> 192.168.119.1:67 [proto: 18/DHCP][cat: Network/14][2 pkts/684 bytes <-> 2 pkts/684 bytes][Goodput ratio: 88/88][30.01 sec][Host: macbook-air][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46]
 	41	UDP 192.168.5.48:49701 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][7 pkts/1253 bytes -> 0 pkts/0 bytes][Goodput ratio: 76/0][16.80 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1227/0 2799/0 5942/0 1567/0][Pkt Len c2s/s2c min/avg/max/stddev: 179/0 179/0 179/0 0/0][PLAIN TEXT (SEARCH )]
 	42	UDP 192.168.3.236:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][13 pkts/1196 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][30.61 sec][Host: isatap][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 715/0 2708/0 9111/0 2902/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT (FDEBFEEBFACACACACACACACACACAAA)]
-	43	UDP 192.168.5.45:138 -> 192.168.255.255:138 [proto: 10/NetBIOS][cat: System/18][3 pkts/648 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.00 sec][Host: macbookair-e1d0][PLAIN TEXT ( ENEBEDECEPEPELEBEJ)]
+	43	UDP 192.168.5.45:138 -> 192.168.255.255:138 [proto: 10.16/NetBIOS.SMBv1][cat: System/18][3 pkts/648 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.00 sec][Host: macbookair-e1d0][PLAIN TEXT ( ENEBEDECEPEPELEBEJ)]
 	44	UDP 192.168.115.8:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][6 pkts/552 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1.50 sec][Host: wpad][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 300/0 749/0 367/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( FHFAEBEECACACACACACACACACACACA)]
-	45	UDP 192.168.5.67:138 -> 192.168.255.255:138 [proto: 10/NetBIOS][cat: System/18][2 pkts/549 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][< 1 sec][Host: sanji-lifebook-][PLAIN TEXT ( FDEBEOEKEJ)]
+	45	UDP 192.168.5.67:138 -> 192.168.255.255:138 [proto: 10.16/NetBIOS.SMBv1][cat: System/18][2 pkts/549 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][< 1 sec][Host: sanji-lifebook-][PLAIN TEXT ( FDEBEOEKEJ)]
 	46	UDP [fe80::406:55a8:6453:25dd]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][5 pkts/490 bytes -> 0 pkts/0 bytes][Goodput ratio: 37/0][15.56 sec]
 	47	UDP [fe80::beee:7bff:fe0c:b3de]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][4 pkts/392 bytes -> 0 pkts/0 bytes][Goodput ratio: 37/0][14.54 sec]
 	48	UDP 192.168.5.16:63372 <-> 168.95.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/89 bytes <-> 1 pkts/289 bytes][Goodput ratio: 52/85][0.01 sec][Host: dl-obs.official.line.naver.jp][203.69.81.73][PLAIN TEXT (official)]
diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out
index 0e9a818fe..aa3644e86 100644
--- a/tests/result/skype_no_unknown.pcap.out
+++ b/tests/result/skype_no_unknown.pcap.out
@@ -1,8 +1,9 @@
 Unknown	486	90869	30
 DNS	2	267	1
 MDNS	3	400	2
-NetBIOS	22	3106	7
+NetBIOS	17	2006	4
 SSDP	40	14100	3
+SMBv1	5	1100	3
 SkypeCall	154	10918	146
 ICMP	4	328	1
 IGMP	4	226	4
@@ -85,8 +86,8 @@ JA3 Host Stats:
 	67	UDP 192.168.1.34:64240 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/511 bytes -> 0 pkts/0 bytes][Goodput ratio: 42/0][26.50 sec][Host: api.skype.com][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1091/0 4416/0 9098/0 3405/0][Pkt Len c2s/s2c min/avg/max/stddev: 73/0 73/0 73/0 0/0]
 	68	TCP 192.168.1.34:51296 <-> 91.190.216.125:12350 [proto: 125/Skype][cat: VoIP/10][3 pkts/293 bytes <-> 3 pkts/186 bytes][Goodput ratio: 36/0][0.69 sec][bytes ratio: 0.223 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/54 26/54 53/54 26/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 98/62 161/66 46/3]
 	69	TCP 192.168.1.34:51308 -> 80.121.84.93:443 [proto: 91/TLS][cat: Web/5][6 pkts/468 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][5.05 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1005/0 1010/0 1015/0 4/0][Pkt Len c2s/s2c min/avg/max/stddev: 78/0 78/0 78/0 0/0]
-	70	UDP 192.168.1.1:138 -> 192.168.1.34:138 [proto: 10/NetBIOS][cat: System/18][2 pkts/452 bytes -> 0 pkts/0 bytes][Goodput ratio: 81/0][1.26 sec][Host: alicegate][PLAIN TEXT ( EBEMEJEDEFEHEBFEEFCACACACACACA)]
-	71	UDP 192.168.1.34:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][2 pkts/432 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][1.26 sec][Host: lucasmacbookpro][PLAIN TEXT ( EMFFEDEBFDENEBEDECEPEPELFAFCEP)]
+	70	UDP 192.168.1.1:138 -> 192.168.1.34:138 [proto: 10.16/NetBIOS.SMBv1][cat: System/18][2 pkts/452 bytes -> 0 pkts/0 bytes][Goodput ratio: 81/0][1.26 sec][Host: alicegate][PLAIN TEXT ( EBEMEJEDEFEHEBFEEFCACACACACACA)]
+	71	UDP 192.168.1.34:138 -> 192.168.1.255:138 [proto: 10.16/NetBIOS.SMBv1][cat: System/18][2 pkts/432 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][1.26 sec][Host: lucasmacbookpro][PLAIN TEXT ( EMFFEDEBFDENEBEDECEPEPELFAFCEP)]
 	72	TCP 192.168.1.34:51284 <-> 91.190.218.125:12350 [proto: 125/Skype][cat: VoIP/10][3 pkts/237 bytes <-> 3 pkts/186 bytes][Goodput ratio: 21/0][0.47 sec][bytes ratio: 0.121 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/62 34/62 68/62 34/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 79/62 105/66 21/3]
 	73	TCP 192.168.1.34:51285 <-> 91.190.218.125:12350 [proto: 125/Skype][cat: VoIP/10][3 pkts/191 bytes <-> 3 pkts/186 bytes][Goodput ratio: 3/0][0.52 sec][bytes ratio: 0.013 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/61 31/61 62/61 31/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 64/62 78/66 10/3]
 	74	TCP 192.168.1.34:51286 <-> 91.190.218.125:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][3 pkts/191 bytes <-> 3 pkts/186 bytes][Goodput ratio: 3/0][0.36 sec][bytes ratio: 0.013 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/65 31/65 62/65 31/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 64/62 78/66 10/3]
@@ -97,7 +98,7 @@ JA3 Host Stats:
 	79	UDP 192.168.1.34:13021 -> 174.49.171.224:32011 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][5 pkts/300 bytes -> 0 pkts/0 bytes][Goodput ratio: 30/0][20.15 sec]
 	80	UDP 192.168.1.34:57694 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/101 bytes <-> 1 pkts/166 bytes][Goodput ratio: 58/74][0.05 sec][Host: db3msgr5011709.gateway.messenger.live.com][::][PLAIN TEXT (MSGR5011709)]
 	81	UDP [fe80::c62c:3ff:fe06:49fe]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 52/0][0.16 sec]
-	82	UDP 192.168.1.92:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][1 pkts/216 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][Host: lucas-imac][PLAIN TEXT ( EMFFEDEBFDCNEJENEBEDCACACACACA)]
+	82	UDP 192.168.1.92:138 -> 192.168.1.255:138 [proto: 10.16/NetBIOS.SMBv1][cat: System/18][1 pkts/216 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][Host: lucas-imac][PLAIN TEXT ( EMFFEDEBFDCNEJENEBEDCACACACACA)]
 	83	TCP 192.168.1.34:51283 <-> 111.221.74.48:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][2 pkts/132 bytes <-> 1 pkts/74 bytes][Goodput ratio: 0/0][0.30 sec]
 	84	UDP 192.168.1.34:59788 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Goodput ratio: 48/57][0.06 sec][Host: e4593.g.akamaiedge.net][23.206.33.166][PLAIN TEXT (akamaiedge)]
 	85	UDP 192.168.1.34:63661 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Goodput ratio: 48/57][0.06 sec][Host: e4593.g.akamaiedge.net][23.206.33.166][PLAIN TEXT (akamaiedge)]
diff --git a/tests/result/smbv1.pcap.out b/tests/result/smbv1.pcap.out
index 2d3bd65ae..03812d11c 100644
--- a/tests/result/smbv1.pcap.out
+++ b/tests/result/smbv1.pcap.out
@@ -1,3 +1,3 @@
 SMBv1	7	1197	1
 
-	1	TCP 172.16.156.130:50927 <-> 10.128.0.243:445 [proto: 16/SMBv1][cat: System/18][4 pkts/669 bytes <-> 3 pkts/528 bytes][Goodput ratio: 68/69][0.10 sec][bytes ratio: 0.118 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 27/34 32/35 37/36 4/1][Pkt Len c2s/s2c min/avg/max/stddev: 136/114 167/176 194/243 26/53][PLAIN TEXT (PC NETWORK PROGRAM 1.0)]
+	1	TCP 172.16.156.130:50927 <-> 10.128.0.243:445 [proto: 10.16/NetBIOS.SMBv1][cat: System/18][4 pkts/669 bytes <-> 3 pkts/528 bytes][Goodput ratio: 68/69][0.10 sec][bytes ratio: 0.118 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 27/34 32/35 37/36 4/1][Pkt Len c2s/s2c min/avg/max/stddev: 136/114 167/176 194/243 26/53][PLAIN TEXT (PC NETWORK PROGRAM 1.0)]
diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out
index 13b5c1b48..893767de3 100644
--- a/tests/result/tor.pcap.out
+++ b/tests/result/tor.pcap.out
@@ -1,4 +1,4 @@
-NetBIOS	1	252	1
+SMBv1	1	252	1
 TLS	246	102691	5
 DHCPV6	6	906	1
 Dropbox	10	1860	1
@@ -18,5 +18,5 @@ JA3 Host Stats:
 	7	TCP 192.168.1.252:51185 <-> 62.210.137.230:443 [proto: 91.163/TLS.Tor][cat: VPN/2][15 pkts/3634 bytes <-> 14 pkts/6027 bytes][Goodput ratio: 76/87][74.24 sec][bytes ratio: -0.248 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/15 6155/6464 63835/63837 17571/19124][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 242/430 640/1514 247/416][TLSv1][Client: www.6gyip7tqim7sieb.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Certificate SHA-1: EE:86:E7:21:36:93:23:30:DB:A0:09:48:55:16:CB:A8:E9:DA:01:D0][Validity: 2013-11-02 00:00:00 - 2014-02-17 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
 	8	UDP 192.168.1.1:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][10 pkts/1860 bytes -> 0 pkts/0 bytes][Goodput ratio: 77/0][600.89 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 30033/0 66765/0 360548/0 103868/0][Pkt Len c2s/s2c min/avg/max/stddev: 186/0 186/0 186/0 0/0][PLAIN TEXT ( 676879976)]
 	9	UDP [fe80::c583:1972:5728:7323]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][6 pkts/906 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][31.41 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1227/0 6282/0 16006/0 5400/0][Pkt Len c2s/s2c min/avg/max/stddev: 151/0 151/0 151/0 0/0][PLAIN TEXT (Endian)]
-	10	UDP 192.168.1.252:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][1 pkts/252 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][< 1 sec][Host: endian-pc][PLAIN TEXT ( EFEOEEEJEBEOCNFAEDCACACACACACA)]
+	10	UDP 192.168.1.252:138 -> 192.168.1.255:138 [proto: 10.16/NetBIOS.SMBv1][cat: System/18][1 pkts/252 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][< 1 sec][Host: endian-pc][PLAIN TEXT ( EFEOEEEJEBEOCNFAEDCACACACACACA)]
 	11	TCP 192.168.1.252:51104 -> 157.56.30.46:443 [proto: 91/TLS][cat: Web/5][1 pkts/60 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec]
diff --git a/tests/result/wechat.pcap.out b/tests/result/wechat.pcap.out
index b8afec542..19391115b 100644
--- a/tests/result/wechat.pcap.out
+++ b/tests/result/wechat.pcap.out
@@ -2,7 +2,8 @@ DNS	6	494	3
 HTTP	70	4620	8
 MDNS	116	10672	4
 NTP	1	90	1
-NetBIOS	12	1579	2
+NetBIOS	9	828	1
+SMBv1	3	751	1
 DHCP	1	342	1
 QQ	26	9402	2
 IGMP	24	1280	4
@@ -61,7 +62,7 @@ JA3 Host Stats:
 	41	TCP 203.205.151.162:443 <-> 192.168.1.103:54084 [proto: 91.197/TLS.WeChat][cat: Chat/9][3 pkts/802 bytes <-> 3 pkts/198 bytes][Goodput ratio: 75/0][16.21 sec][bytes ratio: 0.604 (Upload)][IAT c2s/s2c min/avg/max/stddev: 6562/9679 8102/9679 9642/9679 1540/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 267/66 670/66 285/0]
 	42	UDP 192.168.1.100:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][cat: System/18][9 pkts/828 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1.44 sec][Host: lbjamwptxz][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 179/0 816/0 313/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( EMECEKEBENFHFAFEFIFKCACACACACA)]
 	43	IGMP 192.168.1.100:0 -> 224.0.0.22:0 [proto: 82/IGMP][cat: Network/14][15 pkts/810 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3769.99 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 409/0 289920/0 3384346/0 895904/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 54/0 54/0 0/0]
-	44	UDP 192.168.1.100:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][3 pkts/751 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][3600.00 sec][Host: giovanni-pc][PLAIN TEXT ( EHEJEPFGEBEOEOEJ)]
+	44	UDP 192.168.1.100:138 -> 192.168.1.255:138 [proto: 10.16/NetBIOS.SMBv1][cat: System/18][3 pkts/751 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][3600.00 sec][Host: giovanni-pc][PLAIN TEXT ( EHEJEPFGEBEOEOEJ)]
 	45	TCP 192.168.1.103:54112 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][5 pkts/338 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][22.72 sec][bytes ratio: 0.094 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 351/910 5597/910 20327/910 8509/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 74/74 3/4]
 	46	TCP 192.168.1.103:54114 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][5 pkts/338 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][55.41 sec][bytes ratio: 0.094 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 312/33511 13774/33511 33196/33511 13762/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 74/74 3/4]
 	47	UDP 192.168.1.103:19041 <-> 192.168.1.254:53 [proto: 5.48/DNS.QQ][cat: Chat/9][1 pkts/73 bytes <-> 1 pkts/537 bytes][Goodput ratio: 42/92][0.03 sec][Host: res.wx.qq.com][203.205.158.34]
author	Luca Deri <deri@ntop.org>	2020-03-01 11:42:21 +0100
committer	Luca Deri <deri@ntop.org>	2020-03-01 11:42:21 +0100
commit	942a71c7eb10656621a8b7ba44d2d28c69566e90 (patch)
tree	9c785407b3fbabb7e6335cf8f908c373b75841bc /tests/result
parent	7fd135a8c9ae2e6382876bbf8a771984db8c286e (diff)