[Snort-users] Very interesting packet

Fyodor fygrave at ...121...
Sun Jul 30 12:11:06 EDT 2000

~ :Anyone know how to decode the NetBIOS data in the packet?

if you are talking about those funky `CACACA..` strings in the packets,
then the basic idea would be:
you substitute 0x41 from each pair of characters in the packet and then
or them like final = (a << 4) | b; (and you will get 0x20 for each `CA'
pair ;-))

for `descrambling' the whole netbios packet(s) have a look on rfc 1001,
1002. They are old but do not seem to be obsoleted yet.

More information about the Snort-users mailing list