Hi,

I'm using kernel 2.6.17, iptables 1.3.5. Is there a way to match specific netbios ns flags? I did not find any on the iptables man page.

I'm trying to log it like this:

-A INPUT -s 10.1.1.15 -i eth1 -p udp -m string --string "elease" --algo bm --to 65535 -j LOG --log-prefix "received release from 015"

where 10.1.1.1 is the machine with iptables, the internal net router. 10.1.1.15 is Windows XP.

I would like to match it with a flag, not a string, to be more secure (netbios ns flag 0x3010).

The packet captured with wireshark is:

-------------
...
11164 11877.336283 10.1.1.15 10.1.1.255 NBNS Release NB HT015<20>
...
NetBIOS Name Service
    Transaction ID: 0x808f
    Flags: 0x3010 (Release)
        0... .... .... .... = Response: Message is a query
        .011 0... .... .... = Opcode: Release (6)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... ...1 .... = Broadcast: Broadcast packet
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        HT015<20>: type NB, class IN
            Name: HT015<20> (Server service)
            Type: NB
            Class: IN
    Additional records
        HT015<20>: type NB, class IN
            Name: HT015<20> (Server service)
            Type: NB
            Class: IN
            Time to live: 0 time
            Data length: 6
            Flags: 0x0 (B-node, unique)
                0... .... .... .... = Unique name
                .00. .... .... .... = B-node
            Addr: 10.1.1.15
-------------

I want to know when that host went offline by turning the computer off, or because of some physical failure, such as a broken cable, or a disconnected cable on the switch.

Thanks,
kbah
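An added example, not part of the original post: Python code that decodes the NBNS header flags word from the capture above, showing that 0x3010 sits at bytes 2-3 of the UDP payload and how a mask on that word differs from a substring match on "elease". The function names and sample bytes are constructed for illustration; the bit layout follows RFC 1002 and agrees with the Wireshark breakdown in the post.

```python
import struct

# NBNS header per RFC 1002 section 4.2.1.1: six big-endian 16-bit words.
NBNS_HEADER = struct.Struct("!6H")
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
FLAGS_OFFSET = 2  # the flags word follows the 2-byte transaction ID


def decode_nbns_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte NBNS header at the start of a UDP/137 payload."""
    if len(payload) < NBNS_HEADER.size:
        raise ValueError("payload shorter than the 12-byte NBNS header")
    txid, flags, qd, an, ns, ar = NBNS_HEADER.unpack_from(payload)
    opcode = (flags >> 11) & 0xF
    return {
        "transaction_id": txid,
        "flags": flags,
        "response": bool(flags & 0x8000),
        "opcode": opcode,
        "opcode_name": OPCODES.get(opcode, "unknown"),
        "truncated": bool(flags & 0x0200),
        "recursion_desired": bool(flags & 0x0100),
        "broadcast": bool(flags & 0x0010),
        "rcode": flags & 0x000F,
        "questions": qd, "answer_rrs": an, "authority_rrs": ns, "additional_rrs": ar,
    }


def is_name_release_request(payload: bytes) -> bool:
    """True when the R bit is clear and the opcode is 6; other flag bits are ignored."""
    if len(payload) < FLAGS_OFFSET + 2:
        return False
    (flags,) = struct.unpack_from("!H", payload, FLAGS_OFFSET)
    return (flags & 0xF800) == 0x3000


# Constructed sample: header values copied from the capture in the post
# (transaction ID 0x808f, flags 0x3010, 1 question, 1 additional record);
# the name records that follow the header are omitted.
SAMPLE_HEADER = bytes.fromhex("808f" "3010" "0001" "0000" "0000" "0001")
# Constructed counter-example: a payload that merely contains the text "elease".
SAMPLE_TEXT = b"\x00\x00\x01\x10please release me"

if __name__ == "__main__":
    print(decode_nbns_header(SAMPLE_HEADER))
    print(is_name_release_request(SAMPLE_HEADER), is_name_release_request(SAMPLE_TEXT))
```

The mask 0xF800 covers only the response bit and the opcode, so a release is recognised whether or not the broadcast bit is set; comparing the whole word against 0x3010 would match the broadcast form only.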