> If you can find documentation/specifications for this protocol and would be
> willing to produce and supply capture files containing this protocol for
> testing, then I could look into implementing it in ethereal.
Note that Microsoft Network Monitor doesn't fully dissect it...
...which is a bit amusing, considering that it's Microsoft Network Monitor
that sends those packets out; it's some kind of check for Network
Monitor agents on the wire.
It shows them as Security Check packets for the "BONE" protocol; that's
the "Bloodhound-Oriented Network Entity Protocol":
http://www.microsoft.com/windows2000/en/datacenter/help/default.asp?url=/windows2000/en/datacenter/help/sag_NETMNconcepts_5.htm
"Bloodhound" being the internal name for Network Monitor.
It appears to use LLC UI frames with a DSAP of 0x03 and an SSAP of 0x02;
the first 4 bytes are "RTSS", which NetMon describes as the "signature".
After that comes 1 byte of command, which, according to NetMon's filter
construction dialog box, can be one of
    0x00 Station Query Request
    0x01 Station Query Response
    0x02 Alert
    0x03 Security Check
    0x04 Security Response, NO PMODE
    0x05 Security Monitor Announcement
followed by a byte of flags which NetMon appears not to dissect. After
that comes a bunch of stuff, which appears, in Security Check frames, to
include both ASCII and Unicode versions of the machine's host name and
the name of the user running Network Monitor, as well as the MAC address
of one of the interfaces on the machine. (I've never seen any other
frame types.) Network Monitor doesn't dissect that stuff. The strings
in question might be null-padded to some unknown lengths. (The host
name might be a NetBIOS host name, hence 16 characters, with the last
character being a name type.)
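
An added example, not part of the original message and not ethereal or Network Monitor code: a minimal Python parser for the header fields described above (LLC UI frame, DSAP 0x03, SSAP 0x02, "RTSS" signature, command byte, flags byte), useful for spotting these frames in a capture. It assumes 802.3 framing with a length field and the standard LLC UI control value 0x03; `parse_bone` and `build_sample` are hypothetical names, the sample frame is constructed, and the body after the flags byte is left opaque because its layout is not known.

```python
import struct

# From the post: LLC UI frame, DSAP 0x03, SSAP 0x02, 4-byte "RTSS" signature.
BONE_DSAP, BONE_SSAP = 0x03, 0x02
LLC_UI = 0x03  # assumption: standard LLC UI control value; 0x10 is the poll/final bit
SIGNATURE = b"RTSS"
COMMANDS = {
    0x00: "Station Query Request",
    0x01: "Station Query Response",
    0x02: "Alert",
    0x03: "Security Check",
    0x04: "Security Response, NO PMODE",
    0x05: "Security Monitor Announcement",
}

def parse_bone(frame: bytes):
    """Return the BONE header fields of an 802.3 frame, or None if it is not BONE."""
    if len(frame) < 17:  # 14-byte MAC header + 3-byte LLC header
        return None
    _dst, src, length = struct.unpack("!6s6sH", frame[:14])
    if length > 1500:  # an EtherType, not an 802.3 length, so no LLC header
        return None
    dsap, ssap, control = frame[14:17]
    if (dsap, ssap) != (BONE_DSAP, BONE_SSAP) or (control & 0xEF) != LLC_UI:
        return None
    payload = frame[17:14 + length]  # the length field excludes Ethernet padding
    if len(payload) < 6 or payload[:4] != SIGNATURE:
        return None
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src),
        "command": payload[4],
        "command_name": COMMANDS.get(payload[4], "Unknown"),
        "flags": payload[5],  # not dissected by NetMon; kept as a raw byte
        "body": payload[6:],  # host/user names and MAC; layout unknown, left opaque
    }

def build_sample() -> bytes:
    """Constructed Security Check frame (addresses and body are made up)."""
    body = b"EXAMPLEHOST\x00"
    llc = bytes([BONE_DSAP, BONE_SSAP, LLC_UI]) + SIGNATURE + bytes([0x03, 0x00]) + body
    frame = b"\xff" * 6 + bytes.fromhex("020000000001") + struct.pack("!H", len(llc)) + llc
    return frame.ljust(60, b"\x00")  # pad to the minimum Ethernet frame size

if __name__ == "__main__":
    print(parse_bone(build_sample()))
```
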