I think RDP is just using T.126 with some extra extensions.
As far as I recall it is using the old legacy encoding and not ASN PER.
I did find some documentation about this a long time ago but never had
any traces/nor real interest in implementing it.
It should be possible to find the T.126 family as well as the old
legacy encoding through google.
(the old legacy encoding means the dissector has to be written by hand
since asn2wrs can not be used)
On 10/25/07, DePriest, Jason R. <jrdepriest@xxxxxxxxx> wrote:
> After Tenable announced that they are going to have operating system
> detection based on Remote Desktop fingerprinting available to Direct
> Feed customers (http://blog.tenablesecurity.com/2007/10/windows-operati.html),
> I thought it would be great to figure out how they are doing that.
>
> Unfortunately, I can't seem to locate any good technical documentation
> on how RDP does what it does.
>
> I considered looking at the linux programs that use it (rdesktop) and
> trying to read their code, but I don't write code myself so it would
> be hit or miss.
>
> RDP is Microsoft's baby and I don't know where to look for in depth docs on it.
>
> Does anyone have a link or two to some helpful stuff that would help
> me break the code? Or will I just need to figure it the hard way?
>
> Thanks!
>
> -Jason
>
> --
> NOTICE: This email is being sent in clear-text across the public
> Internet. Therefore, any attempts to include unenforceable legalese
> restrictions are ridiculous and pointless. If you can read this,
> consider yourself authorized (whether I like it or not).
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>