Wireshark-dev: Re: [Wireshark-dev] decoding Remote Desktop Protocol

From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Mon, 29 Oct 2007 19:30:07 +1100
Maybe legacy mode is not used anymore in modern implementations?

Looking at frame 6 in his capture RDP-002...
the user data transported ontop ox x.224 is definitely BER encoded.

It starts with 0x7f    then what follows is definitely BER.

Frame 6/7 starts with   BER APPLICATION 5/6
Could this be  MTrq/MTcf  from T.125 ?


On 10/26/07, Kukosa, Tomas <tomas.kukosa@xxxxxxxxxxx> wrote:
>
> I can look if asn2wrs could generate at least some usefull code for
> T.128 Legacy mode.
>
>
> > -----Original Message-----
> > From: wireshark-dev-bounces@xxxxxxxxxxxxx
> > [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of
> > ronnie sahlberg
> > Sent: Wednesday, October 24, 2007 10:09 PM
> > To: Developer support list for Wireshark
> > Subject: Re: [Wireshark-dev] decoding Remote Desktop Protocol
> >
> > I think RDP is just using T.126 with some extra extensions.
> > As far as I recall it is using the old legacy encoding and
> > not ASN PER.
> >
> > I did find some documentation about this a long time ago but never had
> > any traces/nor real interest in implementing it.
> >
> > It should be possible to find the T.126 family as well as the old
> > legacy encoding through google.
> > (the old legacy encoding means the dissector has to be written by hand
> > since asn2wrs can not be used)
> >
> >
> > On 10/25/07, DePriest, Jason R. <jrdepriest@xxxxxxxxx> wrote:
> > > After Tenable announced that they are going to have operating system
> > > detection based on Remote Desktop fingerprinting available to Direct
> > > Feed customers
> > (http://blog.tenablesecurity.com/2007/10/windows-operati.html),
> > > I thought it would be great to figure out how they are doing that.
> > >
> > > Unfortunately, I can't seem to locate any good technical
> > documentation
> > > on how RDP does what it does.
> > >
> > > I considered looking at the linux programs that use it
> > (rdesktop) and
> > > trying to read their code, but I don't write code myself so it would
> > > be hit or miss.
> > >
> > > RDP is Microsoft's baby and I don't know where to look for
> > in depth docs on it.
> > >
> > > Does anyone have a link or two to some helpful stuff that would help
> > > me break the code?  Or will I just need to figure it the hard way?
> > >
> > > Thanks!
> > >
> > > -Jason
> > >
> > > --
> > > NOTICE:  This email is being sent in clear-text across the public
> > > Internet.  Therefore, any attempts to include unenforceable legalese
> > > restrictions are ridiculous and pointless.  If you can read this,
> > > consider yourself authorized (whether I like it or not).
> > > _______________________________________________
> > > Wireshark-dev mailing list
> > > Wireshark-dev@xxxxxxxxxxxxx
> > > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> > >
> > _______________________________________________
> > Wireshark-dev mailing list
> > Wireshark-dev@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> >
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>