What I have found is that Microsoft's Netmon 3.1 has some "parsers" for parts of RDP.
The parser files seem to be chained so that you can't get to RDP without going through TCP first. The TCP filter has a case statement that tells it where to look next, I think. It breaks down the different parts of the RDP communication as: RDP, TCP, X224, and T125. The only real dissector is X224. The others (besides TCP, which handles the headers, and the rest is just 'data') just look like placeholders (called Stub Parsers). The RDP file actually has a couple of things in it, but not much. The comments section in the X224 parser references ISO 8073 and ITU X224, neither of which I could find an ASN.1 reference for.

The parser files are plain-text with no sort of licensing information in them. How likely is it that I would get in trouble for posting them to this list? I'll do some more reading before venturing into that.

If you are interested, just go download and install Microsoft Network Monitor 3.1 (http://blogs.technet.com/netmon/archive/2007/07/02/network-monitor-3-1-has-released.aspx for info or http://www.microsoft.com/downloads/details.aspx?familyid=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&displaylang=en to just download) and look in the \Program Files\Microsoft Network Monitor 3\NPL directory.

There are also stub parser files for a bunch of sub-pieces of RDP that I guess the RDP parser would reference in a case statement of its own.

RDPPnp - Plug and Play Devices Virtual Channel
RDPXps - XML Paper Specification (XPS) Print Virtual Channel
RDPDyc - Dynamic Channel Virtual Channel
RDPCr - Composited Remoting Protocol

-Jason

On 10/24/07, ronnie sahlberg <> wrote:
> I think RDP is just using T.126 with some extra extensions.
> As far as I recall it is using the old legacy encoding and not ASN PER.
>
> I did find some documentation about this a long time ago but never had
> any traces/nor real interest in implementing it.
>
> It should be possible to find the T.126 family as well as the old
> legacy encoding through google.
> (the old legacy encoding means the dissector has to be written by hand
> since asn2wrs can not be used)
>
>
> On 10/25/07, DePriest, Jason R. <> wrote:
> > After Tenable announced that they are going to have operating system
> > detection based on Remote Desktop fingerprinting available to Direct
> > Feed customers
> > (http://blog.tenablesecurity.com/2007/10/windows-operati.html),
> > I thought it would be great to figure out how they are doing that.
> >
> > Unfortunately, I can't seem to locate any good technical documentation
> > on how RDP does what it does.
> >
> > I considered looking at the Linux programs that use it (rdesktop) and
> > trying to read their code, but I don't write code myself so it would
> > be hit or miss.
> >
> > RDP is Microsoft's baby and I don't know where to look for in-depth docs on
> > it.
> >
> > Does anyone have a link or two to some helpful stuff that would help
> > me break the code? Or will I just need to figure it out the hard way?
> >
> > Thanks!
> >
> > -Jason

_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev
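As an added example that is not part of this thread, of Netmon's NPL files or of Wireshark: a minimal Python dissector for the X.224 (ISO 8073) class 0 TPDU carried in a TPKT record, the layer the X224 parser discussed above handles and the framing RDP uses on TCP. The two sample frames are constructed for the example, not taken from a capture, and every length field is validated before use so a malformed record is rejected rather than mis-parsed.

```python
import struct

# Constructed sample frames (not from a real capture): a TPKT record (RFC 1006)
# carrying an ISO 8073 / X.224 class 0 TPDU, the framing RDP uses on TCP 3389.
SAMPLE_CR = bytes([
    0x03, 0x00, 0x00, 0x13,         # TPKT: version 3, reserved, length 19
    0x0e, 0xe0,                     # X.224: LI = 14, code 0xE0 = CR, CDT = 0
    0x00, 0x00, 0x00, 0x00, 0x00,   # DST-REF, SRC-REF, class 0 / no options
    0x01, 0x00, 0x08, 0x00, 0x03, 0x00, 0x00, 0x00,  # 8 constructed payload bytes
])
SAMPLE_DT = bytes([
    0x03, 0x00, 0x00, 0x0b,         # TPKT: length 11
    0x02, 0xf0, 0x80,               # X.224: LI = 2, code 0xF0 = DT, EOT set
    0x01, 0x02, 0x03, 0x04,         # constructed user data
])

TPDU_NAMES = {0xE: "CR", 0xD: "CC", 0x8: "DR", 0xC: "DC", 0xF: "DT", 0x7: "ER"}  # high nibble of code byte

def parse_tpkt_x224(frame):
    """Dissect one TPKT record and the X.224 TPDU it carries.

    Length fields are checked against the buffer before use, so a crafted
    frame raises ValueError instead of reading past the record."""
    if len(frame) < 4:
        raise ValueError("short TPKT header")
    version, _reserved, length = struct.unpack("!BBH", frame[:4])
    if version != 3:
        raise ValueError("unexpected TPKT version %d" % version)
    if length < 6 or length > len(frame):
        raise ValueError("TPKT length %d does not fit %d bytes" % (length, len(frame)))
    tpdu = frame[4:length]
    li, code = tpdu[0], tpdu[1]
    if li + 1 > len(tpdu):
        raise ValueError("X.224 LI %d runs past the TPDU" % li)
    kind = TPDU_NAMES.get(code >> 4, "unknown")
    # Default: treat everything after the LI-covered header as payload.
    result = {"tpkt_len": length, "li": li, "tpdu": kind, "payload": tpdu[li + 1:]}
    if kind in ("CR", "CC"):
        if li < 6:
            raise ValueError("CR/CC needs LI >= 6, got %d" % li)
        dst_ref, src_ref, cls_opt = struct.unpack("!HHB", tpdu[2:7])
        result.update(dst_ref=dst_ref, src_ref=src_ref,
                      tp_class=cls_opt >> 4, options=cls_opt & 0x0F)
        result["payload"] = tpdu[7:]   # RDP counts its negotiation data inside LI
    elif kind == "DT":
        if li < 2:
            raise ValueError("DT needs LI >= 2, got %d" % li)
        result["eot"] = bool(tpdu[2] & 0x80)   # class 0: EOT flag, no TPDU-NR
        result["payload"] = tpdu[3:]
    return result
```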
