Maybe legacy mode is not used anymore in modern implementations? Looking at frame 6 in his capture RDP-002... the user data transported on top of X.224 is definitely BER encoded.
It starts with 0x7f, then what follows is definitely BER. Frame 6/7 starts with BER APPLICATION 5/6. Could this be MTrq/MTcf from T.125?

On 10/26/07, Kukosa, Tomas <[EMAIL PROTECTED]> wrote:
>
> I can look if asn2wrs could generate at least some useful code for
> T.128 Legacy mode.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > ronnie sahlberg
> > Sent: Wednesday, October 24, 2007 10:09 PM
> > To: Developer support list for Wireshark
> > Subject: Re: [Wireshark-dev] decoding Remote Desktop Protocol
> >
> > I think RDP is just using T.126 with some extra extensions.
> > As far as I recall it is using the old legacy encoding and
> > not ASN PER.
> >
> > I did find some documentation about this a long time ago but never had
> > any traces/nor real interest in implementing it.
> >
> > It should be possible to find the T.126 family as well as the old
> > legacy encoding through google.
> > (the old legacy encoding means the dissector has to be written by hand
> > since asn2wrs can not be used)
> >
> > On 10/25/07, DePriest, Jason R. <[EMAIL PROTECTED]> wrote:
> > > After Tenable announced that they are going to have operating system
> > > detection based on Remote Desktop fingerprinting available to Direct
> > > Feed customers
> > > (http://blog.tenablesecurity.com/2007/10/windows-operati.html),
> > > I thought it would be great to figure out how they are doing that.
> > >
> > > Unfortunately, I can't seem to locate any good technical documentation
> > > on how RDP does what it does.
> > >
> > > I considered looking at the linux programs that use it (rdesktop) and
> > > trying to read their code, but I don't write code myself so it would
> > > be hit or miss.
> > >
> > > RDP is Microsoft's baby and I don't know where to look for
> > > in depth docs on it.
> > >
> > > Does anyone have a link or two to some helpful stuff that would help
> > > me break the code? Or will I just need to figure it out the hard way?
> > >
> > > Thanks!
> > >
> > > -Jason
> > >
> > > --
> > > NOTICE: This email is being sent in clear-text across the public
> > > Internet. Therefore, any attempts to include unenforceable legalese
> > > restrictions are ridiculous and pointless. If you can read this,
> > > consider yourself authorized (whether I like it or not).
> > > _______________________________________________
> > > Wireshark-dev mailing list
> > > [email protected]
> > > http://www.wireshark.org/mailman/listinfo/wireshark-dev
