Linux Netfilter discussions
* Match specific netbios flag?
@ 2007-05-16 23:00 k bah
  2007-05-17  0:14 ` Jorge Davila
From: k bah @ 2007-05-16 23:00 UTC (permalink / raw)
  To: netfilter


 Hi,

 I'm using kernel 2.6.17, iptables 1.3.5.
 
 Is there a way to match specific netbios ns flags? I did not find any on the iptables man page.

 I'm trying to log it like this:

 -A INPUT -s 10.1.1.15 -i eth1 -p udp -m string --string "elease" --algo bm --to 65535 -j LOG --log-prefix "received release from 015"

 where 10.1.1.1 is the machine with iptables, the internal net router. 10.1.1.15 is Windows XP.

 I would like to match it with a flag, not a string, to be more secure (netbios ns flag 0x3010).

 The packet captured with Wireshark is:
-------------
...
11164 11877.336283 10.1.1.15              10.1.1.255            NBNS     Release NB HT015<20>
...
NetBIOS Name Service
    Transaction ID: 0x808f
    Flags: 0x3010 (Release)
        0... .... .... .... = Response: Message is a query
        .011 0... .... .... = Opcode: Release (6)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... ...1 .... = Broadcast: Broadcast packet
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        HT015<20>: type NB, class IN
            Name: HT015<20> (Server service)
            Type: NB
            Class: IN
    Additional records
        HT015<20>: type NB, class IN
            Name: HT015<20> (Server service)
            Type: NB
            Class: IN
            Time to live: 0 time
            Data length: 6
            Flags: 0x0 (B-node, unique)
                0... .... .... .... = Unique name
                .00. .... .... .... = B-node
            Addr: 10.1.1.15
-------------

 I want to know when that host went offline by turning the computer off, or because of some physical failure, such as a broken cable, or a disconnected cable on the switch.

 thanks,

 kbah





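As an added example (not part of the original post), here is a small Python decoder for the NBNS header fields shown in the Wireshark dissection above. It builds a constructed Release packet with the same values as the capture (transaction ID 0x808f, flags 0x3010, name HT015<20>, address 10.1.1.15), splits the flags word into the R / OPCODE / NM_FLAGS / RCODE fields defined in RFC 1002, and decides whether a datagram is a name-release request for a given host. The packet bytes are constructed here, not taken from the original capture.

```python
import struct

# NBNS opcodes (RFC 1002, section 4.2.1.1)
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}


def decode_flags(flags):
    """Split the 16-bit NBNS header flags word into its RFC 1002 fields."""
    return {
        "response": bool(flags & 0x8000),             # R: 0 = request, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "opcode_name": OPCODES.get((flags >> 11) & 0xF, "unknown"),
        "authoritative": bool(flags & 0x0400),        # AA
        "truncated": bool(flags & 0x0200),            # TC
        "recursion_desired": bool(flags & 0x0100),    # RD
        "recursion_available": bool(flags & 0x0080),  # RA
        "broadcast": bool(flags & 0x0010),            # B
        "rcode": flags & 0x000F,
    }


def encode_name(name, suffix):
    """First-level encode a NetBIOS name: 15 chars + suffix byte, each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray([32])  # the encoded name is always one 32-byte label
    for b in raw:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0xF)])
    out += b"\x00"  # no scope: terminating zero-length label
    return bytes(out)


def decode_name(buf, off):
    """Decode an encoded name at buf[off]; return (name, suffix, next offset)."""
    if buf[off] != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 bytes")
    enc = buf[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    off += 33
    while buf[off] != 0:          # skip scope labels (none in the captured packet)
        off += 1 + buf[off]
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15], off + 1


def parse_nb_rr(buf, off):
    """Parse one resource record; for type NB (0x20) also extract NB flags and address."""
    name, suffix, off = decode_name(buf, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
    off += 10
    rdata = buf[off:off + rdlen]
    rr = {"name": name, "suffix": suffix, "type": rtype, "class": rclass, "ttl": ttl}
    if rtype == 0x20 and rdlen >= 6:
        nb_flags = struct.unpack("!H", rdata[:2])[0]
        rr["group"] = bool(nb_flags & 0x8000)      # G bit: 0 = unique name
        rr["node_type"] = (nb_flags >> 13) & 0x3   # ONT: 0 = B-node
        rr["addr"] = ".".join(str(b) for b in rdata[2:6])
    return rr, off + rdlen


def parse_nbns(payload):
    """Parse the UDP payload of an NBNS datagram (header, questions, all RRs)."""
    if len(payload) < 12:
        raise ValueError("short NBNS header")
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    info = {"transaction_id": tid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}
    info.update(decode_flags(flags))
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, suffix, off = decode_name(payload, off)
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append({"name": name, "suffix": suffix, "type": qtype, "class": qclass})
    for _ in range(an + ns + ar):
        rr, off = parse_nb_rr(payload, off)
        records.append(rr)
    info["questions"], info["records"] = questions, records
    return info


def is_name_release(payload, host=None):
    """True for a Release request (R=0, OPCODE=6), optionally only for one host name."""
    info = parse_nbns(payload)
    if info["response"] or info["opcode"] != 6:
        return False
    return host is None or any(q["name"] == host.upper() for q in info["questions"])


def build_release(tid, name, suffix, addr):
    """Construct a Release request laid out like the captured packet (sample data)."""
    header = struct.pack("!HHHHHH", tid, 0x3010, 1, 0, 0, 1)
    qname = encode_name(name, suffix)
    question = qname + struct.pack("!HH", 0x20, 1)               # type NB, class IN
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in addr.split("."))
    additional = qname + struct.pack("!HHIH", 0x20, 1, 0, len(rdata)) + rdata
    return header + question + additional


# Constructed sample with the values from the dissection above (not the real capture).
SAMPLE_RELEASE = build_release(0x808F, "HT015", 0x20, "10.1.1.15")

if __name__ == "__main__":
    info = parse_nbns(SAMPLE_RELEASE)
    print(hex(info["flags"]), info["opcode_name"], info["questions"][0], info["records"][0])
    print("release from HT015:", is_name_release(SAMPLE_RELEASE, "HT015"))
```

The decoder shows why a string match on "elease" is fragile: the word "Release" never appears in the datagram at all (Wireshark prints it from the opcode), so the rule in the original post only fires on coincidental payload bytes. The flags word sits at bytes 2 and 3 of the UDP payload, so a rule that matches on it needs a byte-offset match rather than a string match. The iptables u32 match (added to the mainline kernel in 2.6.19, so not in the 2.6.17 tree named above) can express that; an expression along the lines of `-p udp --dport 137 -m u32 --u32 "0>>22&0x3C@8&0xFFFF=0x3010"` (skip the IP header, load the 4 bytes at UDP offset 8, keep the flags half) is my assumption about the correct form, and should be verified against the u32 documentation for your build.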
* Re: Match specific netbios flag?
@ 2007-05-17  1:43 k bah
From: k bah @ 2007-05-17  1:43 UTC (permalink / raw)
  To: netfilter


> ----- Original Message -----
> From: "Jorge Davila" <davila@nicaraguaopensource.com>
> To: "k bah" <kbah@linuxmail.org>, netfilter@lists.netfilter.org
> Subject: Re: Match specific netbios flag?
> Date: Wed, 16 May 2007 18:14:48 -0600
> 
> 
> Maybe you must try something different instead of iptables.
> 
> For logging the connection/disconnection, the logging configuration 
> in the smb configuration file is enough.

 No samba running here.

> 
> If you really want monitoring, maybe you want to use Nagios.

 I'll take a look, thanks. The logging will also be for statistics purposes: since our network was set up a few weeks ago, I want to keep track of things while it's not stable. As I didn't find any netbios name service flags on the iptables manual (there are tcp flags), I asked. I didn't find documentation on ip_conntrack_netbios_ns either, but I gave this one only a brief search.

 thanks!




