Match Netbios responses for hostnames over length 15 #4446
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #4446 +/- ##
=======================================
Coverage 81.45% 81.46%
=======================================
Files 353 353
Lines 84400 84481 +81
=======================================
+ Hits 68751 68822 +71
- Misses 15649 15659 +10
|
scapy/layers/netbios.py
Outdated
| @@ -193,9 +193,10 @@ def mysummary(self): | |||
| ) | |||
|
|
|||
| def answers(self, other): | |||
| trimmed_name = self.RR_NAME[:15] | |||
There was a problem hiding this comment.
This PR will trim the original hostname being queried when matching requests in answers.
This isn't really doing what you're saying it does. Where you're trimming the answered host name.. I'm unsure how that hostname could be bigger than 15?
There was a problem hiding this comment.
I went to see what you had changed in your PR where you implemented the query responses, and I assumed that self.RR_NAME is where the query hostname is being saved and that answers is what matches requests to responses. I'm probably making a wrong assumption here because I don't really understand how sr1 finds matches yet.
I'll open it in the debugger tomorrow and gather some screenshots and fix any mistakes I find. Sorry for the confusion.
There was a problem hiding this comment.
I think I may have mixed up which hostname is in which variable. If other.QUESTION_NAME is the original request, then that's the one that would need to be trimmed.
There was a problem hiding this comment.
I think that the best, and most Scapish-way of achieving this behavior would be to add an any2i() function to the Netbios field that crops the input to the first 15 characters.
This way when building the packet, you'd already see the name being cropped.
There was a problem hiding this comment.
Sounds good, I'll look into this and update the PR. Thanks for the input!
There was a problem hiding this comment.
I think I need another nudge. I have added an any2i method to the NetBIOSNameField with a couple of print statements to make sure it is running as expected:
class NetBIOSNameField(StrFixedLenField):
def __init__(self, name, default, length=31):
# type: (str, bytes, int) -> None
StrFixedLenField.__init__(self, name, default, length)
def any2i(self, pkt, x):
print(x)
if len(x) > 15:
x = x[:15]
print(x)
return xI can see that it is running the code and trimming the field value correctly:
Loremipsumdolorsitamet
Loremipsumdolor
However, the response packet is still not being captured.
I see how it's called in the Packet.__init__() method, and I'm trying to look at other examples in fields.py but I'm a little lost at the moment.
There was a problem hiding this comment.
I've also tried fiddling with the length=31 parameter to change the length of the underlying StrFixedLenField to 15, but that resulted in a malformed packet.
There was a problem hiding this comment.
Oh sorry, h2i might be more appropriate
There was a problem hiding this comment.
h2i was what we needed. Thanks for the help! The most recent commit was working for me when testing.
Scapy handles long netbios hostname queries by trimming the hostname to the maximum of 15 characters before sending the request. When a response is sent back, Scapy fails to match the response to the request because it matches the trimmed hostname against the full-length one originally requested.
This PR will trim the original hostname being queried when matching requests in
answers.This is referenced in issue #4443