[MS-RAI] [MS-RA] parsing remote assistance packets in network monitor

  • Question

  • Hi, I am trying to implement a remote assistance client on linux.

    I use network monitor to capture RA connections, but the captured file only has plain TCP packets, network monitor didn't parse them as RA or RDP packets.

    The same Network Monitor configuration can parse RDP connections and even decrypt them (I added the RDP server's private key to Network Monitor).

    I thought MS-RA is based on the RDP protocol, so Network Monitor should be able to parse RA connections. Is that true?

    Thank you

    Saturday, March 17, 2012 12:20 PM

Answers

  • Hi xaioapple,

    The purpose of this forum is to support the Open Specifications documentation. You can read about the Microsoft Open Specifications program at http://www.microsoft.com/openspecifications/en/us/default.aspx. The library of Open Specification documents is located at http://msdn.microsoft.com/en-us/library/dd208104(PROT.10).aspx.

    The forum that discusses Netmon issues is http://social.msdn.microsoft.com/Forums/en-US/netmon/threads.

    Remote Assistance offers a challenge to the Network Monitor parsers because it uses non-assigned TCP port numbers, and part of the Remote Assistance experience occurs off-the-wire (by transmitting connection information over e-mail, a shared file, etc.). The example you provided uses ports 16407 and 49188, which were assigned when each side made its listening port. The handshake, the message to the Expert side with the Novice's connection information, was communicated off-the-wire, thus Network Monitor never sees it. Network Monitor would need to heuristically discover that the traffic was Remote Assistance traffic by doing a deeper inspection of the otherwise random TCP traffic (looking for embedded UUIDs, etc.).

    Network Monitor does have a feature where you can highlight a portion of the hex output, right-click, select "Decode As" and pick the protocol or structure the hex output represents.

    Please post to the Netmon forum for follow-up.

    Bryan S. Burgin | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team

    Monday, March 19, 2012 7:15 PM
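A heuristic of the kind the answer describes, as an added example that is not from the thread, from Network Monitor or from Microsoft: it parses the SrcPort/DstPort/PayloadLen fields of Netmon frame-summary lines and scans TCP payloads for embedded textual UUIDs (ASCII or UTF-16LE), so a defender can flag a flow on non-assigned ports that carries one as a candidate Remote Assistance session worth decoding by hand. The summary lines are those posted in the thread; the payload bytes and the ASSIGNED_PORTS set are constructed assumptions.

```python
import re

# Fields from a Netmon frame summary, e.g. "SrcPort=16407, DstPort=49188, PayloadLen=43".
SUMMARY = re.compile(r"SrcPort=(\d+), DstPort=(\d+), PayloadLen=(\d+)")
HEX = rb"[0-9a-fA-F]"
# Textual UUID (8-4-4-4-12 hex digits) in plain ASCII ...
UUID_ASCII = re.compile(HEX + rb"{8}-(?:" + HEX + rb"{4}-){3}" + HEX + rb"{12}")
# ... and the same text in UTF-16LE (a NUL byte after every character).
UUID_UTF16 = re.compile(
    rb"(?:" + HEX + rb"\x00){8}-\x00(?:(?:" + HEX + rb"\x00){4}-\x00){3}(?:" + HEX + rb"\x00){12}"
)
# Constructed assumption: ports Netmon already parses by number; RDP's 3389 is the obvious one.
ASSIGNED_PORTS = {3389}

def parse_summary(line):
    """Return (src_port, dst_port, payload_len) from a Netmon summary line, or None."""
    m = SUMMARY.search(line)
    return tuple(int(x) for x in m.groups()) if m else None

def find_uuids(payload):
    """Return the distinct textual UUIDs embedded in a payload, lower-cased."""
    hits = [m.group(0).decode("ascii") for m in UUID_ASCII.finditer(payload)]
    hits += [m.group(0).decode("utf-16-le") for m in UUID_UTF16.finditer(payload)]
    return sorted({u.lower() for u in hits})

def classify_flow(summaries, payloads):
    """'assigned-port' if Netmon can parse the flow by port number, 'no-uuid' if nothing
    identifies it, 'candidate-ra' if it runs on non-assigned ports and carries a UUID."""
    ports = set()
    for line in summaries:
        parsed = parse_summary(line)
        if parsed:
            ports.update(parsed[:2])
    if ports & ASSIGNED_PORTS:
        return "assigned-port", []
    uuids = sorted({u for data in payloads for u in find_uuids(data)})
    return ("candidate-ra", uuids) if uuids else ("no-uuid", [])

# Summary lines as posted in the thread (SYN, SYN/ACK, ACK, first data segment).
FRAMES = [
    "TCP:Flags=......S., SrcPort=16407, DstPort=49188, PayloadLen=0, Seq=1469656929, Ack=0",
    "TCP:Flags=...A..S., SrcPort=49188, DstPort=16407, PayloadLen=0, Seq=995906144, Ack=1469656930",
    "TCP:Flags=...A...., SrcPort=16407, DstPort=49188, PayloadLen=0, Seq=1469656930, Ack=995906145",
    "TCP:Flags=...AP..., SrcPort=16407, DstPort=49188, PayloadLen=43, Seq=1469656930 - 1469656973",
]
# Constructed payload (not captured data): UTF-16LE text carrying the RFC 4122 DNS namespace UUID.
PAYLOAD = "id=6ba7b810-9dad-11d1-80b4-00c04fd430c8".encode("utf-16-le")
```

Running `classify_flow(FRAMES, [PAYLOAD])` labels the thread's 16407/49188 flow a candidate and lists the UUID that justified it.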

All replies

  • Hi xiaoapple,

    Thank you for contacting Microsoft. A member of the Open Specification Team will be in touch soon.

    Thanks.



    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Saturday, March 17, 2012 3:44 PM
  • Sorry, I could not figure out how to attach Network Monitor capture files. These are the first 4 lines of the Network Monitor captured packets:

    5    21:00:10 2012/3/16    11.8452589    TCP    TCP:Flags=......S., SrcPort=16407, DstPort=49188, PayloadLen=0, Seq=1469656929, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192    {TCP:2, IPv4:1}
    8    21:00:10 2012/3/16    11.8462740    TCP    TCP:Flags=...A..S., SrcPort=49188, DstPort=16407, PayloadLen=0, Seq=995906144, Ack=1469656930, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152    {TCP:2, IPv4:1}
    9    21:00:10 2012/3/16    11.8464558    TCP    TCP:Flags=...A...., SrcPort=16407, DstPort=49188, PayloadLen=0, Seq=1469656930, Ack=995906145, Win=16425 (scale factor 0x2) = 65700    {TCP:2, IPv4:1}
    10    21:00:10 2012/3/16    12.5472628    TCP    TCP:Flags=...AP..., SrcPort=16407, DstPort=49188, PayloadLen=43, Seq=1469656930 - 1469656973, Ack=995906145, Win=16425 (scale factor 0x2) = 65700    {TCP:2, IPv4:1}

    Monday, March 19, 2012 12:40 PM
  • Thank you for the reply.

    It is very helpful.

    Wednesday, March 28, 2012 12:39 PM