Hello trid users,
some days ago i want to install a bridge stick that should send data of my
inverter getting energy from solar panels via WLAN in the cloud. Something was
not working. That was bad because configuration via APP on smartphone was not
working. Nowadays most devices rely on such features. But when things are not
working as expected the devices send light signals via coloured LEDs. Then you
must look up in the description what this means. Often this is not really
helpful because you get only a generic error hint. For around 200 years ago
Samuel Morse code was invented and this is more easier to read because it is
standardized, whereas for most electric devices every manufacturer implements
it own blinking system.
In my desperation i try to connect to WLAN access point offered by that device
and run network scanning tool nmap or zenmap to see what ports are used on
that device. The reports can be saved. One format use GNMAP as file names
suffix. That is expressed in new definition by line like:
<Ext>GNMAP</Ext>
There exist other formats with XML or NMAP suffix. Unfortunately there seems
to exist variants or name collisions with other formats. So in this session i
will handle only GNMAP format.
It took some time to get some different samples. On an old SUSE system i get
samples with lowest version 6.47 dated about October 2014. I also compiled
newest version 7.94. I also run nmap on Windows system, Mint x64 and Rasbian
system.
So i run trid utility on my examples with GNMAP suffix. Some samples (16/31)
are recognized and described as "Nmap scan results" by log-nmap.trid.xml dated
about February 2011. But here LOG is shown as file name suffix and no mime
type is displayed. As reference a page about Nmap on Wikipedia is listed. This
is done by line like:
<RefURL>
http://en.wikipedia.org/wiki/Nmap</RefURL>
But half of my samples are not recognized and described as "Unknown!" (see
appended trid-v-old.txt in output).
For comparison reason i also run the file format identification utility DROID
(See
https://sourceforge.net/projects/droid/). Here the samples are not
recognized.
For comparison reason i also run file command (version 5.45) on such samples.
Here the samples are "recognized". These are here described generic as "ASCII
text" (see appended file-5.45.txt in output). Therefor here the mime type
text/plain is shown (see appended file-i-5.45.txt in output). Here no file
name suffix is shown (see appended file-ext-5.45.txt in output).
Luckily i found page about this Grepable Output format on nmap web server. So
this expressed by line like:
<RefURL>
https://nmap.org/book/output-formats-grepable-output.html</RefURL>
So i run tridscan on my samples to generate gnmap.trid.xml. Apparently the
characteristics inside Front Block section are triggered by first lines. These
can be show for example by command like:
head -1 *.gnmap
which gives output like:
==> 4Gmodem-tcp.gnmap <==
# Nmap 7.93 scan initiated Sat Jan 13 18:38:57 2024 as:
"C:\\Program Files (x86)\\Nmap\\nmap.exe" -p 1-65535 -T4 -A -v -oA 4Gmodem-tcp 192.168.100.1
==> athom-quick-pi.gnmap <==
# Nmap 7.94 scan initiated Thu Feb 1 13:47:18 2024 as:
/home/tmp/nmap-7.94/nmap -T4 -F -oA athom-quick-pi 192.168.4.1
==> opendtu-udp.gnmap <==
# Nmap 7.93 scan initiated Tue Nov 7 00:30:59 2023 as:
"c:/Program Files (x86)/Nmap/nmap.exe" -sS -sU -T4 -A -v -oA opendtu-udp 192.168.4.1
==> scanme.nmap.org-.gnmap <==
# Nmap 6.47 scan initiated Thu Feb 15 15:40:06 2024 as:
nmap -v -oA scanme.nmap.org- scanme.nmap.org
==> scanme.nmap.org-2.gnmap <==
# Nmap 7.93 scan initiated Thu Feb 15 18:40:49 2024 as:
nmap -T4 -A -v -oG - scanme.nmap.org
So i looked at generated patterns and compare it with patterns inside
log-nmap.trid.xml. First construct is triggered by comment marker followed by
capitalized program name surrounded by space characters. So that is expressed
by first XML construct that looks like:
<Bytes>23204E6D617020</Bytes>
<ASCII> # N m a p</ASCII>
<Pos>0</Pos>
If there exist samples with low cased program name than i get constructs like
in log-nmap.trid.xml.
The next construct like in gnmap.trid.xml is triggered by 4 byte versions
(like 6.47 7.93 7.94) So shared point character is expressed in both
definitions by construct like:
<Bytes>2E</Bytes>
<Pos>8</Pos>
On reference page an example 13.14 is mentioned. There version number is
5.35DC18. If there exist in reality such samples then of course this is the
last construct because all other characteristic phrases are shifted right and
disappear in front block section.
Next construct in both definitions is like:
<Bytes>207363616E20696E6974696174656420</Bytes>
<ASCII> s c a n i n i t i a t e d</ASCII>
<Pos>11</Pos>
The next 3 XML constructs are triggered by space character separating the day,
month-name and hour digits. That is expressed by constructs like:
<Pattern>
<Bytes>20</Bytes>
<Pos>30</Pos>
</Pattern>
<Pattern>
<Bytes>20</Bytes>
<Pos>34</Pos>
</Pattern>
<Pattern>
<Bytes>20</Bytes>
<Pos>37</Pos>
</Pattern>
The next 2 XML constructs are triggered by colon character separating the
hour, minutes and seconds digits. That is expressed in both definitions by
constructs like:
<Pattern>
<Bytes>3A</Bytes>
<ASCII> :</ASCII>
<Pos>40</Pos>
</Pattern>
<Pattern>
<Bytes>3A</Bytes>
<ASCII> :</ASCII>
<Pos>43</Pos>
</Pattern>
The next XML constructs are triggered by year digits. So all my examples are
generated in twenty century. So that was expressed by constructs like:
<Bytes>20323032</Bytes>
<ASCII> 2 0 2</ASCII>
<Pos>46</Pos>
Assuming that there could exist samples in far past or future the digit will
vanish and only separating space character will survive. So this become like:
<Bytes>20</Bytes>
<ASCII> </ASCII>
<Pos>46</Pos>
The next phrase before naming program name and arguments is expressed in both
definitions by last XML construct like:
<Bytes>2061733A20</Bytes>
<ASCII> a s :</ASCII>
<Pos>51</Pos>
So in front block section both definitions seems to describe the same or
similar format, when neglecting space characters. In both definitions from
first line the same patterns is described inside global strings section by
line like:
<String>SCAN INITIATED</String>
Then i my definition the plural form of port is found. So that is expressed by
line like:
<String>PORTS</String>
Now comes the main difference between the 2 definitions. In mine i got
additional lines like:
<String>HOST</String>
<String>SECONDS</String>
<String>UP) SCANNED IN</String>
<String>NMAP DONE AT</String>
<String>IP ADDRESS</String>
Apparently these are triggered by last line of nmap reports. These can be
shown for example by command like:
tail -1 *.gnmap
which gives output like:
==> 4Gmodem-tcp.gnmap <==
# Nmap done at Sat Jan 13 18:43:06 2024 -- 1 IP address (1 host up) scanned in 249.65 seconds
==> athom-quick-pi.gnmap <==
# Nmap done at Thu Feb 1 13:47:25 2024 -- 1 IP address (1 host up) scanned in 7.00 seconds
==> opendtu-udp.gnmap <==
# Nmap done at Tue Nov 7 00:33:29 2023 -- 1 IP address (1 host up) scanned in 150.83 seconds
==> plug-win-quick.gnmap <==
# Nmap done at Fri Feb 2 02:31:38 2024 -- 1 IP address (1 host up) scanned in 1.31 seconds
==> scanme.nmap.org-.gnmap <==
# Nmap done at Thu Feb 15 15:40:20 2024 -- 1 IP address (1 host up) scanned in 14.17 seconds
==> scanme.nmap.org-2.gnmap <==
# Nmap done at Thu Feb 15 18:41:16 2024 -- 1 IP address (1 host up) scanned in 27.41 seconds
Furthermore log-nmap.trid.xml contain 2 lines like:
<String>NMAP -</String>
<String>STATE</String>
The first lines is apparently triggered by program name followed argument
options which start with minus character. But this only true for UNIX like
systems. On Window systems the program name is followed by .exe and also
enclosed in quote characters. So that in other definition that line vanished.
So i do not know what exactly is described by log-nmap.trid.xml. Maybe it is
older variant.
The samples are apparently text files. So the generic mime type like
text/plain is not wrong for such samples. Many text editors can colorize
output according to keywords known for sub classes of text. So i choose an
used defined sub class of text that is expressed by line like:
<Mime>text/x-gnmap</Mime>
With the new definition all my GNMAP reports are now recognized and described
with correct suffix (see appended trid-v-new.txt in output).
TrID definitions, some samples and output are stored in archive gnmap_.zip. I
hope that my definition can be used in future version of triddefs. As
mentioned there exist other output formats of nmap. I will try to handle these
in a future session.
Later i found the reason for annoying error with wireless connection. If
weather is too bad then produced energy is too low to get enough power for
wireless module.
With best wishes
J?rg Jenderek
