blob: 952f72b1bb9d8fb5238fa72e52589d15fcb627fb (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
tcpdump(1) hacked to better understand SMB packets.
smbtcpdump gives the ability to interpret NBT and SMB packets in a fair bit
of detail.
To capture all SMB packets going to or from host "fred" try this:
tcpdump -s 1500 'port 139 and host fred'
If you want name resolution or browse packets then try ports 137 and
138 respectively:
tcpdump -s 1500 '(port 139 or 138 or 137) and host fred'
Example Output:
Here is a sample of a capture of a "SMBsearch" directory search. If
you don't get output that looks like this then smbtcpdump is not working
correctly.
NBT Session Packet
Flags=0x0
Length=57
SMB PACKET: SMBsearch (REQUEST)
SMB Command = 0x81
Error class = 0x0
Error code = 0
Flags1 = 0x8
Flags2 = 0x3
Tree ID = 2048
Proc ID = 11787
UID = 2048
MID = 11887
Word Count = 2
smbvwv[]=
Count=98
Attrib=HIDDEN SYSTEM DIR
smbbuf[]=
Path=\????????.???
BlkType=0x5
BlkLen=0
|