aboutsummaryrefslogtreecommitdiffstats
path: root/net/smbtcpdump/pkg-descr
blob: 952f72b1bb9d8fb5238fa72e52589d15fcb627fb (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
tcpdump(1) hacked to better understand SMB packets. 
smbtcpdump gives the ability to interpret NBT and SMB packets in a fair bit
of detail.

To capture all SMB packets going to or from host "fred" try this:

    tcpdump -s 1500 'port 139 and host fred'

If you want name resolution or browse packets then try ports 137 and
138 respectively:

    tcpdump -s 1500 '(port 139 or 138 or 137) and host fred'

Example Output:

Here is a sample of a capture of a "SMBsearch" directory search. If
you don't get output that looks like this then smbtcpdump is not working
correctly.

NBT Session Packet
Flags=0x0
Length=57

SMB PACKET: SMBsearch (REQUEST)
SMB Command   =  0x81
Error class   =  0x0
Error code    =  0
Flags1        =  0x8
Flags2        =  0x3
Tree ID       =  2048
Proc ID       =  11787
UID           =  2048
MID           =  11887
Word Count    =  2
smbvwv[]=
Count=98
Attrib=HIDDEN SYSTEM DIR 
smbbuf[]=
Path=\????????.???
BlkType=0x5
BlkLen=0