path: root/net/smbtcpdump/pkg-descr
tcpdump(1) hacked to better understand SMB packets. 
smbtcpdump gives the ability to interpret NBT and SMB packets in a fair bit
of detail.

To capture all SMB packets going to or from host "fred" try this:

	tcpdump -s 1500 'port 139 and host fred'

If you want name resolution or browse packets then try ports 137 and
138 respectively:

	tcpdump -s 1500 '(port 139 or 138 or 137) and host fred'

Example Output:

Here is a sample of a capture of a "SMBsearch" directory search. If
you don't get output that looks like this then smbtcpdump is not working
correctly.

NBT Session Packet
Flags=0x0
Length=57

SMB PACKET: SMBsearch (REQUEST)
SMB Command   =  0x81
Error class   =  0x0
Error code    =  0
Flags1        =  0x8
Flags2        =  0x3
Tree ID       =  2048
Proc ID       =  11787
UID           =  2048
MID           =  11887
Word Count    =  2
smbvwv[]=
Count=98
Attrib=HIDDEN SYSTEM DIR 
smbbuf[]=
Path=\????????.???
BlkType=0x5
BlkLen=0
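
The field layout behind that output, as an added example (not smbtcpdump's own code): it decodes a 4-byte NBT session header, the 32-byte SMB1 header and the SMBsearch request body. The function names build_sample and parse_search are hypothetical, and the 57-byte packet is constructed to match the sample above, not taken from a capture.

```python
import struct

ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
         0x08: "VOLUME", 0x10: "DIR", 0x20: "ARCHIVE"}

def build_sample():
    """Constructed 57-byte SMBsearch request matching the sample output (not a capture)."""
    hdr = struct.pack("<4sBBBHBHH8sHHHHH", b"\xffSMB", 0x81, 0, 0, 0, 0x08, 0x3,
                      0, b"\0" * 8, 0, 2048, 11787, 2048, 11887)
    buf = b"\x04" + b"\\????????.???" + b"\0" + struct.pack("<BH", 0x05, 0)
    smb = hdr + struct.pack("<BHHH", 2, 98, 0x16, len(buf)) + buf
    return struct.pack(">BBH", 0x00, 0x00, len(smb)) + smb

def parse_search(frame):
    """Decode NBT session header, SMB1 header and SMBsearch request fields."""
    if len(frame) < 4:
        raise ValueError("short NBT header")
    ptype, nbt_flags, length = struct.unpack_from(">BBH", frame)
    length |= (nbt_flags & 1) << 16        # low flag bit is the 17th length bit
    smb = frame[4:4 + length]
    if ptype != 0x00 or len(smb) != length:
        raise ValueError("not a complete NBT session message")
    if len(smb) < 35 or smb[:4] != b"\xffSMB":
        raise ValueError("no SMB header")
    # command, DOS error class/reserved/code, flags, flags2, PID high,
    # 8 signature bytes, reserved, then TID, PID, UID, MID (little-endian)
    cmd, eclass, _, ecode, f1, f2, _, _, _, tid, pid, uid, mid = \
        struct.unpack_from("<BBBHBHH8sHHHHH", smb, 4)
    wc = smb[32]
    off = 33 + 2 * wc                      # offset of the byte-count field
    if cmd != 0x81 or wc != 2 or len(smb) < off + 2:
        raise ValueError("not an SMBsearch request")
    count, attrib = struct.unpack_from("<HH", smb, 33)      # smbvwv[]
    (bcc,) = struct.unpack_from("<H", smb, off)
    buf = smb[off + 2:off + 2 + bcc]                         # smbbuf[]
    nul = buf.find(b"\0", 1)
    if len(buf) != bcc or buf[:1] != b"\x04" or nul < 0 or len(buf) < nul + 4:
        raise ValueError("malformed smbbuf")
    blk_type, blk_len = struct.unpack_from("<BH", buf, nul + 1)
    return {"Flags": nbt_flags, "Length": length, "SMB Command": cmd,
            "Error class": eclass, "Error code": ecode, "Flags1": f1,
            "Flags2": f2, "Tree ID": tid, "Proc ID": pid, "UID": uid, "MID": mid,
            "Word Count": wc, "Count": count,
            "Attrib": " ".join(n for b, n in sorted(ATTRS.items()) if attrib & b),
            "Path": buf[1:nul].decode("ascii", "replace"),
            "BlkType": blk_type, "BlkLen": blk_len}

if __name__ == "__main__":
    for key, value in parse_search(build_sample()).items():
        print(f"{key}={value}")
```

The length and byte-count checks reject truncated frames instead of reading past the end, which is where hand-written dissectors most often go wrong.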