Update the documenation (DESCR and manpage) a little.

2 files changed, 292 insertions, 2 deletions

diff --git a/net/smbtcpdump/files/patch-01 b/net/smbtcpdump/files/patch-01
new file mode 100644
index 000000000000..4664794b21cb
--- /dev/null
+++ b/net/smbtcpdump/files/patch-01
@@ -0,0 +1,288 @@
+--- tcpdump.1.orig	Sun Jul 14 19:45:04 1996
++++ tcpdump.1	Mon Sep 14 20:03:37 1998
+@@ -20,12 +20,12 @@
+ .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ .\"
+-.TH TCPDUMP 1  "14 July 1996"
++.TH SMBTCPDUMP 1  "14 July 1996"
+ .SH NAME
+-tcpdump \- dump traffic on a network
++smbtcpdump \- dump traffic on a network (supports SMB related protocols)
+ .SH SYNOPSIS
+ .na
+-.B tcpdump
++.B smbtcpdump
+ [
+ .B \-deflnNOpqStvx
+ ] [
+@@ -65,11 +65,20 @@
+ .ad
+ .SH DESCRIPTION
+ .LP
+-\fITcpdump\fP prints out the headers of packets on a network interface
+-that match the boolean \fIexpression\fP.
++\fIsmbTcpdump\fP prints out the headers of packets on a network interface
++that match the boolean \fIexpression\fP.  The easiest way to capture
++SMB related traffic is to envoke 
++.I smbtcpdump
++as:
++.in +.5i
++.nf
++\fBsmbtcpdump -s 1500 'port 139 and host foo'\fR
++.fi
++.in -.5i
++.LP
+ .B Under SunOS with nit or bpf:
+ To run
+-.I tcpdump
++.I smbtcpdump
+ you must have read access to
+ .I /dev/net
+ or
+@@ -86,7 +95,7 @@
+ promiscuous-mode operation using
+ .IR pfconfig (8),
+ any user may run
+-.BR tcpdump .
++.BR smbtcpdump .
+ .B Under BSD:
+ You must have read access to
+ .IR /dev/bpf* .
+@@ -122,7 +131,7 @@
+ .TP
+ .B \-i
+ Listen on \fIinterface\fP.
+-If unspecified, \fItcpdump\fP searches the system interface list for the
++If unspecified, \fIsmbtcpdump\fP searches the system interface list for the
+ lowest numbered, configured up interface (excluding loopback).
+ Ties are broken by choosing the earliest match.
+ .TP
+@@ -130,15 +139,15 @@
+ Make stdout line buffered.  Useful if you want to see the data
+ while capturing it.  E.g.,
+ .br
+-``tcpdump\ \ \-l\ \ |\ \ tee dat'' or
+-``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
++``smbtcpdump\ \ \-l\ \ |\ \ tee dat'' or
++``smbtcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
+ .TP
+ .B \-n
+ Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
+ .TP
+ .B \-N
+ Don't print domain name qualification of host names.  E.g.,
+-if you give this flag then \fItcpdump\fP will print ``nic''
++if you give this flag then \fIsmbtcpdump\fP will print ``nic''
+ instead of ``nic.ddn.mil''.
+ .TP
+ .B \-O
+@@ -430,7 +439,7 @@
+ [In the case of FDDI (e.g., `\fBfddi protocol arp\fR'), the
+ protocol identification comes from the 802.2 Logical Link Control
+ (LLC) header, which is usually layered on top of the FDDI header.
+-\fITcpdump\fP assumes, when filtering on the protocol identifier,
++\fIsmbTcpdump\fP assumes, when filtering on the protocol identifier,
+ that all FDDI packets include an LLC header, and that the LLC header
+ is in so-called SNAP format.]
+ .IP "\fBdecnet src \fIhost\fR"
+@@ -462,7 +471,7 @@
+ .in -.5i
+ where \fIp\fR is one of the above protocols.
+ Note that
+-\fItcpdump\fP does not currently know how to parse these protocols.
++\fIsmbtcpdump\fP does not currently know how to parse these protocols.
+ .IP  "\fBtcp\fR, \fBudp\fR, \fBicmp\fR"
+ Abbreviations for:
+ .in +.5i
+@@ -541,7 +550,7 @@
+ .fi
+ .in -.5i
+ .LP
+-Expression arguments can be passed to tcpdump as either a single argument
++Expression arguments can be passed to smbtcpdump as either a single argument
+ or as multiple arguments, whichever is more convenient.
+ Generally, if the expression contains Shell metacharacters, it is
+ easier to pass it as a single, quoted argument.
+@@ -551,21 +560,21 @@
+ To print all packets arriving at or departing from \fIsundown\fP:
+ .RS
+ .nf
+-\fBtcpdump host sundown\fP
++\fBsmbtcpdump host sundown\fP
+ .fi
+ .RE
+ .LP
+ To print traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR:
+ .RS
+ .nf
+-\fBtcpdump host helios and \\( hot or ace \\)\fP
++\fBsmbtcpdump host helios and \\( hot or ace \\)\fP
+ .fi
+ .RE
+ .LP
+ To print all IP packets between \fIace\fR and any host except \fIhelios\fR:
+ .RS
+ .nf
+-\fBtcpdump ip host ace and not helios\fP
++\fBsmbtcpdump ip host ace and not helios\fP
+ .fi
+ .RE
+ .LP
+@@ -573,7 +582,7 @@
+ .RS
+ .nf
+ .B
+-tcpdump net ucb-ether
++smbtcpdump net ucb-ether
+ .fi
+ .RE
+ .LP
+@@ -583,7 +592,7 @@
+ .RS
+ .nf
+ .B
+-tcpdump 'gateway snup and (port ftp or ftp-data)'
++smbtcpdump 'gateway snup and (port ftp or ftp-data)'
+ .fi
+ .RE
+ .LP
+@@ -593,7 +602,7 @@
+ .RS
+ .nf
+ .B
+-tcpdump ip and not net \fIlocalnet\fP
++smbtcpdump ip and not net \fIlocalnet\fP
+ .fi
+ .RE
+ .LP
+@@ -602,7 +611,7 @@
+ .RS
+ .nf
+ .B
+-tcpdump 'tcp[13] & 3 != 0 and not src and dst net \fIlocalnet\fP'
++smbtcpdump 'tcp[13] & 3 != 0 and not src and dst net \fIlocalnet\fP'
+ .fi
+ .RE
+ .LP
+@@ -610,7 +619,7 @@
+ .RS
+ .nf
+ .B
+-tcpdump 'gateway snup and ip[2:2] > 576'
++smbtcpdump 'gateway snup and ip[2:2] > 576'
+ .fi
+ .RE
+ .LP
+@@ -620,7 +629,7 @@
+ .RS
+ .nf
+ .B
+-tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
++smbtcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
+ .fi
+ .RE
+ .LP
+@@ -629,12 +638,12 @@
+ .RS
+ .nf
+ .B
+-tcpdump 'icmp[0] != 8 and icmp[0] != 0"
++smbtcpdump 'icmp[0] != 8 and icmp[0] != 0"
+ .fi
+ .RE
+ .SH OUTPUT FORMAT
+ .LP
+-The output of \fItcpdump\fP is protocol dependent.  The following
++The output of \fIsmbtcpdump\fP is protocol dependent.  The following
+ gives a brief description and examples of most of the formats.
+ .de HD
+ .sp 1.5
+@@ -647,7 +656,7 @@
+ On ethernets, the source and destination addresses, protocol,
+ and packet length are printed.
+ .LP
+-On FDDI networks, the  '-e' option causes \fItcpdump\fP to print
++On FDDI networks, the  '-e' option causes \fIsmbtcpdump\fP to print
+ the `frame control' field,  the source and destination addresses,
+ and the packet length.  (The `frame control' field governs the
+ interpretation of the rest of the packet.  Normal packets (such
+@@ -707,7 +716,7 @@
+ replies with its ethernet address (in this example, ethernet addresses
+ are in caps and internet addresses in lower case).
+ .LP
+-This would look less redundant if we had done \fBtcpdump \-n\fP:
++This would look less redundant if we had done \fBsmbtcpdump \-n\fP:
+ .RS
+ .nf
+ .sp .5
+@@ -716,7 +725,7 @@
+ .fi
+ .RE
+ .LP
+-If we had done \fBtcpdump \-e\fP, the fact that the first packet is
++If we had done \fBsmbtcpdump \-e\fP, the fact that the first packet is
+ broadcast and the second is point-to-point would be visible:
+ .RS
+ .nf
+@@ -734,7 +743,7 @@
+ .LP
+ \fI(N.B.:The following description assumes familiarity with
+ the TCP protocol described in RFC-793.  If you are not familiar
+-with the protocol, neither this description nor tcpdump will
++with the protocol, neither this description nor smbtcpdump will
+ be of much use to you.)\fP
+ .LP
+ The general format of a tcp protocol line is:
+@@ -794,7 +803,7 @@
+ flags were set.
+ The packet contained no data so there is no data sequence number.
+ Note that the ack sequence
+-number is a small integer (1).  The first time \fBtcpdump\fP sees a
++number is a small integer (1).  The first time \fBsmbtcpdump\fP sees a
+ tcp `conversation', it prints the sequence number from the packet.
+ On subsequent packets of the conversation, the difference between
+ the current packet's sequence number and this initial sequence number
+@@ -982,7 +991,7 @@
+ NFS traffic.
+ .LP
+ NFS reply packets do not explicitly identify the RPC operation.  Instead,
+-\fItcpdump\fP keeps track of ``recent'' requests, and matches them to the
++\fIsmbtcpdump\fP keeps track of ``recent'' requests, and matches them to the
+ replies using the transaction ID.  If a reply does not closely follow the
+ corresponding request, it might not be parsable.
+ .HD
+@@ -1170,12 +1179,13 @@
+ Steven McCanne (mccanne@ee.lbl.gov), all of the
+ Lawrence Berkeley Laboratory, University of California, Berkeley, CA.
+ .SH BUGS
+-Please send bug reports to tcpdump@ee.lbl.gov or libpcap@ee.lbl.gov.
++This is a modified version of tcpdump.  Please do not bother the tcpdump
++authors with bug reports.
+ .LP
+ NIT doesn't let you watch your own outbound traffic, BPF will.
+ We recommend that you use the latter.
+ .LP
+-\fItcpdump\fP for Ultrix requires Ultrix version 4.0 or later; the kernel
++\fIsmbtcpdump\fP for Ultrix requires Ultrix version 4.0 or later; the kernel
+ has to have been built with the \fIpacketfilter\fP pseudo-device driver
+ (see
+ .IR packetfilter (4)).
+@@ -1190,7 +1200,7 @@
+ you're monitoring a busy network.
+ .LP
+ On Sun systems prior to release 3.2, NIT is very buggy.
+-If run on an old system, tcpdump may crash the machine.
++If run on an old system, smbtcpdump may crash the machine.
+ .LP
+ Some attempt should be made to reassemble IP fragments or, at least
+ to compute the right length for the higher level protocol.
+@@ -1198,7 +1208,7 @@
+ Name server inverse queries are not dumped correctly: The (empty)
+ question section is printed rather than real query in the answer
+ section.  Some believe that inverse queries are themselves a bug and
+-prefer to fix the program generating them rather than tcpdump.
++prefer to fix the program generating them rather than smbtcpdump.
+ .LP
+ Apple Ethertalk DDP packets could be dumped as easily as KIP DDP
+ packets but aren't.
diff --git a/net/smbtcpdump/pkg-descr b/net/smbtcpdump/pkg-descr
index b860b5b897c2..952f72b1bb9d 100644
--- a/net/smbtcpdump/pkg-descr
+++ b/net/smbtcpdump/pkg-descr
@@ -4,10 +4,12 @@ of detail.
 
 To capture all SMB packets going to or from host "fred" try this:
 
-	tcpdump -i eth0 -s 1500 port 139 host fred
+	tcpdump -s 1500 'port 139 and host fred'
 
 If you want name resolution or browse packets then try ports 137 and
-138 respectively.
+138 respectively:
+
+	tcpdump -s 1500 '(port 139 or 138 or 137) and host fred'
 
 Example Output: