1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
|
--- tcpdump.1.orig Mon Jun 30 16:32:09 1997
+++ tcpdump.1 Wed Jan 6 13:23:11 1999
@@ -20,12 +20,12 @@
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH TCPDUMP 1 "30 June 1997"
+.TH SMBTCPDUMP 1 "30 June 1997"
.SH NAME
-tcpdump \- dump traffic on a network
+smbtcpdump \- dump traffic on a network (supports SMB related protocols)
.SH SYNOPSIS
.na
-.B tcpdump
+.B smbtcpdump
[
.B \-adeflnNOpqStvx
] [
@@ -65,12 +65,20 @@
.ad
.SH DESCRIPTION
.LP
-\fITcpdump\fP prints out the headers of packets on a network interface
-that match the boolean \fIexpression\fP.
+\fIsmbTcpdump\fP prints out the headers of packets on a network interface
+that match the boolean \fIexpression\fP. The easiest way to capture
+SMB related traffic is to envoke
+.I smbtcpdump
+as:
+.in +.5i
+.nf
+\fBsmbtcpdump -s 1500 'port 139 and host foo'\fR
+.fi
+.in -.5i
.LP
.B Under SunOS with nit or bpf:
To run
-.I tcpdump
+.I smbtcpdump
you must have read access to
.I /dev/nit
or
@@ -88,7 +96,7 @@
Once the super-user has enabled promiscuous-mode operation using
.IR pfconfig (8),
any user may run
-.BR tcpdump .
+.BR smbtcpdump .
.B Under BSD:
You must have read access to
.IR /dev/bpf* .
@@ -127,7 +135,7 @@
.TP
.B \-i
Listen on \fIinterface\fP.
-If unspecified, \fItcpdump\fP searches the system interface list for the
+If unspecified, \fIsmbtcpdump\fP searches the system interface list for the
lowest numbered, configured up interface (excluding loopback).
Ties are broken by choosing the earliest match.
.TP
@@ -135,15 +143,15 @@
Make stdout line buffered. Useful if you want to see the data
while capturing it. E.g.,
.br
-``tcpdump\ \ \-l\ \ |\ \ tee dat'' or
-``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
+``smbtcpdump\ \ \-l\ \ |\ \ tee dat'' or
+``smbtcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
.TP
.B \-n
Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
.TP
.B \-N
Don't print domain name qualification of host names. E.g.,
-if you give this flag then \fItcpdump\fP will print ``nic''
+if you give this flag then \fIsmbtcpdump\fP will print ``nic''
instead of ``nic.ddn.mil''.
.TP
.B \-O
@@ -467,7 +475,7 @@
.in -.5i
where \fIp\fR is one of the above protocols.
Note that
-\fItcpdump\fP does not currently know how to parse these protocols.
+\fIsmbtcpdump\fP does not currently know how to parse these protocols.
.IP "\fBtcp\fR, \fBudp\fR, \fBicmp\fR"
Abbreviations for:
.in +.5i
@@ -546,7 +554,7 @@
.fi
.in -.5i
.LP
-Expression arguments can be passed to tcpdump as either a single argument
+Expression arguments can be passed to smbtcpdump as either a single argument
or as multiple arguments, whichever is more convenient.
Generally, if the expression contains Shell metacharacters, it is
easier to pass it as a single, quoted argument.
@@ -556,21 +564,21 @@
To print all packets arriving at or departing from \fIsundown\fP:
.RS
.nf
-\fBtcpdump host sundown\fP
+\fBsmbtcpdump host sundown\fP
.fi
.RE
.LP
To print traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR:
.RS
.nf
-\fBtcpdump host helios and \\( hot or ace \\)\fP
+\fBsmbtcpdump host helios and \\( hot or ace \\)\fP
.fi
.RE
.LP
To print all IP packets between \fIace\fR and any host except \fIhelios\fR:
.RS
.nf
-\fBtcpdump ip host ace and not helios\fP
+\fBsmbtcpdump ip host ace and not helios\fP
.fi
.RE
.LP
@@ -578,7 +586,7 @@
.RS
.nf
.B
-tcpdump net ucb-ether
+smbtcpdump net ucb-ether
.fi
.RE
.LP
@@ -588,7 +596,7 @@
.RS
.nf
.B
-tcpdump 'gateway snup and (port ftp or ftp-data)'
+smbtcpdump 'gateway snup and (port ftp or ftp-data)'
.fi
.RE
.LP
@@ -598,7 +606,7 @@
.RS
.nf
.B
-tcpdump ip and not net \fIlocalnet\fP
+smbtcpdump ip and not net \fIlocalnet\fP
.fi
.RE
.LP
@@ -607,7 +615,7 @@
.RS
.nf
.B
-tcpdump 'tcp[13] & 3 != 0 and not src and dst net \fIlocalnet\fP'
+smbtcpdump 'tcp[13] & 3 != 0 and not src and dst net \fIlocalnet\fP'
.fi
.RE
.LP
@@ -615,7 +623,7 @@
.RS
.nf
.B
-tcpdump 'gateway snup and ip[2:2] > 576'
+smbtcpdump 'gateway snup and ip[2:2] > 576'
.fi
.RE
.LP
@@ -625,7 +633,7 @@
.RS
.nf
.B
-tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
+smbtcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
.fi
.RE
.LP
@@ -634,12 +642,12 @@
.RS
.nf
.B
-tcpdump 'icmp[0] != 8 and icmp[0] != 0"
+smbtcpdump 'icmp[0] != 8 and icmp[0] != 0"
.fi
.RE
.SH OUTPUT FORMAT
.LP
-The output of \fItcpdump\fP is protocol dependent. The following
+The output of \fIsmbtcpdump\fP is protocol dependent. The following
gives a brief description and examples of most of the formats.
.de HD
.sp 1.5
@@ -652,7 +660,7 @@
On ethernets, the source and destination addresses, protocol,
and packet length are printed.
.LP
-On FDDI networks, the '-e' option causes \fItcpdump\fP to print
+On FDDI networks, the '-e' option causes \fIsmbtcpdump\fP to print
the `frame control' field, the source and destination addresses,
and the packet length. (The `frame control' field governs the
interpretation of the rest of the packet. Normal packets (such
@@ -712,7 +720,7 @@
replies with its ethernet address (in this example, ethernet addresses
are in caps and internet addresses in lower case).
.LP
-This would look less redundant if we had done \fBtcpdump \-n\fP:
+This would look less redundant if we had done \fBsmbtcpdump \-n\fP:
.RS
.nf
.sp .5
@@ -721,7 +729,7 @@
.fi
.RE
.LP
-If we had done \fBtcpdump \-e\fP, the fact that the first packet is
+If we had done \fBsmbtcpdump \-e\fP, the fact that the first packet is
broadcast and the second is point-to-point would be visible:
.RS
.nf
@@ -739,7 +747,7 @@
.LP
\fI(N.B.:The following description assumes familiarity with
the TCP protocol described in RFC-793. If you are not familiar
-with the protocol, neither this description nor tcpdump will
+with the protocol, neither this description nor smbtcpdump will
be of much use to you.)\fP
.LP
The general format of a tcp protocol line is:
@@ -799,7 +807,7 @@
flags were set.
The packet contained no data so there is no data sequence number.
Note that the ack sequence
-number is a small integer (1). The first time \fBtcpdump\fP sees a
+number is a small integer (1). The first time \fBsmbtcpdump\fP sees a
tcp `conversation', it prints the sequence number from the packet.
On subsequent packets of the conversation, the difference between
the current packet's sequence number and this initial sequence number
@@ -819,15 +827,15 @@
On the 8th and 9th lines,
csam sends two bytes of urgent, pushed data to rtsg.
.LP
-If the snapshot was small enough that \fBtcpdump\fP didn't capture
+If the snapshot was small enough that \fBsmbtcpdump\fP didn't capture
the full TCP header, it interprets as much of the header as it can
and then reports ``[|\fItcp\fP]'' to indicate the remainder could not
be interpreted. If the header contains a bogus option (one with a length
-that's either too small or beyond the end of the header), tcpdump reports
+that's either too small or beyond the end of the header), smbtcpdump reports
it as ``[\fIbad opt\fP]'' and does not interpret any further options (since
it's impossible to tell where they start). If the header length indicates
options are present but the IP datagram length is not long enough for the
-options to actually be there, tcpdump reports it as ``[\fIbad hdr length\fP]''.
+options to actually be there, smbtcpdump reports it as ``[\fIbad hdr length\fP]''.
.HD
.B
UDP Packets
@@ -997,7 +1005,7 @@
NFS traffic.
.LP
NFS reply packets do not explicitly identify the RPC operation. Instead,
-\fItcpdump\fP keeps track of ``recent'' requests, and matches them to the
+\fIsmbtcpdump\fP keeps track of ``recent'' requests, and matches them to the
replies using the transaction ID. If a reply does not closely follow the
corresponding request, it might not be parsable.
.HD
@@ -1178,7 +1186,7 @@
ethernet interface removed the packet from the wire and when the kernel
serviced the `new packet' interrupt.
.SH "SEE ALSO"
-traffic(1C), nit(4P), bpf(4), pcap(3)
+tcpdump(1), traffic(1C), nit(4P), bpf(4), pcap(3)
.SH AUTHORS
Van Jacobson,
Craig Leres and
@@ -1202,7 +1210,7 @@
Name server inverse queries are not dumped correctly: The (empty)
question section is printed rather than real query in the answer
section. Some believe that inverse queries are themselves a bug and
-prefer to fix the program generating them rather than tcpdump.
+prefer to fix the program generating them rather than smbtcpdump.
.LP
Apple Ethertalk DDP packets could be dumped as easily as KIP DDP
packets but aren't.
|
