readme.smb

This directory contains source code for tcpdump, a tool for network monitoring and data acquisition

This is set of patches to tcpdump-3.2.1 that gives it the ability to
interpret NBT and SMB packets in a fair bit of detail.

Please send any feedback to Andrew.Tridgell@anu.edu.au

Usage:

To capture all SMB packets going to or from host "fred" try this:

tcpdump -i eth0 -s 1500 port 139 host fred

If you want name resolution or browse packets then try ports 137 and
138 respectively.

change log:
       0.2: added name server and browse stuff
       0.3: added IPX and Netbeui support

Example Output:

Here is a sample of a capture of a "SMBsearch" directory search. If
you don't get output that looks like this then you have patched
tcpdump incorrectly.

NBT Session Packet
Flags=0x0
Length=57

SMB PACKET: SMBsearch (REQUEST)
SMB Command   =  0x81
Error class   =  0x0
Error code    =  0
Flags1        =  0x8
Flags2        =  0x3
Tree ID       =  2048
Proc ID       =  11787
UID           =  2048
MID           =  11887
Word Count    =  2
smbvwv[]=
Count=98
Attrib=HIDDEN SYSTEM DIR
smbbuf[]=
Path=\????????.???
BlkType=0x5
BlkLen=0