Ethereal-users: RE: [Ethereal-users] Filter Files
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Richard Urwin <RUrwin@xxxxxxxxxxxxxx>
Date: Thu, 20 Feb 2003 16:06:28 -0000
It looks like this: see enclosure

So the Display Filter:

smb.cmd == 0xd0

should do the trick. (You probably can not do it with capture filters.)

--
Richard Urwin, Private
"No 9000 series computer has ever made a mitsake or corrubiteddatatato."

> -----Edited Original Message-----
> From: mark.haslam@xxxxxxxx [mailto:mark.haslam@xxxxxxxx]
> But are there any resources that will allow me to capture data from Server
> Message Block Protocol or related ports.
> The reason for this is I am trying to find a way to capture any user on my
> comp LAN sending NETSend messages across the network.

Frame 563 (99 bytes on wire, 99 bytes captured)
Arrival Time: Feb 20, 2003 15:58:57.856536000
Time delta from previous packet: 0.000000000 seconds
Time relative to first packet: 36.047050000 seconds
Frame Number: 563
Packet Length: 99 bytes
Capture Length: 99 bytes
IEEE 802.3 Ethernet
Destination: 00:60:97:c8:21:fa (3Com_c8:21:fa)
Source: 00:50:da:43:d0:f4 (INANA)
Length: 85
Logical-Link Control
DSAP: NetBIOS (0xf0)
IG Bit: Individual
SSAP: NetBIOS (0xf0)
CR Bit: Command
Control field: I, N(R) = 1, N(S) = 1 (0x0202)
0000 001. .... .... = N(R) = 1
.... .... 0000 001. = N(S) = 1
.... .... .... ...0 = Information frame
NetBIOS
Length: 14 bytes
Delimiter: EFFF (NetBIOS)
Command: Data Only Last (0x16)
Flags: 0x04
.... 0... = Acknowledge: Not set
.... .1.. = Acknowledge with data: Allowed
.... ..0. = Acknowledge expected: No
Re-sync indicator: No re-sync
Transmit Correlator: 0x0000
Response Correlator: 0x0001
Remote Session No.: 0x06
Local Session No.: 0x0f
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
SMB Command: Send Single Block Message (0xd0)
Error Class: Success (0x00)
Reserved: 00
Error Code: No Error
Flags: 0x00
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
.... 0... = Case Sensitivity: Path names are case sensitive
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0x0000
0... .... .... .... = Unicode Strings: Strings are ASCII
.0.. .... .... .... = Error Code Type: Error codes are DOS error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .0.. = Security Signatures: Security signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended attributes are not supported
.... .... .... ...0 = Long Names Allowed: Long file names are not allowed in the response
Reserved: 000000000000000000000000
Tree ID: 0
Process ID: 0
User ID: 0
Multiplex ID: 0
Send Single Block Message Request (0xd0)
Word Count (WCT): 0
Byte Count (BCC): 32
Buffer Format: ASCII (4)
Originator Name: INANA
Buffer Format: ASCII (4)
Destination Name: RIMMER
Buffer Format: Data Block (1)
Message Len: 14
Message: test test test
Frame 565 (99 bytes on wire, 99 bytes captured)
Arrival Time: Feb 20, 2003 15:58:57.856946000
Time delta from previous packet: 0.000410000 seconds
Time relative to first packet: 36.047460000 seconds
Frame Number: 565
Packet Length: 99 bytes
Capture Length: 99 bytes
IEEE 802.3 Ethernet
Destination: 00:60:97:c8:21:fa (3Com_c8:21:fa)
Source: 00:50:da:43:d0:f4 (INANA)
Length: 85
Logical-Link Control
DSAP: NetBIOS (0xf0)
IG Bit: Individual
SSAP: NetBIOS (0xf0)
CR Bit: Command
Control field: I, N(R) = 2, N(S) = 2 (0x0404)
0000 010. .... .... = N(R) = 2
.... .... 0000 010. = N(S) = 2
.... .... .... ...0 = Information frame
NetBIOS
Length: 14 bytes
Delimiter: EFFF (NetBIOS)
Command: Data Only Last (0x16)
Flags: 0x00
.... 0... = Acknowledge: Not set
.... .0.. = Acknowledge with data: Not allowrd
.... ..0. = Acknowledge expected: No
Re-sync indicator: First 'DATA ONLY LAST' following 'Receive Outstanding'
Transmit Correlator: 0x0000
Response Correlator: 0x0001
Remote Session No.: 0x06
Local Session No.: 0x0f
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
SMB Command: Send Single Block Message (0xd0)
Error Class: Success (0x00)
Reserved: 00
Error Code: No Error
Flags: 0x00
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
.... 0... = Case Sensitivity: Path names are case sensitive
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0x0000
0... .... .... .... = Unicode Strings: Strings are ASCII
.0.. .... .... .... = Error Code Type: Error codes are DOS error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .0.. = Security Signatures: Security signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended attributes are not supported
.... .... .... ...0 = Long Names Allowed: Long file names are not allowed in the response
Reserved: 000000000000000000000000
Tree ID: 0
Process ID: 0
User ID: 0
Multiplex ID: 0
Send Single Block Message Request (0xd0)
Word Count (WCT): 0
Byte Count (BCC): 32
Buffer Format: ASCII (4)
Originator Name: INANA
Buffer Format: ASCII (4)
Destination Name: RIMMER
Buffer Format: Data Block (1)
Message Len: 14
Message: test test test
Frame 572 (67 bytes on wire, 67 bytes captured)
Arrival Time: Feb 20, 2003 15:58:57.906770000
Time delta from previous packet: 0.049824000 seconds
Time relative to first packet: 36.097284000 seconds
Frame Number: 572
Packet Length: 67 bytes
Capture Length: 67 bytes
IEEE 802.3 Ethernet
Destination: 00:50:da:43:d0:f4 (INANA)
Source: 00:60:97:c8:21:fa (3Com_c8:21:fa)
Length: 53
Logical-Link Control
DSAP: NetBIOS (0xf0)
IG Bit: Individual
SSAP: NetBIOS (0xf0)
CR Bit: Command
Control field: I, N(R) = 3, N(S) = 3 (0x0606)
0000 011. .... .... = N(R) = 3
.... .... 0000 011. = N(S) = 3
.... .... .... ...0 = Information frame
NetBIOS
Length: 14 bytes
Delimiter: EFFF (NetBIOS)
Command: Data Only Last (0x16)
Flags: 0x04
.... 0... = Acknowledge: Not set
.... .1.. = Acknowledge with data: Allowed
.... ..0. = Acknowledge expected: No
Re-sync indicator: No re-sync
Transmit Correlator: 0x0000
Response Correlator: 0x0001
Remote Session No.: 0x0f
Local Session No.: 0x06
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
SMB Command: Send Single Block Message (0xd0)
Error Class: Success (0x00)
Reserved: 00
Error Code: No Error
Flags: 0x00
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
.... 0... = Case Sensitivity: Path names are case sensitive
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0x0000
0... .... .... .... = Unicode Strings: Strings are ASCII
.0.. .... .... .... = Error Code Type: Error codes are DOS error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .0.. = Security Signatures: Security signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended attributes are not supported
.... .... .... ...0 = Long Names Allowed: Long file names are not allowed in the response
Reserved: 000000000000000000000000
Tree ID: 0
Process ID: 0
User ID: 0
Multiplex ID: 0
Send Single Block Message Request (0xd0)
Word Count (WCT): 0
Byte Count (BCC): 0
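
An added example, not part of the original post or of Ethereal: a small Python parser for the SMB portion of the frames in the enclosure, applying the same test as the display filter (command byte 0xd0) and pulling out the originator, destination and message text for logging. The function names are hypothetical, the input is assumed to be the SMB PDU only (the bytes after the NetBIOS header), and the sample bytes are constructed to mirror frames 563 and 572.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SEND_SINGLE_BLOCK = 0xD0      # the command value matched by smb.cmd == 0xd0
HEADER_LEN = 32               # fixed SMB header, magic through Multiplex ID

def read_ascii(buf, pos):
    """Read one Buffer Format 0x04 field: a NUL-terminated ASCII name."""
    if buf[pos:pos + 1] != b"\x04":
        raise ValueError("expected ASCII buffer format (4)")
    end = buf.index(b"\x00", pos + 1)        # ValueError if unterminated
    return buf[pos + 1:end].decode("ascii", "replace"), end + 1

def parse_send_message(smb):
    """Return (originator, destination, message) for a 0xd0 PDU carrying
    data; None for other commands or an empty (BCC 0) reply."""
    if len(smb) < HEADER_LEN + 3 or smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB PDU")
    if smb[4] != SEND_SINGLE_BLOCK:
        return None
    bcc_off = HEADER_LEN + 1 + 2 * smb[HEADER_LEN]   # skip WCT and its words
    if bcc_off + 2 > len(smb):
        raise ValueError("truncated before Byte Count")
    (bcc,) = struct.unpack_from("<H", smb, bcc_off)
    if bcc == 0:
        return None
    data = smb[bcc_off + 2:bcc_off + 2 + bcc]
    if len(data) != bcc:
        raise ValueError("Byte Count exceeds captured data")
    originator, pos = read_ascii(data, 0)
    destination, pos = read_ascii(data, pos)
    if data[pos:pos + 1] != b"\x01" or pos + 3 > len(data):
        raise ValueError("expected Data Block buffer format (1)")
    (mlen,) = struct.unpack_from("<H", data, pos + 1)
    message = data[pos + 3:pos + 3 + mlen]
    if len(message) != mlen:
        raise ValueError("Message Len exceeds Byte Count")
    return originator, destination, message.decode("ascii", "replace")

def build_pdu(command, data=b""):
    """Constructed test input: zeroed header fields, WCT 0, then BCC + data."""
    header = SMB_MAGIC + bytes([command]) + bytes(HEADER_LEN - 5)
    return header + b"\x00" + struct.pack("<H", len(data)) + data

# Constructed to mirror frame 563 (BCC 32) and frame 572 (BCC 0) above.
MSG = b"test test test"
FRAME_563 = build_pdu(SEND_SINGLE_BLOCK, b"\x04INANA\x00\x04RIMMER\x00\x01"
                      + struct.pack("<H", len(MSG)) + MSG)
FRAME_572 = build_pdu(SEND_SINGLE_BLOCK)

if __name__ == "__main__":
    print(parse_send_message(FRAME_563), parse_send_message(FRAME_572))
```

The length checks matter when the capture is truncated by a snapshot length: a Byte Count or Message Len larger than the captured bytes raises an error instead of returning a partial message.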