--- tcpdump.1.orig Sun Jul 14 19:45:04 1996
+++ tcpdump.1 Mon Sep 14 20:03:37 1998
@@ -20,12 +20,12 @@
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH TCPDUMP 1 "14 July 1996"
+.TH SMBTCPDUMP 1 "14 July 1996"
.SH NAME
-tcpdump \- dump traffic on a network
+smbtcpdump \- dump traffic on a network (supports SMB related protocols)
.SH SYNOPSIS
.na
-.B tcpdump
+.B smbtcpdump
[
.B \-deflnNOpqStvx
] [
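Review bot: the `.TH` line is renamed to SMBTCPDUMP but keeps the original date `"14 July 1996"`, although the `+++` header shows this file was edited in September 1998; the date field of `.TH` should be updated so that `man` shows readers when the SMB variant was last revised. The new NAME line's parenthetical would also read better hyphenated, as `(supports SMB-related protocols)`.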
@@ -65,11 +65,20 @@
.ad
.SH DESCRIPTION
.LP
-\fITcpdump\fP prints out the headers of packets on a network interface
-that match the boolean \fIexpression\fP.
+\fIsmbTcpdump\fP prints out the headers of packets on a network interface
+that match the boolean \fIexpression\fP. The easiest way to capture
+SMB related traffic is to envoke
+.I smbtcpdump
+as:
+.in +.5i
+.nf
+\fBsmbtcpdump -s 1500 'port 139 and host foo'\fR
+.fi
+.in -.5i
+.LP
.B Under SunOS with nit or bpf:
To run
-.I tcpdump
+.I smbtcpdump
you must have read access to
.I /dev/net
or
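Review bot: `envoke` in the inserted paragraph is a typo for `invoke`, and `\fIsmbTcpdump\fP` capitalizes the T mid-word where every other occurrence in the page is `smbtcpdump`; both lines are new in this hunk, so fix them here. The suggested command also gives `-s 1500` with no explanation; one clause saying that the default snapshot length truncates the NetBIOS/SMB headers the decoder needs would tell readers what the flag does, and it should say plainly that with this snaplen whole frames, including SMB file data, are captured and printed, so that operators know what the resulting output contains.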
@@ -86,7 +95,7 @@
promiscuous-mode operation using
.IR pfconfig (8),
any user may run
-.BR tcpdump .
+.BR smbtcpdump .
.B Under BSD:
You must have read access to
.IR /dev/bpf* .
@@ -122,7 +131,7 @@
.TP
.B \-i
Listen on \fIinterface\fP.
-If unspecified, \fItcpdump\fP searches the system interface list for the
+If unspecified, \fIsmbtcpdump\fP searches the system interface list for the
lowest numbered, configured up interface (excluding loopback).
Ties are broken by choosing the earliest match.
.TP
@@ -130,15 +139,15 @@
Make stdout line buffered. Useful if you want to see the data
while capturing it. E.g.,
.br
-``tcpdump\ \ \-l\ \ |\ \ tee dat'' or
-``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
+``smbtcpdump\ \ \-l\ \ |\ \ tee dat'' or
+``smbtcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
.TP
.B \-n
Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
.TP
.B \-N
Don't print domain name qualification of host names. E.g.,
-if you give this flag then \fItcpdump\fP will print ``nic''
+if you give this flag then \fIsmbtcpdump\fP will print ``nic''
instead of ``nic.ddn.mil''.
.TP
.B \-O
@@ -430,7 +439,7 @@
[In the case of FDDI (e.g., `\fBfddi protocol arp\fR'), the
protocol identification comes from the 802.2 Logical Link Control
(LLC) header, which is usually layered on top of the FDDI header.
-\fITcpdump\fP assumes, when filtering on the protocol identifier,
+\fIsmbTcpdump\fP assumes, when filtering on the protocol identifier,
that all FDDI packets include an LLC header, and that the LLC header
is in so-called SNAP format.]
.IP "\fBdecnet src \fIhost\fR"
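Review bot: `\fIsmbTcpdump\fP` in the replaced line keeps the capital T from the original sentence-initial `Tcpdump`, but with the `smb` prefix the word is no longer capitalized at the start and the page otherwise spells the name `smbtcpdump`; use the lowercase form here.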
@@ -462,7 +471,7 @@
.in -.5i
where \fIp\fR is one of the above protocols.
Note that
-\fItcpdump\fP does not currently know how to parse these protocols.
+\fIsmbtcpdump\fP does not currently know how to parse these protocols.
.IP "\fBtcp\fR, \fBudp\fR, \fBicmp\fR"
Abbreviations for:
.in +.5i
@@ -541,7 +550,7 @@
.fi
.in -.5i
.LP
-Expression arguments can be passed to tcpdump as either a single argument
+Expression arguments can be passed to smbtcpdump as either a single argument
or as multiple arguments, whichever is more convenient.
Generally, if the expression contains Shell metacharacters, it is
easier to pass it as a single, quoted argument.
@@ -551,21 +560,21 @@
To print all packets arriving at or departing from \fIsundown\fP:
.RS
.nf
-\fBtcpdump host sundown\fP
+\fBsmbtcpdump host sundown\fP
.fi
.RE
.LP
To print traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR:
.RS
.nf
-\fBtcpdump host helios and \\( hot or ace \\)\fP
+\fBsmbtcpdump host helios and \\( hot or ace \\)\fP
.fi
.RE
.LP
To print all IP packets between \fIace\fR and any host except \fIhelios\fR:
.RS
.nf
-\fBtcpdump ip host ace and not helios\fP
+\fBsmbtcpdump ip host ace and not helios\fP
.fi
.RE
.LP
@@ -573,7 +582,7 @@
.RS
.nf
.B
-tcpdump net ucb-ether
+smbtcpdump net ucb-ether
.fi
.RE
.LP
@@ -583,7 +592,7 @@
.RS
.nf
.B
-tcpdump 'gateway snup and (port ftp or ftp-data)'
+smbtcpdump 'gateway snup and (port ftp or ftp-data)'
.fi
.RE
.LP
@@ -593,7 +602,7 @@
.RS
.nf
.B
-tcpdump ip and not net \fIlocalnet\fP
+smbtcpdump ip and not net \fIlocalnet\fP
.fi
.RE
.LP
@@ -602,7 +611,7 @@
.RS
.nf
.B
-tcpdump 'tcp[13] & 3 != 0 and not src and dst net \fIlocalnet\fP'
+smbtcpdump 'tcp[13] & 3 != 0 and not src and dst net \fIlocalnet\fP'
.fi
.RE
.LP
@@ -610,7 +619,7 @@
.RS
.nf
.B
-tcpdump 'gateway snup and ip[2:2] > 576'
+smbtcpdump 'gateway snup and ip[2:2] > 576'
.fi
.RE
.LP
@@ -620,7 +629,7 @@
.RS
.nf
.B
-tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
+smbtcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
.fi
.RE
.LP
@@ -629,12 +638,12 @@
.RS
.nf
.B
-tcpdump 'icmp[0] != 8 and icmp[0] != 0"
+smbtcpdump 'icmp[0] != 8 and icmp[0] != 0"
.fi
.RE
.SH OUTPUT FORMAT
.LP
-The output of \fItcpdump\fP is protocol dependent. The following
+The output of \fIsmbtcpdump\fP is protocol dependent. The following
gives a brief description and examples of most of the formats.
.de HD
.sp 1.5
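Review bot: the replaced example `smbtcpdump 'icmp[0] != 8 and icmp[0] != 0"` opens the filter expression with a single quote and closes it with a double quote, so pasted into a shell it would not run; since this hunk already rewrites the line, close it with `'` as the other examples in the section do.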
@@ -647,7 +656,7 @@
On ethernets, the source and destination addresses, protocol,
and packet length are printed.
.LP
-On FDDI networks, the '-e' option causes \fItcpdump\fP to print
+On FDDI networks, the '-e' option causes \fIsmbtcpdump\fP to print
the `frame control' field, the source and destination addresses,
and the packet length. (The `frame control' field governs the
interpretation of the rest of the packet. Normal packets (such
@@ -707,7 +716,7 @@
replies with its ethernet address (in this example, ethernet addresses
are in caps and internet addresses in lower case).
.LP
-This would look less redundant if we had done \fBtcpdump \-n\fP:
+This would look less redundant if we had done \fBsmbtcpdump \-n\fP:
.RS
.nf
.sp .5
@@ -716,7 +725,7 @@
.fi
.RE
.LP
-If we had done \fBtcpdump \-e\fP, the fact that the first packet is
+If we had done \fBsmbtcpdump \-e\fP, the fact that the first packet is
broadcast and the second is point-to-point would be visible:
.RS
.nf
@@ -734,7 +743,7 @@
.LP
\fI(N.B.:The following description assumes familiarity with
the TCP protocol described in RFC-793. If you are not familiar
-with the protocol, neither this description nor tcpdump will
+with the protocol, neither this description nor smbtcpdump will
be of much use to you.)\fP
.LP
The general format of a tcp protocol line is:
@@ -794,7 +803,7 @@
flags were set.
The packet contained no data so there is no data sequence number.
Note that the ack sequence
-number is a small integer (1). The first time \fBtcpdump\fP sees a
+number is a small integer (1). The first time \fBsmbtcpdump\fP sees a
tcp `conversation', it prints the sequence number from the packet.
On subsequent packets of the conversation, the difference between
the current packet's sequence number and this initial sequence number
@@ -982,7 +991,7 @@
NFS traffic.
.LP
NFS reply packets do not explicitly identify the RPC operation. Instead,
-\fItcpdump\fP keeps track of ``recent'' requests, and matches them to the
+\fIsmbtcpdump\fP keeps track of ``recent'' requests, and matches them to the
replies using the transaction ID. If a reply does not closely follow the
corresponding request, it might not be parsable.
.HD
@@ -1170,12 +1179,13 @@
Steven McCanne (mccanne@ee.lbl.gov), all of the
Lawrence Berkeley Laboratory, University of California, Berkeley, CA.
.SH BUGS
-Please send bug reports to tcpdump@ee.lbl.gov or libpcap@ee.lbl.gov.
+This is a modified version of tcpdump. Please do not bother the tcpdump
+authors with bug reports.
.LP
NIT doesn't let you watch your own outbound traffic, BPF will.
We recommend that you use the latter.
.LP
-\fItcpdump\fP for Ultrix requires Ultrix version 4.0 or later; the kernel
+\fIsmbtcpdump\fP for Ultrix requires Ultrix version 4.0 or later; the kernel
has to have been built with the \fIpacketfilter\fP pseudo-device driver
(see
.IR packetfilter (4)).
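Review bot: the new BUGS text drops the `tcpdump@ee.lbl.gov` and `libpcap@ee.lbl.gov` addresses and tells readers not to contact the tcpdump authors, but names no address for the modified version, so a BUGS section now gives reports nowhere to go. Add the maintainer or project contact for smbtcpdump, and consider stating in the AUTHORS text left unchanged just above who made the SMB modifications, so that credit and bug reports are attributed correctly.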
@@ -1190,7 +1200,7 @@
you're monitoring a busy network.
.LP
On Sun systems prior to release 3.2, NIT is very buggy.
-If run on an old system, tcpdump may crash the machine.
+If run on an old system, smbtcpdump may crash the machine.
.LP
Some attempt should be made to reassemble IP fragments or, at least
to compute the right length for the higher level protocol.
@@ -1198,7 +1208,7 @@
Name server inverse queries are not dumped correctly: The (empty)
question section is printed rather than real query in the answer
section. Some believe that inverse queries are themselves a bug and
-prefer to fix the program generating them rather than tcpdump.
+prefer to fix the program generating them rather than smbtcpdump.
.LP
Apple Ethertalk DDP packets could be dumped as easily as KIP DDP
packets but aren't.