Ethereal-users: Re: [Ethereal-users] Filter Files

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 21 Feb 2003 13:28:45 -0800

On Thu, Feb 20, 2003 at 04:06:28PM -0000, Richard Urwin wrote:
> So the Display Filter: smb.cmd == 0xd0
> should do the trick.
> (You probably can not do it with capture filters.)

Not easily, anyway, and probably not reliably.

You can use the capture filter in my previous message to capture only
NetBIOS-over-TCP and CIFS-over-TCP traffic, and then filter the
resulting traffic looking for Send Message SMBs.

For NetBIOS-over-NBF (which is what you have in your capture), libpcap
0.7 and later let you use a capture filter of "netbeui" to capture that
traffic (unfortunately, WinPcap 2.3 is based on 0.6.2, which didn't
support "netbeui", but the 3.0 beta is based on current CVS and should
support it).
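
An added illustration, not part of the original message: a capture filter tests each packet on its own, so a Send Message SMB (command 0xd0) that does not begin at the start of a TCP payload escapes a fixed-offset test, while walking the reassembled NetBIOS session framing finds it. The function names and the sample stream are constructed for this example.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SEND_MESSAGE = 0xD0  # command byte matched by the display filter smb.cmd == 0xd0

def nbss_frame(smb):
    """Prefix an SMB with a NetBIOS session message header (type 0x00, 17-bit length)."""
    n = len(smb)
    return bytes([0x00, (n >> 16) & 0x01]) + struct.pack(">H", n & 0xFFFF) + smb

def smb_stub(cmd, body_len):
    """Constructed SMB: 32-byte header (magic, command, zero fill) plus a zero body."""
    return SMB_MAGIC + bytes([cmd]) + bytes(27) + bytes(body_len)

def per_segment_match(segments, cmd=SEND_MESSAGE):
    """Fixed-offset test on each TCP payload, as a per-packet capture filter would do."""
    want = SMB_MAGIC + bytes([cmd])
    return [i for i, p in enumerate(segments) if p[4:9] == want]

def stream_match(segments, cmd=SEND_MESSAGE):
    """Reassemble the payloads, walk the session framing, return matching message indexes."""
    stream = b"".join(segments)
    want = SMB_MAGIC + bytes([cmd])
    hits, off, idx = [], 0, 0
    while off + 4 <= len(stream):
        length = ((stream[off + 1] & 0x01) << 16) | struct.unpack(">H", stream[off + 2:off + 4])[0]
        body = stream[off + 4:off + 4 + length]
        if len(body) < length:
            break  # message continues in a segment we do not have yet
        if stream[off] == 0x00 and body[:5] == want:
            hits.append(idx)
        off += 4 + length
        idx += 1
    return hits

# Constructed sample: a Session Setup AndX (0x73) followed by a Send Message (0xd0).
STREAM = nbss_frame(smb_stub(0x73, 10)) + nbss_frame(smb_stub(SEND_MESSAGE, 20))
ALIGNED = [STREAM[:46], STREAM[46:]]    # second message starts its own segment
UNALIGNED = [STREAM[:60], STREAM[60:]]  # second message starts mid-segment

if __name__ == "__main__":
    print("aligned:   per-segment", per_segment_match(ALIGNED), "stream", stream_match(ALIGNED))
    print("unaligned: per-segment", per_segment_match(UNALIGNED), "stream", stream_match(UNALIGNED))
```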