Wireshark · Ethereal-users: Re: [Ethereal-users] Capture Filter SNMP & Messenger

Ethereal-users: Re: [Ethereal-users] Capture Filter SNMP & Messenger

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Al Stu" <AHStubbl@xxxxxxxxxxx>

Date: Wed, 20 Apr 2005 18:51:13 -0700

Here's the packet I need a capture filter for (to select). However the UDPsrc & dst ports change (not always the same).

No. Time Source Destination ProtocolInfo113 565.584347 61.152.158.125 My_IP_Address MessengerNetrSendMessage request


Frame 113 (383 bytes on wire, 383 bytes captured)
   Arrival Time: Apr 20, 2005 18:31:18.058242000
   Time delta from previous packet: 565.584347000 seconds
   Time since reference or first frame: 565.584347000 seconds
   Frame Number: 113
   Packet Length: 383 bytes
   Capture Length: 383 bytes
   Protocols in frame: eth:ip:udp:dcerpc
Ethernet II, Src: 00:07:0d:ae:a8:70, Dst: My_MAC
   Destination: My_MAC (My_MAC)
   Source: 00:07:0d:ae:a8:70 (00:07:0d:ae:a8:70)
   Type: IP (0x0800)

Internet Protocol, Src Addr: 61.152.158.125 (61.152.158.125), Dst Addr:My_IP_Address (My_IP_Address)

   Version: 4
   Header length: 20 bytes

Differentiated Services Field: 0x20 (DSCP 0x08: Class Selector 1; ECN:0x00)0010 00.. = Differentiated Services Codepoint: Class Selector 1(0x08)

       .... ..0. = ECN-Capable Transport (ECT): 0
       .... ...0 = ECN-CE: 0
   Total Length: 369
   Identification: 0x0000 (0)
   Flags: 0x04 (Don't Fragment)
       0... = Reserved bit: Not set
       .1.. = Don't fragment: Set
       ..0. = More fragments: Not set
   Fragment offset: 0
   Time to live: 43
   Protocol: UDP (0x11)
   Header checksum: 0xa1c4 (correct)
   Source: 61.152.158.125 (61.152.158.125)
   Destination: My_IP_Address (My_IP_Address)
User Datagram Protocol, Src Port: 51130 (51130), Dst Port: 1026 (1026)
   Source port: 51130 (51130)
   Destination port: 1026 (1026)
   Length: 349
   Checksum: 0x3124 (correct)
DCE RPC
   Version: 4
   Packet type: Request (0)
   Flags1: 0x28
       0... .... = Reserved: Not set
       .0.. .... = Broadcast: Not set
       ..1. .... = Idempotent: Set
       ...0 .... = Maybe: Not set
       .... 1... = No Fack: Set
       .... .0.. = Fragment: Not set
       .... ..0. = Last Fragment: Not set
       .... ...0 = Reserved: Not set
   Flags2: 0x00
       0... .... = Reserved: Not set
       .0.. .... = Reserved: Not set
       ..0. .... = Reserved: Not set
       ...0 .... = Reserved: Not set
       .... 0... = Reserved: Not set
       .... .0.. = Reserved: Not set
       .... ..0. = Cancel Pending: Not set
       .... ...0 = Reserved: Not set
   Data Representation: 100000
       Byte order: Little-endian (1)
       Character: ASCII (0)
       Floating-point: IEEE (0)
   Serial High: 0x00
   Object UUID: 00000000-0000-0000-0000-000000000000
   Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
   Activity: 00000000-0000-0000-0000-000000000000
   Server boot time: Unknown (0)
   Interface Ver: 1
   Sequence num: 0
   Opnum: 0
   Interface Hint: 0xffff
   Activity Hint: 0xffff
   Fragment len: 261
   Fragment num: 0
   Auth proto: None (0)
   Serial Low: 0x00
Microsoft Messenger Service, NetrSendMessage
   Operation: NetrSendMessage (0)
   Server
       Max Count: 16
       Offset: 0
       Actual Count: 16
       Server: STOP
   Client
       Max Count: 16
       Offset: 0
       Actual Count: 16
       Client: ALERT
   Message
       Max Count: 193
       Offset: 0
       Actual Count: 193

Message: ALERT:\r\n\r\nWindows has detected 15 corrupted systemfiles and 100 invalid Registry Entries. Failure to fix the problem willresult in system failure!\r\n\r\nVisit: www.fix-comp.com for Free help.\r\n

----- Original Message -----From: "Guy Harris" <gharris@xxxxxxxxx>

To: "Ethereal user support" <ethereal-users@xxxxxxxxxxxx>
Sent: Wednesday, April 20, 2005 2:27 AM
Subject: Re: [Ethereal-users] Capture Filter SNMP & Messenger

Al Stu wrote:
What is the syntax for creating an SNMP & Messenger capture filter?
For SNMP, it'd be something such as "udp port 161 or udp port 162", asthose are the ports SNMP normally uses. If the SNMP traffic is runningover UDP but on some other port, you'd have to specify those portsinstead.
For "Messenger" (whatever type of "Messenger" that is - AOL IM? Microsoft?...), if it runs over UDP, it'd be something similar, based on what UDPport it's using. For TCP, it'd be similar, except that it'd be "tcp port{whatever}".
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users

References:
- [Ethereal-users] Capture Filter SNMP & Messenger
  - From: Al Stu
- Re: [Ethereal-users] Capture Filter SNMP & Messenger
  - From: Guy Harris

Prev by Date: Re: [Ethereal-users] Compatibility Issue Device on COM1
Next by Date: [Ethereal-users] ftp-data packets problem
Previous by thread: Re: [Ethereal-users] Capture Filter SNMP & Messenger
Next by thread: [Ethereal-users] Promiscuous mode and Windows XP personal firewalls
Index(es):
- Date
- Thread