Revision history

initial version

Capture filters are tricky, as they can only look at specific offsets. But assuming the Create Request commands always start with a new packet, you could read the length of the TCP header and then jump towards the offset where the SMB2 command number is located. You can then do the same for the flag for "request" and that would give you only SMB2 packets with the filenames.

I used smb-export.pcap to work this out, and it seems to work:

$ tcpdump -r smb-export.pcap -w- "(tcp[((tcp[12]&0xf0)>>2)+16:2]=0x0500) and (tcp[((tcp[12]&0xf0)>>2)+20]&1=0)" | tshark -r -
reading from file smb-export.pcap, link-type EN10MB (Ethernet)
    1   0.000000 0.000000 192.168.188.129 → 192.168.147.129 0x99f0 (39408) Not set 0 SMB2 179 Create Request File: 
    2   0.028856 0.028856 192.168.188.129 → 192.168.147.129 0x99f8 (39416) Not set 0 SMB2 179 [TCP Previous segment not captured] Create Request File: 
    3   5.495787 5.466931 192.168.188.129 → 192.168.147.129 0x99fe (39422) Not set 0 SMB2 179 [TCP Previous segment not captured] Create Request File: 
    4   6.720990 1.225203 192.168.188.129 → 192.168.147.129 0x9a02 (39426) Not set 0 SMB2 250 [TCP Previous segment not captured] Create Request File: about_BeforeEach_AfterEach.help.txt
    5   7.711875 0.990885 192.168.188.129 → 192.168.147.129 0x9a0a (39434) Not set 0 SMB2 222 [TCP Previous segment not captured] Create Request File: about_Mocking.help.txt
    6   8.624995 0.913120 192.168.188.129 → 192.168.147.129 0x9a12 (39442) Not set 0 SMB2 222 [TCP Previous segment not captured] Create Request File: about_Pester.help.txt
    7   9.294061 0.669066 192.168.188.129 → 192.168.147.129 0x9a1a (39450) Not set 0 SMB2 222 [TCP Previous segment not captured] Create Request File: about_should.help.txt
    8   9.934739 0.640678 192.168.188.129 → 192.168.147.129 0x9a21 (39457) Not set 0 SMB2 226 [TCP Previous segment not captured] Create Request File: about_TestDrive.help.txt
    9  10.759080 0.824341 192.168.188.129 → 192.168.147.129 0x9a29 (39465) Not set 0 SMB2 210 [TCP Previous segment not captured] Create Request File: default.help.txt
   10  11.299844 0.540764 192.168.188.129 → 192.168.147.129 0x9a31 (39473) Not set 0 SMB2 202 [TCP Previous segment not captured] Create Request File: gmreadme.txt
   11  11.887046 0.587202 192.168.188.129 → 192.168.147.129 0x9a37 (39479) Not set 0 SMB2 218 [TCP Previous segment not captured] Create Request File: Hack_and_Detect.pdf
   12  13.032206 1.145160 192.168.188.129 → 192.168.147.129 0x9bcd (39885) Not set 0 SMB2 198 [TCP Previous segment not captured] Create Request File: Image.JPG
   13  13.705530 0.673324 192.168.188.129 → 192.168.147.129 0x9be6 (39910) Not set 0 SMB2 214 [TCP Previous segment not captured] Create Request File: LiveDomainList.txt
   14  14.464304 0.758774 192.168.188.129 → 192.168.147.129 0x9bee (39918) Not set 0 SMB2 234 [TCP Previous segment not captured] Create Request File: TableTextServiceAmharic.txt
   15  15.096252 0.631948 192.168.188.129 → 192.168.147.129 0x9bf6 (39926) Not set 0 SMB2 230 [TCP Previous segment not captured] Create Request File: TableTextServiceArray.txt
   16  15.870941 0.774689 192.168.188.129 → 192.168.147.129 0x9c23 (39971) Not set 0 SMB2 226 [TCP Previous segment not captured] Create Request File: TableTextServiceDaYi.txt
   17  16.458096 0.587155 192.168.188.129 → 192.168.147.129 0x9c44 (40004) Not set 0 SMB2 234 [TCP Previous segment not captured] Create Request File: TableTextServiceTigrinya.txt
   18  17.032058 0.573962 192.168.188.129 → 192.168.147.129 0x9c4c (40012) Not set 0 SMB2 222 [TCP Previous segment not captured] Create Request File: TableTextServiceYi.txt
   19  17.607217 0.575159 192.168.188.129 → 192.168.147.129 0x9c55 (40021) Not set 0 SMB2 194 [TCP Previous segment not captured] Create Request File: Test.txt
   20  18.103984 0.496767 192.168.188.129 → 192.168.147.129 0x9c5d (40029) Not set 0 SMB2 222 [TCP Previous segment not captured] Create Request File: ThirdPartyNotices.txt
   21  18.638410 0.534426 192.168.188.129 → 192.168.147.129 0x9c65 (40037) Not set 0 SMB2 218 [TCP Previous segment not captured] Create Request File: WindowsCodecsRaw.txt
   22  23.822781 5.184371 192.168.188.129 → 192.168.147.129 0x9c72 (40050) Not set 0 SMB2 194 [TCP Previous segment not captured] Create Request File: ncat.exe
   23  23.922755 0.099974 192.168.188.129 → 192.168.147.129 0xa05c (41052) Not set 0 NBSS 21954 [TCP Previous segment not captured] NBSS Continuation Message
$

The capture filter I came up with is (tcp[((tcp[12]&0xf0)>>2)+16:2]=0x0500) and (tcp[((tcp[12]&0xf0)>>2)+20]&1=0) where ((tcp[12]&0xf0)>>2) is retrieving the TCP header length, which can differ in length depending on the connection.

This filter might need to be adjusted for your use case (like when VLAN tags are in use, etc.).
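To see exactly what the byte arithmetic in that filter does, here is an added example (my code, not part of the answer above) that re-implements the same test in Python over constructed TCP segments, so the offsets can be checked without a capture file. It assumes the layout the answer relies on: the TCP payload starts with the 4-byte NBSS length prefix followed by the 64-byte SMB2 header, where Command is at +12 and Flags at +16 (MS-SMB2 2.2.1). The ports, sequence numbers and body bytes in the samples are placeholders, and the "strict" variant, which additionally checks the 0xFE 'S' 'M' 'B' ProtocolId, is my own extension of the filter rather than something the answer proposes.

```python
import struct

# Layout assumed by the filter in the answer, counted from the start of the TCP segment:
#   [TCP header, hl bytes][4-byte NBSS length prefix][64-byte SMB2 header][command body]
# In the SMB2 header (MS-SMB2 2.2.1) ProtocolId is at +0, Command at +12 and Flags at +16,
# so Command sits at hl+16 and the low byte of Flags at hl+20.
NBSS_LEN = 4
SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_CMD_CREATE = 0x0005          # little-endian on the wire, i.e. bytes 05 00
SMB2_FLAGS_SERVER_TO_REDIR = 0x1  # set on responses, clear on requests


def tcp_header_len(segment: bytes) -> int:
    """Mirror of (tcp[12]&0xf0)>>2: the data-offset nibble counts 32-bit words, so >>4 then *4."""
    return (segment[12] & 0xF0) >> 2


def is_smb2_create_request(segment: bytes) -> bool:
    """Python equivalent of (tcp[hl+16:2]=0x0500) and (tcp[hl+20]&1=0)."""
    hl = tcp_header_len(segment)
    if len(segment) < hl + 21:
        return False                       # BPF also fails to match a segment this short
    # BPF compares multi-byte loads big-endian, which is why little-endian 05 00 reads as 0x0500.
    command_be = struct.unpack_from(">H", segment, hl + 16)[0]
    flags_low = segment[hl + 20]
    return command_be == 0x0500 and (flags_low & SMB2_FLAGS_SERVER_TO_REDIR) == 0


def is_smb2_create_request_strict(segment: bytes) -> bool:
    """Same test plus a ProtocolId check, so a payload that merely has 05 00 at hl+16 is rejected."""
    hl = tcp_header_len(segment)
    has_smb2_magic = segment[hl + NBSS_LEN:hl + NBSS_LEN + 4] == SMB2_PROTOCOL_ID
    return has_smb2_magic and is_smb2_create_request(segment)


def capture_filter(strict: bool = False) -> str:
    """The tcpdump expression from the answer; strict=True prepends a ProtocolId test (my addition)."""
    hl = "((tcp[12]&0xf0)>>2)"
    expr = f"(tcp[{hl}+16:2]=0x0500) and (tcp[{hl}+20]&1=0)"
    if strict:
        expr = f"(tcp[{hl}+4:4]=0xfe534d42) and " + expr   # 0xfe534d42 is b"\xfeSMB" read big-endian
    return expr


def build_segment(tcp_opts: bytes, command: int, flags: int,
                  protocol_id: bytes = SMB2_PROTOCOL_ID) -> bytes:
    """Constructed test segment: TCP header (+ options), NBSS prefix, SMB2 header, dummy body.
    Ports, sequence numbers and the body are placeholders; only the bytes the filter reads matter."""
    assert len(tcp_opts) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset_words = (20 + len(tcp_opts)) // 4
    tcp_hdr = struct.pack(">HHIIBBHHH", 40000, 445, 1, 1,
                          data_offset_words << 4, 0x18, 8192, 0, 0) + tcp_opts
    smb2_hdr = bytearray(64)
    smb2_hdr[0:4] = protocol_id
    struct.pack_into("<H", smb2_hdr, 4, 64)        # StructureSize
    struct.pack_into("<H", smb2_hdr, 12, command)  # Command (little-endian)
    struct.pack_into("<I", smb2_hdr, 16, flags)    # Flags (little-endian)
    body = bytes(smb2_hdr) + b"\x00" * 57          # stand-in for the CREATE request structure
    nbss = struct.pack(">I", len(body))            # NBSS: type byte 0 + 24-bit length
    return tcp_hdr + nbss + body


# Constructed samples (not taken from smb-export.pcap)
SAMPLE_CREATE_REQ = build_segment(b"", SMB2_CMD_CREATE, 0)
SAMPLE_CREATE_REQ_TS = build_segment(b"\x01\x01\x08\x0a" + b"\x00" * 8, SMB2_CMD_CREATE, 0)  # 32-byte TCP header
SAMPLE_CREATE_RESP = build_segment(b"", SMB2_CMD_CREATE, SMB2_FLAGS_SERVER_TO_REDIR)
SAMPLE_READ_REQ = build_segment(b"", 0x0008, 0)
SAMPLE_LOOKALIKE = build_segment(b"", SMB2_CMD_CREATE, 0, protocol_id=b"\xffSMB")  # SMB1 magic, same bytes at hl+16


if __name__ == "__main__":
    print("filter:", capture_filter())
    print("strict:", capture_filter(strict=True))
    for name, seg in [("create request / 20-byte hdr", SAMPLE_CREATE_REQ),
                      ("create request / 32-byte hdr", SAMPLE_CREATE_REQ_TS),
                      ("create response", SAMPLE_CREATE_RESP),
                      ("read request", SAMPLE_READ_REQ),
                      ("look-alike, not SMB2", SAMPLE_LOOKALIKE)]:
        print(f"{name:30s} hl={tcp_header_len(seg):2d} "
              f"loose={is_smb2_create_request(seg)} strict={is_smb2_create_request_strict(seg)}")
```

The loose check is exactly what the capture filter evaluates, so it also inherits the filter's assumption that the SMB2 header begins at the first payload byte of the segment; a CREATE that follows other data in the same segment, or that is split across segments, is not matched. Because only matching segments are written out, tshark then reports "[TCP Previous segment not captured]" on the filtered file, as in the listing above.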