Ask Your Question
0

Capture filter similar to smb2.cmd==5

asked 2022-11-23 14:01:28 +0000

Is there a way to only capture packets with smb2 file create?

Ideally want to only capture file names over long period

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted
0

answered 2022-11-23 16:13:01 +0000

SYN-bit gravatar image

updated 2022-11-23 16:35:42 +0000

Capture filters are tricky, as they can only look at specific offsets. But assuming the Create Request commands always start with a new packet, you could read the length of the TCP header and then jump towards the offset where the SMB2 command is located. You can then do the same for the flag for "request" and that would give you only SMB2 pcakets with the filenames.

I used smb-export.pcap to work this out, and it seems to work:

$ tcpdump -r smb-export.pcap -w- "(tcp[((tcp[12]&0xf0)>>2)+16:2]=0x0500) and (tcp[((tcp[12]&0xf0)>>2)+20]&1=0)" | tshark -r -
reading from file smb-export.pcap, link-type EN10MB (Ethernet)
    1   0.000000 0.000000 192.168.188.129 → 192.168.147.129 0x99f0 (39408) Not set 0 SMB2 179 Create Request File: 
    2   0.028856 0.028856 192.168.188.129 → 192.168.147.129 0x99f8 (39416) Not set 0 SMB2 179 [TCP Previous segment not captured] Create Request File: 
    3   5.495787 5.466931 192.168.188.129 → 192.168.147.129 0x99fe (39422) Not set 0 SMB2 179 [TCP Previous segment not captured] Create Request File: 
    4   6.720990 1.225203 192.168.188.129 → 192.168.147.129 0x9a02 (39426) Not set 0 SMB2 250 [TCP Previous segment not captured] Create Request File: about_BeforeEach_AfterEach.help.txt
    5   7.711875 0.990885 192.168.188.129 → 192.168.147.129 0x9a0a (39434) Not set 0 SMB2 222 [TCP Previous segment not captured] Create Request File: about_Mocking.help.txt
    6   8.624995 0.913120 192.168.188.129 → 192.168.147.129 0x9a12 (39442) Not set 0 SMB2 222 [TCP Previous segment not captured] Create Request File: about_Pester.help.txt
    7   9.294061 0.669066 192.168.188.129 → 192.168.147.129 0x9a1a (39450) Not set 0 SMB2 222 [TCP Previous segment not captured] Create Request File: about_should.help.txt
    8   9.934739 0.640678 192.168.188.129 → 192.168.147.129 0x9a21 (39457) Not set 0 SMB2 226 [TCP Previous segment not captured] Create Request File: about_TestDrive.help.txt
    9  10.759080 0.824341 192.168.188.129 → 192.168.147.129 0x9a29 (39465) Not set 0 SMB2 210 [TCP Previous segment not captured] Create Request File: default.help.txt
   10  11.299844 0.540764 192.168.188.129 → 192.168.147.129 0x9a31 (39473) Not set 0 SMB2 202 [TCP Previous segment not captured] Create Request File: gmreadme.txt
   11  11.887046 0.587202 192.168.188.129 → 192.168.147.129 0x9a37 (39479) Not set 0 SMB2 218 [TCP Previous segment not captured] Create Request File: Hack_and_Detect.pdf
   12  13.032206 1.145160 192.168.188.129 → 192.168.147.129 0x9bcd (39885) Not set 0 SMB2 198 [TCP Previous segment not captured] Create Request File: Image.JPG
   13  13.705530 0.673324 192.168.188.129 → 192.168.147.129 0x9be6 (39910) Not set 0 SMB2 214 [TCP Previous segment not captured] Create Request File: LiveDomainList.txt
   14  14.464304 ...
(more)
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-11-23 14:01:28 +0000

Seen: 438 times

Last updated: Nov 23 '22