Capture filter similar to smb2.cmd==5
Is there a way to only capture packets with smb2 file create?
Ideally want to only capture file names over long period
add a comment
Capture filters are tricky, as they can only look at specific offsets. But assuming the Create Request commands always start with a new packet, you could read the length of the TCP header and then jump towards the offset where the SMB2 command is located. You can then do the same for the flag for "request" and that would give you only SMB2 pcakets with the filenames.
I used smb-export.pcap to work this out, and it seems to work:
$ tcpdump -r smb-export.pcap -w- "(tcp[((tcp[12]&0xf0)>>2)+16:2]=0x0500) and (tcp[((tcp[12]&0xf0)>>2)+20]&1=0)" | tshark -r -
reading from file smb-export.pcap, link-type EN10MB (Ethernet)
1 0.000000 0.000000 192.168.188.129 → 192.168.147.129 0x99f0 (39408) Not set 0 SMB2 179 Create Request File:
2 0.028856 0.028856 192.168.188.129 → 192.168.147.129 0x99f8 (39416) Not set 0 SMB2 179 [TCP Previous segment not captured] Create Request File:
3 5.495787 5.466931 192.168.188.129 → 192.168.147.129 0x99fe (39422) Not set 0 SMB2 179 [TCP Previous segment not captured] Create Request File:
4 6.720990 1.225203 192.168.188.129 → 192.168.147.129 0x9a02 (39426) Not set 0 SMB2 250 [TCP Previous segment not captured] Create Request File: about_BeforeEach_AfterEach.help.txt
5 7.711875 0.990885 192.168.188.129 → 192.168.147.129 0x9a0a (39434) Not set 0 SMB2 222 [TCP Previous segment not captured] Create Request File: about_Mocking.help.txt
6 8.624995 0.913120 192.168.188.129 → 192.168.147.129 0x9a12 (39442) Not set 0 SMB2 222 [TCP Previous segment not captured] Create Request File: about_Pester.help.txt
7 9.294061 0.669066 192.168.188.129 → 192.168.147.129 0x9a1a (39450) Not set 0 SMB2 222 [TCP Previous segment not captured] Create Request File: about_should.help.txt
8 9.934739 0.640678 192.168.188.129 → 192.168.147.129 0x9a21 (39457) Not set 0 SMB2 226 [TCP Previous segment not captured] Create Request File: about_TestDrive.help.txt
9 10.759080 0.824341 192.168.188.129 → 192.168.147.129 0x9a29 (39465) Not set 0 SMB2 210 [TCP Previous segment not captured] Create Request File: default.help.txt
10 11.299844 0.540764 192.168.188.129 → 192.168.147.129 0x9a31 (39473) Not set 0 SMB2 202 [TCP Previous segment not captured] Create Request File: gmreadme.txt
11 11.887046 0.587202 192.168.188.129 → 192.168.147.129 0x9a37 (39479) Not set 0 SMB2 218 [TCP Previous segment not captured] Create Request File: Hack_and_Detect.pdf
12 13.032206 1.145160 192.168.188.129 → 192.168.147.129 0x9bcd (39885) Not set 0 SMB2 198 [TCP Previous segment not captured] Create Request File: Image.JPG
13 13.705530 0.673324 192.168.188.129 → 192.168.147.129 0x9be6 (39910) Not set 0 SMB2 214 [TCP Previous segment not captured] Create Request File: LiveDomainList.txt
14 14.464304 ...Asked: 2022-11-23 14:01:28 +0000
Seen: 252 times
Last updated: Nov 23 '22
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.