From fa677cfe06651e367c857d7a57b7e885d3891866 Mon Sep 17 00:00:00 2001
From: obrien
Date: Tue, 15 Sep 1998 03:06:26 +0000
Subject: Update the documentation (DESCR and manpage) a little.

---
 net/smbtcpdump/files/patch-01 | 288 ++++++++++++++++++++++++++++++++++++++++++
 net/smbtcpdump/pkg-descr | 6 +-
 2 files changed, 292 insertions(+), 2 deletions(-)
 create mode 100644 net/smbtcpdump/files/patch-01

diff --git a/net/smbtcpdump/files/patch-01 b/net/smbtcpdump/files/patch-01
new file mode 100644
index 0000000..4664794
--- /dev/null
+++ b/net/smbtcpdump/files/patch-01
@@ -0,0 +1,288 @@ +--- tcpdump.1.orig Sun Jul 14 19:45:04 1996 ++++ tcpdump.1 Mon Sep 14 20:03:37 1998 +@@ -20,12 +20,12 @@ + .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF + .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. + .\" +-.TH TCPDUMP 1 "14 July 1996" ++.TH SMBTCPDUMP 1 "14 July 1996" + .SH NAME +-tcpdump \- dump traffic on a network ++smbtcpdump \- dump traffic on a network (supports SMB related protocols) + .SH SYNOPSIS + .na +-.B tcpdump ++.B smbtcpdump + [ + .B \-deflnNOpqStvx + ] [ +@@ -65,11 +65,20 @@ + .ad + .SH DESCRIPTION + .LP +-\fITcpdump\fP prints out the headers of packets on a network interface +-that match the boolean \fIexpression\fP. ++\fIsmbTcpdump\fP prints out the headers of packets on a network interface ++that match the boolean \fIexpression\fP. The easiest way to capture ++SMB related traffic is to envoke ++.I smbtcpdump ++as: ++.in +.5i ++.nf ++\fBsmbtcpdump -s 1500 'port 139 and host foo'\fR ++.fi ++.in -.5i ++.LP + .B Under SunOS with nit or bpf: + To run +-.I tcpdump ++.I smbtcpdump + you must have read access to + .I /dev/net + or +@@ -86,7 +95,7 @@ + promiscuous-mode operation using + .IR pfconfig (8), + any user may run +-.BR tcpdump . ++.BR smbtcpdump . + .B Under BSD: + You must have read access to + .IR /dev/bpf* . +@@ -122,7 +131,7 @@ + .TP + .B \-i + Listen on \fIinterface\fP. +-If unspecified, \fItcpdump\fP searches the system interface list for the ++If unspecified, \fIsmbtcpdump\fP searches the system interface list for the + lowest numbered, configured up interface (excluding loopback). + Ties are broken by choosing the earliest match. + .TP +@@ -130,15 +139,15 @@ + Make stdout line buffered. Useful if you want to see the data + while capturing it. E.g., + .br +-``tcpdump\ \ \-l\ \ |\ \ tee dat'' or +-``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''. ++``smbtcpdump\ \ \-l\ \ |\ \ tee dat'' or ++``smbtcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''. 
+ .TP + .B \-n + Don't convert addresses (i.e., host addresses, port numbers, etc.) to names. + .TP + .B \-N + Don't print domain name qualification of host names. E.g., +-if you give this flag then \fItcpdump\fP will print ``nic'' ++if you give this flag then \fIsmbtcpdump\fP will print ``nic'' + instead of ``nic.ddn.mil''. + .TP + .B \-O +@@ -430,7 +439,7 @@ + [In the case of FDDI (e.g., `\fBfddi protocol arp\fR'), the + protocol identification comes from the 802.2 Logical Link Control + (LLC) header, which is usually layered on top of the FDDI header. +-\fITcpdump\fP assumes, when filtering on the protocol identifier, ++\fIsmbTcpdump\fP assumes, when filtering on the protocol identifier, + that all FDDI packets include an LLC header, and that the LLC header + is in so-called SNAP format.] + .IP "\fBdecnet src \fIhost\fR" +@@ -462,7 +471,7 @@ + .in -.5i + where \fIp\fR is one of the above protocols. + Note that +-\fItcpdump\fP does not currently know how to parse these protocols. ++\fIsmbtcpdump\fP does not currently know how to parse these protocols. + .IP "\fBtcp\fR, \fBudp\fR, \fBicmp\fR" + Abbreviations for: + .in +.5i +@@ -541,7 +550,7 @@ + .fi + .in -.5i + .LP +-Expression arguments can be passed to tcpdump as either a single argument ++Expression arguments can be passed to smbtcpdump as either a single argument + or as multiple arguments, whichever is more convenient. + Generally, if the expression contains Shell metacharacters, it is + easier to pass it as a single, quoted argument. 
+@@ -551,21 +560,21 @@ + To print all packets arriving at or departing from \fIsundown\fP: + .RS + .nf +-\fBtcpdump host sundown\fP ++\fBsmbtcpdump host sundown\fP + .fi + .RE + .LP + To print traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR: + .RS + .nf +-\fBtcpdump host helios and \\( hot or ace \\)\fP ++\fBsmbtcpdump host helios and \\( hot or ace \\)\fP + .fi + .RE + .LP + To print all IP packets between \fIace\fR and any host except \fIhelios\fR: + .RS + .nf +-\fBtcpdump ip host ace and not helios\fP ++\fBsmbtcpdump ip host ace and not helios\fP + .fi + .RE + .LP +@@ -573,7 +582,7 @@ + .RS + .nf + .B +-tcpdump net ucb-ether ++smbtcpdump net ucb-ether + .fi + .RE + .LP +@@ -583,7 +592,7 @@ + .RS + .nf + .B +-tcpdump 'gateway snup and (port ftp or ftp-data)' ++smbtcpdump 'gateway snup and (port ftp or ftp-data)' + .fi + .RE + .LP +@@ -593,7 +602,7 @@ + .RS + .nf + .B +-tcpdump ip and not net \fIlocalnet\fP ++smbtcpdump ip and not net \fIlocalnet\fP + .fi + .RE + .LP +@@ -602,7 +611,7 @@ + .RS + .nf + .B +-tcpdump 'tcp[13] & 3 != 0 and not src and dst net \fIlocalnet\fP' ++smbtcpdump 'tcp[13] & 3 != 0 and not src and dst net \fIlocalnet\fP' + .fi + .RE + .LP +@@ -610,7 +619,7 @@ + .RS + .nf + .B +-tcpdump 'gateway snup and ip[2:2] > 576' ++smbtcpdump 'gateway snup and ip[2:2] > 576' + .fi + .RE + .LP +@@ -620,7 +629,7 @@ + .RS + .nf + .B +-tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224' ++smbtcpdump 'ether[0] & 1 = 0 and ip[16] >= 224' + .fi + .RE + .LP +@@ -629,12 +638,12 @@ + .RS + .nf + .B +-tcpdump 'icmp[0] != 8 and icmp[0] != 0" ++smbtcpdump 'icmp[0] != 8 and icmp[0] != 0" + .fi + .RE + .SH OUTPUT FORMAT + .LP +-The output of \fItcpdump\fP is protocol dependent. The following ++The output of \fIsmbtcpdump\fP is protocol dependent. The following + gives a brief description and examples of most of the formats. + .de HD + .sp 1.5 +@@ -647,7 +656,7 @@ + On ethernets, the source and destination addresses, protocol, + and packet length are printed. 
+ .LP +-On FDDI networks, the '-e' option causes \fItcpdump\fP to print ++On FDDI networks, the '-e' option causes \fIsmbtcpdump\fP to print + the `frame control' field, the source and destination addresses, + and the packet length. (The `frame control' field governs the + interpretation of the rest of the packet. Normal packets (such +@@ -707,7 +716,7 @@ + replies with its ethernet address (in this example, ethernet addresses + are in caps and internet addresses in lower case). + .LP +-This would look less redundant if we had done \fBtcpdump \-n\fP: ++This would look less redundant if we had done \fBsmbtcpdump \-n\fP: + .RS + .nf + .sp .5 +@@ -716,7 +725,7 @@ + .fi + .RE + .LP +-If we had done \fBtcpdump \-e\fP, the fact that the first packet is ++If we had done \fBsmbtcpdump \-e\fP, the fact that the first packet is + broadcast and the second is point-to-point would be visible: + .RS + .nf +@@ -734,7 +743,7 @@ + .LP + \fI(N.B.:The following description assumes familiarity with + the TCP protocol described in RFC-793. If you are not familiar +-with the protocol, neither this description nor tcpdump will ++with the protocol, neither this description nor smbtcpdump will + be of much use to you.)\fP + .LP + The general format of a tcp protocol line is: +@@ -794,7 +803,7 @@ + flags were set. + The packet contained no data so there is no data sequence number. + Note that the ack sequence +-number is a small integer (1). The first time \fBtcpdump\fP sees a ++number is a small integer (1). The first time \fBsmbtcpdump\fP sees a + tcp `conversation', it prints the sequence number from the packet. + On subsequent packets of the conversation, the difference between + the current packet's sequence number and this initial sequence number +@@ -982,7 +991,7 @@ + NFS traffic. + .LP + NFS reply packets do not explicitly identify the RPC operation. 
Instead, +-\fItcpdump\fP keeps track of ``recent'' requests, and matches them to the ++\fIsmbtcpdump\fP keeps track of ``recent'' requests, and matches them to the + replies using the transaction ID. If a reply does not closely follow the + corresponding request, it might not be parsable. + .HD +@@ -1170,12 +1179,13 @@ + Steven McCanne (mccanne@ee.lbl.gov), all of the + Lawrence Berkeley Laboratory, University of California, Berkeley, CA. + .SH BUGS +-Please send bug reports to tcpdump@ee.lbl.gov or libpcap@ee.lbl.gov. ++This is a modified version of tcpdump. Please do not bother the tcpdump ++authors with bug reports. + .LP + NIT doesn't let you watch your own outbound traffic, BPF will. + We recommend that you use the latter. + .LP +-\fItcpdump\fP for Ultrix requires Ultrix version 4.0 or later; the kernel ++\fIsmbtcpdump\fP for Ultrix requires Ultrix version 4.0 or later; the kernel + has to have been built with the \fIpacketfilter\fP pseudo-device driver + (see + .IR packetfilter (4)). +@@ -1190,7 +1200,7 @@ + you're monitoring a busy network. + .LP + On Sun systems prior to release 3.2, NIT is very buggy. +-If run on an old system, tcpdump may crash the machine. ++If run on an old system, smbtcpdump may crash the machine. + .LP + Some attempt should be made to reassemble IP fragments or, at least + to compute the right length for the higher level protocol. +@@ -1198,7 +1208,7 @@ + Name server inverse queries are not dumped correctly: The (empty) + question section is printed rather than real query in the answer + section. Some believe that inverse queries are themselves a bug and +-prefer to fix the program generating them rather than tcpdump. ++prefer to fix the program generating them rather than smbtcpdump. + .LP + Apple Ethertalk DDP packets could be dumped as easily as KIP DDP + packets but aren't. diff --git a/net/smbtcpdump/pkg-descr b/net/smbtcpdump/pkg-descr index b860b5b..952f72b 100644 --- a/net/smbtcpdump/pkg-descr +++ b/net/smbtcpdump/pkg-descr 
@@ -4,10 +4,12 @@ of detail. To capture all SMB packets going to or from host "fred" try this: - tcpdump -i eth0 -s 1500 port 139 host fred + tcpdump -s 1500 'port 139 and host fred' If you want name resolution or browse packets then try ports 137 and -138 respectively. +138 respectively: + + tcpdump -s 1500 '(port 139 or 138 or 137) and host fred' Example Output:
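Review bot: in the patch-01 hunk at @@ -20,12 +20,12 @@ the .TH line is renamed to SMBTCPDUMP but keeps the upstream date "14 July 1996", although the +++ header shows the page was rewritten on 14 Sep 1998; bump the date so readers can tell the page was revised for this port. In the NAME line, "SMB related" should be hyphenated ("SMB-related").

Review bot: in the patch-01 hunk at @@ -65,11 +65,20 @@ the added DESCRIPTION text has "envoke" for "invoke", and "\fIsmbTcpdump\fP" (here and again in the hunk at @@ -430,7 +439,7 @@) capitalises the program name inconsistently with the lowercase "smbtcpdump" used everywhere else in this patch; the upstream "Tcpdump" was only sentence-initial capitalisation, so write "\fIsmbtcpdump\fP" in both places. The added example, smbtcpdump -s 1500 'port 139 and host foo', passes -s 1500 without saying why; one sentence explaining that a larger snaplen than the default is needed so the SMB payload, not just the headers, is captured would stop users from dropping the option. It would also help to keep this example in step with the pkg-descr example in the same commit, which covers ports 137 and 138 as well as 139.

Review bot: in the patch-01 hunk at @@ -629,12 +638,12 @@ the ICMP example line 'icmp[0] != 8 and icmp[0] != 0" has mismatched quotes (it opens with ' and closes with "); the defect is inherited from upstream, but since the line is rewritten here anyway, change the closing quote to ' so the example can be pasted into a shell as-is.

Review bot: in the patch-01 hunk at @@ -1170,12 +1179,13 @@ the new BUGS text removes the upstream bug-report addresses without saying where reports should go instead; add the port maintainer's address or the ports mailing list so users have a contact. A short pointer to what was modified (the SMB-related decoding mentioned in NAME) would make "This is a modified version of tcpdump." more useful than it is on its own.

Review bot: in the pkg-descr hunk both examples invoke tcpdump, but the manpage patch in this same commit renames the installed program to smbtcpdump; a user who copies these lines runs the stock tcpdump, which has none of the SMB decoding this port exists for. Change both to smbtcpdump -s 1500 'port 139 and host fred' and smbtcpdump -s 1500 '(port 139 or 138 or 137) and host fred'. The filter rewrite itself is right: the explicit 'and' and the single quotes around the expression (required by the parentheses in the second example) replace the old unquoted form, and dropping -i eth0 removes a Linux-only interface name that does not exist on FreeBSD.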