Question

我正试图在电线上安装一个过滤器,以接收所有SMB的回复,这些回复是“Error:STATUS_NO_SUCH_FILE”。我也要能够在过滤器之前 gr碎包装。例如:

No. Time        Source      Destination Proto.  Length  Info
26482   24.832997   192.168.1.62    192.168.1.4 SMB 288 Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: 1_CLIENTSCLIENTSACME INC
26483   24.833122   192.168.1.4 192.168.1.62    SMB 158 Trans2 Response, QUERY_PATH_INFO
26484   24.833232   192.168.1.62    192.168.1.4 SMB 306 Trans2 Request, FIND_FIRST2, Pattern: 1_CLIENTSCLIENTSACME INC<.AC_
26485   24.833909   192.168.1.4 192.168.1.62    SMB 126 Trans2 Response, FIND_FIRST2, Error: STATUS_NO_SUCH_FILE

The followingfil grabs the "STATUS_NO_SUCH_FILE' Packets:

((ip.src == 192.168.1.4) && (ip.dst == 192.168.1.62)) || ((ip.src == 192.168.1.62) && (ip.dst == 192.168.1.4)) && (smb.nt_status == 0xC000000F)

But I would also like to get the packet previous to that one as well so I know which file path wasn t found.

Answer 1

You can use TShark, part of the Wireshark distribution, to get an overview.
Run the following command:
$ tshark -r FS01-Test.pcap -R smb.nt_status==0xc000000f -T fields -e frame.number -e smb.nt_status -e smb.response_to -E header=y -E separator=, > smb.csv

Output:
frame.number,smb.nt_status,smb.response_to
6242,0xc000000f,6238
6247,0xc000000f,6246
6331,0xc000000f,6269
6338,0xc000000f,6336

Another example:
$ tshark -r FS01-Test.pcap -R smb.nt_status==0xc000000f -T fields -e frame.number -e smb.nt_status -e smb.response_to -e smb.search_pattern -E header=y -E separator=, > smb02.csv

Output:
frame.number,smb.nt_status,smb.response_to,smb.search_pattern
6242,0xc000000f,6238,\B\Di\folder.jpg
6247,0xc000000f,6246,\B\Di\folder.gif
6331,0xc000000f,6269,\B\Ex\folder.jpg
6338,0xc000000f,6336,\B\Ex\folder.gif

友情链接