<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I think what you are looking for is tshark, man page is found here:
<a class="moz-txt-link-freetext" href="http://www.wireshark.org/docs/man-pages/tshark.html">http://www.wireshark.org/docs/man-pages/tshark.html</a><br>
<div class="moz-signature"><br>
--<br>
Dustin Johnson<br>
<b>CACE Technologies</b><br>
Tel: 530-758-2790 x109<br>
Fax: 530-758-2781<br>
<a href="http://www.cacetech.com">www.cacetech.com</a></div>
<br>
<br>
Ian wrote:
<blockquote cite="mid:4293397512c01232e33df4590765f016@127.0.0.1"
type="cite">
<pre wrap="">Hey guys, I need to apologize for asking this question here since I know
this is just the winpcap lib users group and wouldn't normally deal with
questions from applications that use the lib, but I thought I'd ask in the
slight chance that someone could help point me in the right direction as I
wasn't able to find a users malling list for either windump or tcpdump.
I think my question is a easy one... decoding SMB traffic on port 445.
I'm able to capture traffic on port 445 and save it to disk using a command
like this:
windump -i2 -s 0 -w output.dmp port 225
if I later attempt to decode it using a command like this:
windump -r output.dmp -vv
I'm only seeing the standard IP header information:
12:57:24.392407 IP (tos 0x0, ttl 128, id 58636, offset 0, flags [DF], proto
TCP (6), length 40) x.x.x.x.1085 > x.x.x.x.445: ., cksum 0x6a37 (correct),
5166:5166(0) ack 5566 win 64198
Yet if I open up the same dump file in ethereal / wireshark it correctly
decodes the traffic. Is there a way to force tcpdump / windump into
decoding the information in the dump file or does ethereal / wireshark
simply have more functionality at its' disposal to decode packets? If
that's true, is there a way to call wireshark or ethereal from the cli?
_______________________________________________
Winpcap-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org</a>
<a class="moz-txt-link-freetext" href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a>
</pre>
</blockquote>
</body>
</html>