[Winpcap-users] windump / tcpdump question (offtopic)

Ian winpcap at zestysoft.com
Wed Jul 2 21:01:38 GMT 2008


I just discovered Tshark which does exactly what I need.  Thanks anyway!


On Wed, 02 Jul 2008 13:45:13 -0700, Ian <winpcap at zestysoft.com> wrote:
> Hey guys, I need to apologize for asking this question here since I know
> this is just the winpcap lib users group and wouldn't normally deal with
> questions from applications that use the lib, but I thought I'd ask in the
> slight chance that someone could help point me in the right direction as I
> wasn't able to find a users mailing list for either windump or tcpdump.
> 
> I think my question is an easy one...  decoding SMB traffic on port 445.
> I'm able to capture traffic on port 445 and save it to disk using a
> command
> like this:
> 
> windump -i2 -s 0 -w output.dmp port 225
> 
> if I later attempt to decode it using a command like this:
> 
> windump -r output.dmp -vv
> 
> I'm only seeing the standard IP header information:
> 
> 12:57:24.392407 IP (tos 0x0, ttl 128, id 58636, offset 0, flags [DF], proto
> TCP (6), length 40) x.x.x.x.1085 > x.x.x.x.445: ., cksum 0x6a37 (correct),
> 5166:5166(0) ack 5566 win 64198
> 
> 
> Yet if I open up the same dump file in ethereal / wireshark it correctly
> decodes the traffic.  Is there a way to force tcpdump / windump into
> decoding the information in the dump file or does ethereal / wireshark
> simply have more functionality at its disposal to decode packets?  If
> that's true, is there a way to call wireshark or ethereal from the cli?
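Added example, not code from this thread or from the windump/tcpdump projects: a small Python pcap walker that does offline what the poster wanted from the dump file, namely picks out the port-445 segments and reports which ones actually carry an SMB header (SMB1 `\xffSMB` or SMB2/3 `\xfeSMB` after the 4-byte NetBIOS session prefix) and which are empty ACKs like the `5166:5166(0)` line in the quoted output, where there is no application data to decode. The capture is constructed in memory; the addresses, ports and frame-builder helpers are assumptions.

```python
import struct

SMB_MAGIC = {b"\xffSMB": "SMB1", b"\xfeSMB": "SMB2/3"}  # signatures after the 4-byte NetBIOS length

def tcp_frame(sport, dport, payload, flags=0x10):
    """Constructed Ethernet/IPv4/TCP frame (checksums zeroed; fine for offline parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     128, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # assumed addresses
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Serialize frames into a little-endian pcap file image, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1215000000 + i, 0, len(f), len(f)) + f
    return out

def iter_tcp(pcap):
    """Yield (sport, dport, payload) for every TCP-over-IPv4 record in a pcap image."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 + TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:14 + struct.unpack("!H", frame[16:18])[0]]
        yield struct.unpack("!HH", tcp[:4]) + (tcp[(tcp[12] >> 4) * 4:],)

def smb_segments(pcap, port=445):
    """Classify each segment on `port`: SMB dialect, 'empty' (pure ACK, nothing to decode) or 'unknown'."""
    out = []
    for sport, dport, data in iter_tcp(pcap):
        if port not in (sport, dport):
            continue
        if not data:
            out.append((sport, dport, "empty"))
        elif data[0] == 0 and data[4:8] in SMB_MAGIC:  # NetBIOS session header, then SMB header
            out.append((sport, dport, SMB_MAGIC[data[4:8]]))
        else:
            out.append((sport, dport, "unknown"))
    return out

# Constructed sample: one SMB2 message, one pure ACK like the one in the post, one unrelated HTTP segment.
SMB2_MSG = b"\x00\x00\x00\x40" + b"\xfeSMB" + b"\x40\x00" + b"\x00" * 58
SAMPLE = build_pcap([tcp_frame(1085, 445, SMB2_MSG), tcp_frame(445, 1085, b""),
                     tcp_frame(2000, 80, b"GET / HTTP/1.0\r\n")])

if __name__ == "__main__":
    for row in smb_segments(SAMPLE):
        print(row)  # (1085, 445, 'SMB2/3') then (445, 1085, 'empty')
```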
