nfdump -O packets -R cases/ -A srcip,dstip 'proto tcp and src ip 8.8.8.8 and flags S and not flags AFRPU'
nfdump -O packets -A dstip -t '5-5' -R cases/ -o 'fmt:%da %pkt %fl %bpp' 'proto tcp and src ip 8.8.8.8 and flags S and not flags AFRPU and (dst ip 4.4.4.4 or dst ip 3.3.3.3 or dst ip 2.2.2.2)'

All SMB sessions are uniquely identified by the Multiplex ID (MID), so client and server can pair response packets with their requests.
SMB flow direction is based on port number (>1024 is the client side).
When authentication is successful a User ID (UID) is added, which is only valid during the same SMB session.
The server checks the tree connect; if successful, a Tree ID (TID) is added.
If a client is permitted access to a file, the server returns a File ID (FID). This value should not be used to track file access; instead use the NT Create AndX requests:
smb.cmd == 0xa2 and !smb.fid and smb.file
Wireshark -> File -> Export Objects -> SMB/SMB2

tshark -n -r /cases/*pcap -Y ' = 1' -T fields -e ip.src -e -e > /cases/ssl_ciphersuites_by_ip.txt
cat /cases/ssl_ciphersuites_by_ip.txt | awk '' | sort | uniq -c | sort -nr
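The SMB notes above (MID pairing, UID/TID assignment, and why NT Create AndX requests rather than FIDs are the thing to track) as an added worked example. This is not code from the original page: it parses the fixed 32-byte SMB1 header with Python's struct module, pairs requests with responses on (PID, MID), pulls the UID and TID the server hands out on the Session Setup and Tree Connect responses, and selects the NT Create AndX requests the way the Wireshark filter does. The packet bytes are constructed inline (bare headers, no parameter or data blocks); the PID, UID and TID values are arbitrary assumptions.

```python
import struct
from dataclasses import dataclass

# SMB1 (CIFS) header: 32 bytes, little-endian.
# protocol[4] cmd[1] status[4] flags[1] flags2[2] pid_high[2] sig[8]
# reserved[2] tid[2] pid_low[2] uid[2] mid[2]
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB_FLAGS_REPLY = 0x80          # set by the server on every response

SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_COM_NT_CREATE_ANDX = 0xA2   # "smb.cmd == 0xa2" in Wireshark


@dataclass(frozen=True)
class SmbHeader:
    command: int
    status: int
    is_reply: bool
    tid: int
    pid: int
    uid: int
    mid: int


def parse_smb1_header(data: bytes) -> SmbHeader:
    (proto, cmd, status, flags, _flags2, pid_high, _sig, _res,
     tid, pid_low, uid, mid) = SMB1_HEADER.unpack_from(data)
    if proto != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    return SmbHeader(cmd, status, bool(flags & SMB_FLAGS_REPLY),
                     tid, (pid_high << 16) | pid_low, uid, mid)


def build_smb1_header(cmd, *, reply=False, status=0, tid=0, pid=0, uid=0, mid=0):
    """Constructed test data only: pack a bare 32-byte SMB1 header."""
    flags = SMB_FLAGS_REPLY if reply else 0
    return SMB1_HEADER.pack(b"\xffSMB", cmd, status, flags, 0,
                            (pid >> 16) & 0xFFFF, b"\0" * 8, 0,
                            tid, pid & 0xFFFF, uid, mid)


def pair_by_mid(packets):
    """Pair each response with its request on (PID, MID).  The MID is what
    lets client and server match an answer to an outstanding request; the
    PID distinguishes concurrent client processes reusing the same MID."""
    pending, pairs, orphans = {}, [], []
    for hdr in map(parse_smb1_header, packets):
        key = (hdr.pid, hdr.mid)
        if not hdr.is_reply:
            pending[key] = hdr
            continue
        req = pending.pop(key, None)
        (pairs if req else orphans).append((req, hdr))
    # Requests that never got an answer are worth flagging as well.
    orphans.extend((req, None) for req in pending.values())
    return pairs, orphans


def session_ids(pairs):
    """Extract the IDs the server hands out: UID on a successful Session
    Setup response (valid only for this SMB session) and TID on a
    successful Tree Connect response.  Later requests carry both."""
    ids = {"uid": None, "tid": None}
    for req, resp in pairs:
        if req.command == SMB_COM_SESSION_SETUP_ANDX and resp.status == 0:
            ids["uid"] = resp.uid
        elif req.command == SMB_COM_TREE_CONNECT_ANDX and resp.status == 0:
            ids["tid"] = resp.tid
    return ids


def nt_create_requests(packets):
    """Analogue of 'smb.cmd == 0xa2 and !smb.fid': NT Create AndX requests.
    The request carries no FID yet; the file name is in its data block."""
    return [h for h in map(parse_smb1_header, packets)
            if h.command == SMB_COM_NT_CREATE_ANDX and not h.is_reply]


# Constructed exchange (not a real capture): negotiate, session setup,
# tree connect, then two NT Create AndX requests, the second of which fails.
PID = 0x0000FEFF  # assumed client PID
SAMPLE_PACKETS = [
    build_smb1_header(SMB_COM_NEGOTIATE, pid=PID, mid=1),
    build_smb1_header(SMB_COM_NEGOTIATE, reply=True, pid=PID, mid=1),
    build_smb1_header(SMB_COM_SESSION_SETUP_ANDX, pid=PID, mid=2),
    build_smb1_header(SMB_COM_SESSION_SETUP_ANDX, reply=True, pid=PID, mid=2, uid=0x0801),
    build_smb1_header(SMB_COM_TREE_CONNECT_ANDX, pid=PID, mid=3, uid=0x0801),
    build_smb1_header(SMB_COM_TREE_CONNECT_ANDX, reply=True, pid=PID, mid=3, uid=0x0801, tid=0x0802),
    build_smb1_header(SMB_COM_NT_CREATE_ANDX, pid=PID, mid=4, uid=0x0801, tid=0x0802),
    build_smb1_header(SMB_COM_NT_CREATE_ANDX, reply=True, pid=PID, mid=4, uid=0x0801, tid=0x0802),
    build_smb1_header(SMB_COM_NT_CREATE_ANDX, pid=PID, mid=5, uid=0x0801, tid=0x0802),
    # STATUS_OBJECT_NAME_NOT_FOUND: the create was refused, so no FID is issued.
    build_smb1_header(SMB_COM_NT_CREATE_ANDX, reply=True, status=0xC0000034,
                      pid=PID, mid=5, uid=0x0801, tid=0x0802),
]

if __name__ == "__main__":
    pairs, orphans = pair_by_mid(SAMPLE_PACKETS)
    print(f"{len(pairs)} request/response pairs, {len(orphans)} orphans")
    print(session_ids(pairs))
    for req, resp in pairs:
        print(f"mid={req.mid} cmd=0x{req.command:02x} status=0x{resp.status:08x}")
```

The failed create in the sample shows why the FID is a poor tracking key: the attempt is visible only in the request (command 0xA2, reply flag clear, UID and TID already set), which is exactly what the display filter above selects. Extracting the file name from the NT Create AndX data block is left out here; in Wireshark that is the smb.file field.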