Wireshark · Ethereal-dev: Re: [Ethereal-dev] Applying filters

Ethereal-dev: Re: [Ethereal-dev] Applying filters

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Tim Potter <tpot@xxxxxxxxx>

Date: Wed, 13 Aug 2003 13:55:55 -0700

On Wed, Aug 13, 2003 at 03:27:35PM -0500, Perrymon, Josh L. wrote:

> How do you guys suggest setting filters to catch the following:
> 
> outbound TFTP requests
> TCP port 135 requests ( RPC )
> 
> I want to set this sniffer on our core switch w/ port monitor and catch all
> RPC worm traffic if it happens.

How about 'udp.dstport == 69 or dcerpc' as a display filter.  RPC requests 
can happen on port 135 (nt4) or port 445 (win2k and above).

For a capture filter try 'udp port 69 or tcp port 135 or tcp port 445'
although this will give you more smb packets than you want.

Tim.

References:
- [Ethereal-dev] Applying filters
  - From: Perrymon, Josh L.

Prev by Date: [Ethereal-dev] Applying filters
Next by Date: [Ethereal-dev] IPsec sequence numbers
Previous by thread: [Ethereal-dev] Applying filters
Next by thread: [Ethereal-dev] IPsec sequence numbers
Index(es):
- Date
- Thread