
Ethereal-users: Re: [Ethereal-users] Capture Filter SNMP & Messenger

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Al Stu" <AHStubbl@xxxxxxxxxxx>
Date: Wed, 20 Apr 2005 18:51:13 -0700
Here's the packet I need a capture filter for (to select). However, the UDP src & dst ports change (not always the same).

No.  Time        Source           Destination      Protocol   Info
113  565.584347  61.152.158.125   My_IP_Address    Messenger  NetrSendMessage request

Frame 113 (383 bytes on wire, 383 bytes captured)
   Arrival Time: Apr 20, 2005 18:31:18.058242000
   Time delta from previous packet: 565.584347000 seconds
   Time since reference or first frame: 565.584347000 seconds
   Frame Number: 113
   Packet Length: 383 bytes
   Capture Length: 383 bytes
   Protocols in frame: eth:ip:udp:dcerpc
Ethernet II, Src: 00:07:0d:ae:a8:70, Dst: My_MAC
   Destination: My_MAC (My_MAC)
   Source: 00:07:0d:ae:a8:70 (00:07:0d:ae:a8:70)
   Type: IP (0x0800)
Internet Protocol, Src Addr: 61.152.158.125 (61.152.158.125), Dst Addr: My_IP_Address (My_IP_Address)
   Version: 4
   Header length: 20 bytes
   Differentiated Services Field: 0x20 (DSCP 0x08: Class Selector 1; ECN: 0x00)
       0010 00.. = Differentiated Services Codepoint: Class Selector 1 (0x08)
       .... ..0. = ECN-Capable Transport (ECT): 0
       .... ...0 = ECN-CE: 0
   Total Length: 369
   Identification: 0x0000 (0)
   Flags: 0x04 (Don't Fragment)
       0... = Reserved bit: Not set
       .1.. = Don't fragment: Set
       ..0. = More fragments: Not set
   Fragment offset: 0
   Time to live: 43
   Protocol: UDP (0x11)
   Header checksum: 0xa1c4 (correct)
   Source: 61.152.158.125 (61.152.158.125)
   Destination: My_IP_Address (My_IP_Address)
User Datagram Protocol, Src Port: 51130 (51130), Dst Port: 1026 (1026)
   Source port: 51130 (51130)
   Destination port: 1026 (1026)
   Length: 349
   Checksum: 0x3124 (correct)
DCE RPC
   Version: 4
   Packet type: Request (0)
   Flags1: 0x28
       0... .... = Reserved: Not set
       .0.. .... = Broadcast: Not set
       ..1. .... = Idempotent: Set
       ...0 .... = Maybe: Not set
       .... 1... = No Fack: Set
       .... .0.. = Fragment: Not set
       .... ..0. = Last Fragment: Not set
       .... ...0 = Reserved: Not set
   Flags2: 0x00
       0... .... = Reserved: Not set
       .0.. .... = Reserved: Not set
       ..0. .... = Reserved: Not set
       ...0 .... = Reserved: Not set
       .... 0... = Reserved: Not set
       .... .0.. = Reserved: Not set
       .... ..0. = Cancel Pending: Not set
       .... ...0 = Reserved: Not set
   Data Representation: 100000
       Byte order: Little-endian (1)
       Character: ASCII (0)
       Floating-point: IEEE (0)
   Serial High: 0x00
   Object UUID: 00000000-0000-0000-0000-000000000000
   Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
   Activity: 00000000-0000-0000-0000-000000000000
   Server boot time: Unknown (0)
   Interface Ver: 1
   Sequence num: 0
   Opnum: 0
   Interface Hint: 0xffff
   Activity Hint: 0xffff
   Fragment len: 261
   Fragment num: 0
   Auth proto: None (0)
   Serial Low: 0x00
Microsoft Messenger Service, NetrSendMessage
   Operation: NetrSendMessage (0)
   Server
       Max Count: 16
       Offset: 0
       Actual Count: 16
       Server: STOP
   Client
       Max Count: 16
       Offset: 0
       Actual Count: 16
       Client: ALERT
   Message
       Max Count: 193
       Offset: 0
       Actual Count: 193
       Message: ALERT:\r\n\r\nWindows has detected 15 corrupted system files and 100 invalid Registry Entries. Failure to fix the problem will result in system failure!\r\n\r\nVisit: www.fix-comp.com for Free help.\r\n


----- Original Message -----
From: "Guy Harris" <gharris@xxxxxxxxx>
To: "Ethereal user support" <ethereal-users@xxxxxxxxxxxx>
Sent: Wednesday, April 20, 2005 2:27 AM
Subject: Re: [Ethereal-users] Capture Filter SNMP & Messenger


Al Stu wrote:
What is the syntax for creating an SNMP & Messenger capture filter?

For SNMP, it'd be something such as "udp port 161 or udp port 162", as those are the ports SNMP normally uses. If the SNMP traffic is running over UDP but on some other port, you'd have to specify those ports instead.

For "Messenger" (whatever type of "Messenger" that is - AOL IM? Microsoft? ...), if it runs over UDP, it'd be something similar, based on what UDP port it's using. For TCP, it'd be similar, except that it'd be "tcp port {whatever}".

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
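The problem in the thread is that a port-based filter such as "udp port 1026" misses Messenger spam once the sender varies the ports. The decode itself shows a stable handle: every NetrSendMessage request carries the Messenger interface UUID (5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc) at a fixed offset in the 80-byte connectionless DCE RPC header (UDP length 349, minus the 8-byte UDP header, minus the 261-byte fragment, leaves exactly 80 bytes). The following is an added example, not code from the thread or from the Ethereal project: it parses that header from a UDP payload, classifies the datagram by interface UUID and opnum instead of by port, and derives the equivalent libpcap/Ethereal capture-filter expression. The header offsets follow the DCE RPC connectionless PDU layout and agree with the decode above; the sample packet, the NDR string padding and the message text are constructed for the example.

```python
"""
Added example (not from the Ethereal thread): recognise Microsoft Messenger
service NetrSendMessage datagrams by the connectionless DCE RPC header rather
than by UDP port, and derive a matching libpcap/Ethereal capture filter.
"""
import struct
import uuid

# Interface UUID and opnum taken from the decode in the thread.
MSGSVC_IFACE = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
NETR_SEND_MESSAGE = 0
PTYPE_REQUEST = 0

# Connectionless (rpc_vers 4) DCE RPC header, 80 bytes on the wire:
# 0-3 vers/ptype/flags1/flags2, 4-6 drep, 7 serial_hi, 8-23 object UUID,
# 24-39 interface UUID, 40-55 activity UUID, 56 server_boot, 60 if_vers,
# 64 seqnum, 68 opnum, 70 ihint, 72 ahint, 74 fraglen, 76 fragnum,
# 77 auth_proto, 78 serial_lo, 79 pad.
CL_HDR_LEN = 80
IFACE_OFF = 24


def parse_cl_header(udp_payload):
    """Return the fields we filter on, or None if this is not a v4 DCE RPC PDU."""
    if len(udp_payload) < CL_HDR_LEN or udp_payload[0] != 4:
        return None
    little = bool(udp_payload[4] & 0x10)  # drep[0] high nibble: 1 = little-endian
    raw_iface = udp_payload[IFACE_OFF:IFACE_OFF + 16]
    iface = uuid.UUID(bytes_le=raw_iface) if little else uuid.UUID(bytes=raw_iface)
    end = "<" if little else ">"
    opnum, = struct.unpack_from(end + "H", udp_payload, 68)
    fraglen, = struct.unpack_from(end + "H", udp_payload, 74)
    return {"ptype": udp_payload[1], "little": little, "iface": iface,
            "opnum": opnum, "fraglen": fraglen}


def is_netr_send_message(udp_payload):
    """True for a Messenger NetrSendMessage request, whatever UDP ports were used."""
    h = parse_cl_header(udp_payload)
    return (h is not None and h["ptype"] == PTYPE_REQUEST
            and h["iface"] == MSGSVC_IFACE and h["opnum"] == NETR_SEND_MESSAGE)


def bpf_for_interface(iface, little_endian=True):
    """libpcap expression matching the interface UUID at its fixed header offset.
    udp[n] counts from the start of the UDP header, so header offset 24 is udp[32];
    udp[n:4] compares a 4-byte big-endian value, hence the '>4I' unpack."""
    raw = iface.bytes_le if little_endian else iface.bytes
    words = struct.unpack(">4I", raw)
    drep = "udp[12] & 0xf0 = 0x10" if little_endian else "udp[12] & 0xf0 = 0"
    terms = ["udp[8] = 4", "udp[9] = 0", drep]  # rpc_vers 4, request, byte order
    terms += ["udp[%d:4] = 0x%08x" % (8 + IFACE_OFF + 4 * i, w)
              for i, w in enumerate(words)]
    return " and ".join(terms)


def ndr_string(s):
    """Constructed NDR string: max count, offset, actual count, then 4-byte-aligned chars."""
    data = s.encode("ascii") + b"\0"
    data += b"\0" * (-len(data) % 4)
    return struct.pack("<III", len(data), 0, len(data)) + data


def build_netr_send_message(server, client, text):
    """Constructed NetrSendMessage request (little-endian drep) for testing."""
    stub = ndr_string(server) + ndr_string(client) + ndr_string(text)
    hdr = struct.pack("<BBBB3sB", 4, PTYPE_REQUEST, 0x28, 0x00, bytes([0x10, 0, 0]), 0)
    hdr += uuid.UUID(int=0).bytes_le + MSGSVC_IFACE.bytes_le + uuid.UUID(int=0).bytes_le
    hdr += struct.pack("<IIIHHHHBBBx", 0, 1, 0, NETR_SEND_MESSAGE,
                       0xffff, 0xffff, len(stub), 0, 0, 0)
    assert len(hdr) == CL_HDR_LEN
    return hdr + stub


def decode_strings(udp_payload):
    """Pull the server, client and message strings out of a little-endian stub."""
    pos, out = CL_HDR_LEN, []
    for _ in range(3):
        _max, _off, actual = struct.unpack_from("<III", udp_payload, pos)
        pos += 12
        out.append(udp_payload[pos:pos + actual].split(b"\0", 1)[0].decode("ascii", "replace"))
        pos += actual + (-actual % 4)
    return tuple(out)


if __name__ == "__main__":
    pkt = build_netr_send_message("STOP", "ALERT", "constructed test message")
    print(is_netr_send_message(pkt), decode_strings(pkt))
    print(bpf_for_interface(MSGSVC_IFACE))
```

The printed filter can be pasted into the Ethereal capture-filter box or given to tcpdump. Because libpcap's udp[] indexing only sees the first fragment of a datagram, the expression will not match fragmented requests, which is the usual caveat with payload-offset capture filters; for a display filter after capture, matching on the DCE RPC interface field is the simpler route.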