tshark

tshark (the Wireshark command-line tool) is very useful because it resolves several limitations of tcpdump.

tshark is usually already installed on a Linux box (see tshark -h).

e.g. tshark -a filesize:1048576 -w 624882211_1.pcap -R "smb2.chain_offset != 0"

Note: on current tshark releases the display-filter switch is -Y; -R is now the two-pass read filter (used with -2) and is rejected when capturing to a file with -w. The BPF capture filter, applied in the kernel like tcpdump's, is -f.

tcpdump limitations:

a. Only TCP/IP header level (BPF) filters

b. No SMB/SMB2 level filter

c. It has no filter that restricts the saved capture to only certain SMB packets

tshark useful options:

a. Has SMB2 level filters (e.g. to keep only compounded SMB2 commands: -R "smb2.chain_offset != 0")

b. Has an option to restrict the size of the pcap (-a filesize:1048576, in KB).

This is very helpful for limiting the capture size in a customer's production environment.

c. The filter is applied before packets are written, so unwanted packets don't go into the pcap.

d. Has an option to stop the capture after a given number of seconds (-a duration:NUM).

e. Collects packet/byte statistics for the capture in fixed intervals

Example: -z "io,stat,0.001,smb&&ip.addr==1.2.3.4" generates 1 ms frame and byte statistics for all SMB packets to or from host 1.2.3.4.
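Putting the options above together, here is an added example (not from the original note) of a bounded SMB2 capture wrapper that keeps the kernel-level capture filter (-f) separate from the SMB2 display filter (-Y) and then runs the interval statistics over the saved file. It assumes a current tshark where -Y is the display filter; the interface name, peer address and output file are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumed standard tshark options:
#   -i interface   -f BPF capture filter   -Y display filter
#   -a autostop    -w output pcap          -z io,stat statistics
# Placeholder values: eth0, 1.2.3.4, smb2_compound.pcap (adjust for your host).

# Print the tshark argument list for a bounded SMB2 compound-command capture.
# $1 interface, $2 output pcap, $3 peer address, $4 max size in KB, $5 max seconds
smb2_capture_args() {
    iface="$1"; out="$2"; peer="$3"; kb="$4"; secs="$5"
    # Size and duration must be positive integers, otherwise -a is rejected.
    for n in "$kb" "$secs"; do
        case "$n" in ''|*[!0-9]*) echo "size and duration must be integers" >&2; return 1;; esac
    done
    # -f keeps non-SMB traffic out of user space entirely (cheap, like tcpdump);
    # -Y keeps only compounded SMB2 packets, applied before they are written;
    # two -a conditions bound the pcap by size and by time for production hosts.
    printf '%s' "-i $iface -f \"tcp port 445 and host $peer\" -Y \"smb2.chain_offset != 0\" -a filesize:$kb -a duration:$secs -w $out"
}

# Run the bounded capture (requires tshark on PATH).
run_smb2_capture() {
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 1; }
    eval "tshark $(smb2_capture_args "$@")"
}

# Print 1 ms frame/byte statistics for SMB1 and SMB2 traffic to or from $1,
# read back from the saved pcap $2. Parentheses are needed because && binds
# tighter than || in display filters.
smb_interval_stats() {
    tshark -q -r "$2" -z "io,stat,0.001,(smb||smb2)&&ip.addr==$1"
}

# Usage (commented out so the script is safe to source):
# run_smb2_capture eth0 smb2_compound.pcap 1.2.3.4 1048576 300
# smb_interval_stats 1.2.3.4 smb2_compound.pcap
```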