This is version 0.0.1b of Smbsniff, a LanManager file sniffer for Unix.
Smbsniff is maintained by Frederic Lavecot : Frederic.Lavecot@hsc.fr

**** Please read this file to the end as it gives important information ****
**** and it's not very long ****
**** or at least read section "WHAT YOU NEED TO KNOW BEFORE USING SMBSNIF" ****

WHAT IS SMBSNIF ?
-----------------

Smbsniff is a LanManager (SMB/CIFS) packet sniffer that will write to your
disk all the files shared and the documents printed in a LanManager
environment (all the Microsoft and Samba machines using the LanManager
protocol to share data). (Well, that's what it will do when it's finished.)

WHY WOULD YOU WANT TO USE SMBSNIF ?
-----------------------------------

To show people (your boss ?) how insecure this protocol is, for debugging
purposes, for fun, ...

WHAT YOU NEED TO KNOW BEFORE USING SMBSNIF
------------------------------------------

Smbsniff should work on *BSD and Linux and might even work on Solaris.
You will need libpcap in all cases :
  ftp://ftp.ee.lbl.gov/libpcap.tar.Z or http://www.tcpdump.org

Smbsniff can work directly on the network, but the sniffing part is still
wobbly and you might (most probably will) lose data. Most of all, you should
not use the sniffing part for SECURITY reasons : sniffing the network
requires root privileges and smbsniff is definitely not secure, yet ;)

If you want to get the best out of smbsniff, use a real sniffer like :

- the stable tcpdump : ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
- the new tcpdump : http://www.tcpdump.org/
- ethereal : http://www.ethereal.com/

Use :

  # tcpdump -s 1514 -w <file> port 139
  $ smbsniff -f <file>

NOTE : Smbsniff is still under development and it is FAR from working
perfectly.

KNOWN BUGS
----------

- Files are not the right size / the structure of the file is not correct.
  (This is still an alpha version.)

- File size is bigger than the original file size.
  09 Feb 2001 : I have identified the reason why, and will correct it as soon
  as I can. The reason is that some LanManager/SMB headers are transmitted in
  the middle of some raw data packets (makes you wonder, no ?).

- If you get a message like :

    Read X : offset corrected file <file> will be wrong
    Write X : offset corrected file <file> will be wrong

  then this means the program is dropping packets or the sniffer you used to
  capture the packets has dropped some packets.
  09 Feb 2001 : It can also mean (and this is most often the case) that headers
  are present in the raw data and that the problem has not been corrected yet.

Note : under Linux (when using tcpdump or other sniffers), there is no way to
know that packets have been dropped.

Note 2 : If your sniffer IS dropping packets you can easily patch libpcap to
adjust the size of the capture buffer. To do that, in file pcap-bpf.c change
the line

    v = 32768;

to something like

    v = 524288;

and don't forget to rebuild your pcap library. That worked great for me.

CONTRIBUTIONS
-------------

If you want to contribute, send bug alerts or give feedback, please mail me :
Frederic.Lavecot@hsc.fr. I could also use tcpdump traces of dialogs between
Windows machines. This way I can see how smbsniff reacts outside a
smbclient <-> NT dialog. Thanks in advance to anyone who can do that for me.

WEB SITE
--------

Smbsniff's primary download site is :
http://www.hsc.fr/ressources/outils/index.html.en

Thanks to the following people for their suggestions and help :

  Stephane Aubert <Stephane.Aubert@hsc.fr>
  Denis Ducamp <Denis.Ducamp@hsc.fr>
  Jerome Bouigas
  Sebastien Michaud

Also Herve Schauer (for letting me work on this), ee.lbl.gov (for libpcap and
tcpdump), and the free software community in general.
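As an added illustration (this is not smbsniff's own code), the small Python reassembler below shows the two failure modes listed under KNOWN BUGS: a write whose offset is past the end of what was captured so far (a dropped packet, what smbsniff reports as "offset corrected"), and an SMB header leaking into the raw data, which makes the rebuilt file larger than the original. The (offset, data) write records are constructed sample input; the "\xffSMB" signature is the real SMB1 header magic.

```python
# Added example, not part of smbsniff: rebuild a file from (offset, data)
# write records taken from a capture, and report the problems the README
# describes instead of silently producing a wrong file.

SMB_MAGIC = b"\xffSMB"  # SMB1 header signature (real value)


def reassemble(records):
    """records: iterable of (offset, data) write chunks in capture order.
    Returns (file_bytes, warnings)."""
    out = bytearray()
    warnings = []
    for n, (offset, data) in enumerate(records, 1):
        if offset > len(out):
            # Bytes between len(out) and offset never arrived: the sniffer or
            # the program dropped a packet. Pad so later offsets stay valid,
            # and say so, like smbsniff's "Write X : offset corrected".
            missing = offset - len(out)
            warnings.append(f"Write {n}: offset corrected, {missing} bytes missing")
            out.extend(b"\0" * missing)
        elif offset < len(out):
            # Retransmission or overlapping write: overwrite in place.
            warnings.append(f"Write {n}: overlaps {len(out) - offset} bytes already written")
        pos = data.find(SMB_MAGIC)
        if pos != -1:
            # An SMB header inside raw file data: copying it verbatim is why
            # the reconstructed file ends up bigger than the original.
            warnings.append(f"Write {n}: SMB header inside raw data at +{pos}")
        out[offset:offset + len(data)] = data
    return bytes(out), warnings


# Constructed sample: three writes; the second starts 4 bytes past where the
# first ended (dropped packet), the third carries a header in its payload.
SAMPLE = [
    (0, b"hello "),
    (10, b"world"),
    (15, b"!" + SMB_MAGIC + b"junk"),
]

if __name__ == "__main__":
    data, warns = reassemble(SAMPLE)
    print(len(data), "bytes rebuilt")
    for w in warns:
        print(w)
```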