On 06/22/2010 10:52 PM, David H. Lipman wrote:
From: "Jaap Keuter" <jaap.keuter@xxxxxxxxx>
| Hi,
| You need a display filter?
| Just point and click; point to the packet with the protocol you don't want,
| right-click and add to filter.
| Thanks,
| Jaap
I'm kind of in the middle but here goes...
{ I say I am in the middle because it is not my website. }
This is a web site that accepts malicious samples. The site sandboxes and executes the malicious
samples and then sends a PCAP file of communication and an HTML file of activity.
The PCAP is full of Microsoft "noise" that doesn't have to do with the malware analysis.
The objective is to filter out the noise and generate a PCAP without said noise. That
filtered PCAP and the HTML report are subsequently zipped and emailed to the malicious file
submitter.
Ah ok, you need a capture filter then? I assume you capture using libpcap.
A quick web search shows the following:
Microsoft Protocols
  TCP PORT 139    tcp port 139
  UDP PORT 137    udp port 137
  UDP PORT 138    udp port 138
  UDP PORT 445    udp port 445
  SMB             dst port 139 && tcp[13:1] & 18 = 2
which would result in
  not (tcp port 139 or udp port 137 or udp port 138 or udp port 445)
But if you're interested in the HTTP protocol only, why not filter on that?
That would be: tcp port 80
Hope it helps.
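The capture filter from this reply, applied offline to an existing PCAP by a small pure-Python filter. This is an added example, not code from the thread, from Wireshark or from libpcap. It assumes a classic pcap file (not pcapng) with Ethernet link type, and the sample frames are constructed inline rather than captured. The port test follows BPF `port` semantics: a packet matches when either its source or destination port is listed, and only the first fragment of a fragmented datagram is examined because later fragments carry no transport header. Note that TCP 445 is not in the list posted above, so SMB carried directly over TCP 445 passes through untouched; the sample data includes such a frame to make that visible.

```python
import struct

# Ports from the thread's filter: not (tcp port 139 or udp port 137 or udp port 138 or udp port 445)
NOISE_PORTS = {("tcp", 139), ("udp", 137), ("udp", 138), ("udp", 445)}

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap file, microsecond timestamps
LINKTYPE_ETHERNET = 1
IPPROTO = {6: "tcp", 17: "udp"}


def pcap_global_header(linktype=LINKTYPE_ETHERNET):
    # magic, version major/minor, thiszone, sigfigs, snaplen, link type
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)


def pcap_record(frame, ts_sec=0, ts_usec=0):
    # per-packet header: ts_sec, ts_usec, included length, original length
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def iter_records(pcap_bytes):
    """Yield (ts_sec, ts_usec, frame) from a classic pcap file in either byte order."""
    endian = "<" if struct.unpack("<I", pcap_bytes[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", pcap_bytes[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, pcap_bytes[off:off + incl_len]
        off += incl_len


def classify(frame):
    """Return ("tcp"|"udp", sport, dport) for IPv4 TCP/UDP in an Ethernet frame, else None.
    Like BPF 'port', only the first fragment is examined; later fragments carry no ports."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # too short or not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    proto = IPPROTO.get(ip[9])
    if proto is None or frag_offset != 0 or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return proto, sport, dport


def is_noise(frame):
    """True when the frame matches any 'tcp port N' / 'udp port N' term, in either direction."""
    c = classify(frame)
    if c is None:
        return False
    proto, sport, dport = c
    return (proto, sport) in NOISE_PORTS or (proto, dport) in NOISE_PORTS


def filter_pcap(pcap_bytes):
    """Apply 'not (...)' to every record; return (filtered_pcap_bytes, kept, dropped)."""
    out = [pcap_global_header()]
    kept = dropped = 0
    for ts_sec, ts_usec, frame in iter_records(pcap_bytes):
        if is_noise(frame):
            dropped += 1
            continue
        out.append(pcap_record(frame, ts_sec, ts_usec))
        kept += 1
    return b"".join(out), kept, dropped


def build_frame(proto, sport, dport, payload=b""):
    """Constructed minimal Ethernet/IPv4/{TCP,UDP} frame (checksums left zero) for the demo."""
    if proto == "tcp":   # ports, seq, ack, data offset 5, SYN flag, window, checksum, urgent
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0) + payload
    else:                # ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64,
                     6 if proto == "tcp" else 17, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + l4
    return bytes(12) + b"\x08\x00" + ip


ARP_FRAME = bytes(12) + b"\x08\x06" + bytes(28)   # constructed non-IP frame: never noise

SAMPLE_FRAMES = [                                  # constructed sample capture
    build_frame("tcp", 1025, 139),                 # NetBIOS session service: dropped
    build_frame("udp", 137, 137),                  # NetBIOS name service: dropped
    build_frame("udp", 138, 138),                  # NetBIOS datagram service: dropped
    build_frame("tcp", 1040, 80, b"GET / HTTP/1.0\r\n\r\n"),  # sandboxed sample's HTTP: kept
    build_frame("tcp", 445, 1050),                 # SMB over TCP 445: not in the list, kept
    build_frame("udp", 53, 1060),                  # DNS reply: kept
    ARP_FRAME,
]


def build_sample_pcap():
    return pcap_global_header() + b"".join(pcap_record(f, i, 0) for i, f in enumerate(SAMPLE_FRAMES))


def demo():
    """Return (kept, dropped, records_in_output) for the constructed capture."""
    filtered, kept, dropped = filter_pcap(build_sample_pcap())
    return kept, dropped, sum(1 for _ in iter_records(filtered))


if __name__ == "__main__":
    print(demo())
```

To run this on a real capture, read the file into `pcap_bytes`, call `filter_pcap`, and write the first element of the result to the output file; the kept/dropped counts give a quick sanity check that the filter removed only what was expected before the file is zipped and sent on.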