Cisco Support Community
Community Member

ethereal or tcpdump filter for WindowsLocSrv

I am busy analyzing the alarm “Windows Locator Service Overflow” within our network. The signature says that it will trigger with the following parameters:

8 - MinMatchLength = 2000

11 - ServicePorts = 139,445

I would like to see an example of when this alarm has triggered and then correlate that with the “iplog” capture that has been taken during the same period.

Can anyone on the list tell me what the ethereal or tcpdump filter should look like in order to filter these packets to the display?

Would eth.len > 2000 work?
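As an added illustration (not part of the original post or of any Cisco tool), the following Python script implements the semantics of a capture filter like tcpdump's `(tcp port 139 or tcp port 445) and greater 2000`, i.e. "TCP on either service port and a frame longer than 2000 bytes", over a handful of constructed Ethernet/IPv4/TCP frames. The port set and the 2000-byte threshold are taken from the signature parameters quoted above; the frames, addresses and port numbers are made up for the example. It also shows the edge cases a filter has to cope with: variable IP header length, non-TCP traffic on the same ports, and truncated frames.

```python
"""
Apply a tcpdump-style filter, "(tcp port 139 or tcp port 445) and frame
longer than 2000 bytes", to raw Ethernet frames so an iplog capture can be
lined up against the IDS alarm. All frames below are constructed sample data.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
SERVICE_PORTS = {139, 445}   # ServicePorts from the signature
MIN_LENGTH = 2000            # frame-length threshold in bytes (assumed to mean the whole frame)


def parse_frame(frame: bytes):
    """Return (src_port, dst_port) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 14:                       # truncated: no full Ethernet header
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                  # IP header length, honours IP options
    if ihl < 20 or len(ip) < ihl:
        return None
    if ip[9] != IPPROTO_TCP:                  # protocol field: skip UDP, ICMP, ...
        return None
    tcp = ip[ihl:]
    if len(tcp) < 4:                          # need at least the two port fields
        return None
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    return src_port, dst_port


def matches(frame: bytes, ports=SERVICE_PORTS, min_len=MIN_LENGTH) -> bool:
    """True when the frame is TCP on one of the service ports and longer than min_len."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    src, dst = parsed
    return (src in ports or dst in ports) and len(frame) > min_len


def filter_capture(frames, ports=SERVICE_PORTS, min_len=MIN_LENGTH):
    """Return the indices of the frames that satisfy the filter."""
    return [i for i, f in enumerate(frames) if matches(f, ports, min_len)]


def build_frame(src_port, dst_port, payload_len, proto=IPPROTO_TCP):
    """Build a minimal constructed Ethernet/IPv4/TCP frame (sample data, not real traffic)."""
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_IPV4))
    # 20-byte TCP header: ports, seq, ack, data offset 5, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    payload = b"A" * payload_len
    total_len = 20 + len(tcp) + len(payload)
    # 20-byte IPv4 header with no options; checksum left zero for the sample
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return eth + ip + tcp + payload


# Constructed capture: each frame is 54 header bytes plus the payload length.
SAMPLE_FRAMES = [
    build_frame(50123, 445, 2500),                   # large SMB request  -> matches
    build_frame(50124, 445, 100),                    # small SMB request  -> too short
    build_frame(50125, 80, 2500),                    # large HTTP request -> wrong port
    build_frame(139, 50126, 2500),                   # large reply from 139 -> matches
    build_frame(50127, 445, 2500, proto=IPPROTO_UDP),  # large but not TCP -> skipped
]

if __name__ == "__main__":
    print(filter_capture(SAMPLE_FRAMES))  # [0, 3]
```

The same filter typed at tcpdump against the saved iplog is `tcpdump -r iplog.pcap '(tcp port 139 or tcp port 445) and greater 2000'`; in Wireshark's display-filter syntax the whole-frame size is the `frame.len` field, so the equivalent is `(tcp.port == 139 || tcp.port == 445) && frame.len > 2000`. Note that `greater` in BPF compares against the length of the captured frame, not the TCP payload, which is why the script compares `len(frame)`.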

2 REPLIES
Cisco Employee

Re: ethereal or tcpdump filter for WindowsLocSrv

Is this on a 3.1 sensor?

Community Member

Re: ethereal or tcpdump filter for WindowsLocSrv

it is indeed!
