If you’ve heard about this vulnerability which has been located (and published before it was advised to MSRC – Microsoft Security Response Center) and want to see if there are machines on your network attempting to exploit it, here’s a Network Monitor capture filter to show you the source IP of the attacker or infected PC:
smb.command == 0x72 AND SMB.SMBHeader.Flags.FromServer == 0x0 AND SMB.SMBHeader.PIDHigh != 0x0
Get NetMon 3.3 from here.
And the VERY cool updated NetMon parsers from CodePlex.
The signature for the vulnerability has been published here.