SMB2.0 protocol dissector

Wireshark is still not good enough for dissecting SMB2.0. I saw a lot of "Unknown fields" in the packet captures.
Netmonitor however shows more detailed packet traces for the same.Do use it .
The summary itself gives a lot of info as below:

5 57.848633 192.168.12.32 WINDOWSVISTALAB SMB2 SMB2: R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF0000003D, Mid = 235
6 57.849610 WINDOWSVISTALAB 192.168.12.32 SMB2 SMB2: C CLOSE (0x6), FID=0xFFFFFFFF0000003D, Mid = 236
7 57.999024 192.168.12.32 WINDOWSVISTALAB SMB2 SMB2: R CLOSE (0x6), Mid = 236
8 57.999024 WINDOWSVISTALAB 192.168.12.32 SMB2 SMB2: C CREATE (0x5), Name=F1024K@#8, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 237
9 58.148438 192.168.12.32 WINDOWSVISTALAB SMB2 SMB2: R CREATE (0x5), Context=MxAc, Context=DHnQ, Context=QFid, FID=0xFFFFFFFF00000041, Mid = 237
10 58.149414 WINDOWSVISTALAB 192.168.12.32 SMB2 SMB2: C CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 238
11 58.298828 192.168.12.32 WINDOWSVISTALAB SMB2 SMB2: R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000045, Mid = 238
12 58.298828 WINDOWSVISTALAB 192.168.12.32 SMB2 SMB2: C QUERY DIRECTORY (0xe), FID=0xFFFFFFFF00000045, FileName=F1024K, Mid = 239
More on this later.

Comments

Popular posts from this blog

White water rafting at Dandeli

Melkote : The temple town

You know u're looking for a house when ...