Wireshark mailing list archives
Re: Wireshark unable to decode SMB2 IOCTL buffer
From: Bill Meier <wmeier () newsguy com>
Date: Fri, 22 Feb 2013 01:01:56 -0500
On 2/22/2013 12:25 AM, Rupam Paul wrote:
> Hi,
> I have been using Wireshark for a long time. Recently I found that Wireshark is not able to show the buffer field of SMB2 IOCTL packet. I am using Wireshark Version 1.8.5 (SVN Rev 47350 from /trunk-1.8). Please let me know how I would be able to see those fields which are reflecting as unknown.
> Thanks,
> Rupam
The short answer: Find a specification/description for those fields. :)

For the first 'unknown' field the dissector source says:

    /* some unknown bytes */
    proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
    offset += 4;

For the 'unknown' under the "Out Data", the smb2 dissector has the following comment:

    /* dissector not yet implemented */
    {0x001440F2, "FSCTL_SRV_COPYCHUNK"},
    {0x00140078, "FSCTL_SRV_REQUEST_RESUME_KEY"},
    {0x001441bb, "FSCTL_SRV_READ_HASH"},
    ...

which may mean "info available but not implemented in the dissector" or "info not available so don't know how to dissect".

So: Unless & until someone provides info about the fields and/or a patch to dissect the fields, those fields will remain as "unknown".
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
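Added example, not part of the original message and not Wireshark's dissector code: a standalone, bounds-checked decoder for the Out Data of two of the FSCTLs listed in the comment above. The field layouts are taken from Microsoft's MS-SMB2 specification and are an assumption here, as are all struct, function and sample names.

```c
#include <stdint.h>
#include <string.h>

/* FSCTL codes quoted in the message above. */
#define FSCTL_SRV_COPYCHUNK          0x001440F2u
#define FSCTL_SRV_REQUEST_RESUME_KEY 0x00140078u

/* Layouts assumed from MS-SMB2; all names here are hypothetical. */
struct ioctl_out {              /* valid members depend on the FSCTL code */
    uint8_t  resume_key[24];    /* REQUEST_RESUME_KEY: opaque ResumeKey */
    uint32_t context_length;    /* REQUEST_RESUME_KEY: ContextLength */
    uint32_t chunks_written;    /* COPYCHUNK: ChunksWritten */
    uint32_t chunk_bytes;       /* COPYCHUNK: ChunkBytesWritten */
    uint32_t total_bytes;       /* COPYCHUNK: TotalBytesWritten */
};

/* Constructed sample Out Data buffers (not captured traffic). */
const uint8_t sample_copychunk[12] = {
    0x02, 0, 0, 0,   0, 0, 0, 0,   0, 0, 0x18, 0 };
const uint8_t sample_resume_key[32] = { 0xAA, 0xBB };  /* rest is zero */

static uint32_t le32(const uint8_t *p)   /* little-endian, alignment-safe */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 0 = decoded, -1 = buffer too short, -2 = FSCTL not handled here. */
int parse_ioctl_out(uint32_t ctl, const uint8_t *buf, size_t len,
                    struct ioctl_out *out)
{
    memset(out, 0, sizeof *out);
    switch (ctl) {
    case FSCTL_SRV_REQUEST_RESUME_KEY:
        if (len < 28) return -1;      /* 24-byte key + 4-byte length */
        memcpy(out->resume_key, buf, 24);
        out->context_length = le32(buf + 24);
        return 0;
    case FSCTL_SRV_COPYCHUNK:
        if (len < 12) return -1;      /* three 32-bit counters */
        out->chunks_written = le32(buf);
        out->chunk_bytes    = le32(buf + 4);
        out->total_bytes    = le32(buf + 8);
        return 0;
    default:
        return -2;                    /* still "unknown" to this parser */
    }
}
```

The length checks come before any read because the Out Data is peer-controlled, so a truncated buffer is rejected rather than read past.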