
Analyze filter smb2.cmd == 9 && smb2.filename contains "fname" shows no results

asked 2020-08-27 20:23:40 +0000 by keg415

updated 2020-08-27 21:20:25 +0000 by Eddi

Analyzing a file of captured packets with the filter:

smb2.cmd == 9

displays many write command packets, some with filenames containing "Favorites"; similarly, the filter:

smb2.filename contains "Favorites"

displays packets. But filtering for smb2 write command packets with specific filenames, e.g. with the filter:

smb2.cmd == 9 && smb2.filename contains "Favorites"

displays no packets.

I just started using Wireshark -- what am I doing wrong?

Thanks.


2 Answers


answered 2020-08-27 20:47:39 +0000 by Chuckc

updated 2020-08-27 20:48:31 +0000

smb2.cmd==9 - Command: Write (9)

What do you get with smb2.cmd==9 && smb2.filename ?
That would display any packets that are SMB2 Writes and have an smb2.filename field.

The sample file smb2-peter.pcap on the Wireshark Wiki might be a good starting point if you want to explore a common file. An example of filtering on a specific command (Create) and a filename string:

smb2.cmd==5 && smb2.filename contains "txt"

Comments

smb2.cmd==9 && smb2.filename

shows 29 packets, but they don't look correctly formatted, e.g.:

242486  471.275337  192.168.1.11    192.168.1.10    SMB2    694 Write Request Len:1048576 Off:4194304 File: Pictures\Lightroom\Catalogs\CrashTestDummy\CrashTestDummy.lrcat-walCreate Request File: Pictures\Slideshows\Screen Saver Photos

Both a Write and Create request are shown in the same entry.

smb2.cmd==9 && smb2.filename contains "lrcat"

shows no packets.

smb2.cmd==9 && smb2.filename contains "Photos"

shows 5 packets, including #242486 above.

keg415 (2020-08-27 21:48:33 +0000)

Similar problem on smb2-peter.pcap: smb2.cmd == 9 shows 34 packets but smb2.cmd == 9 && smb2.filename contains "txt" shows no packets.

keg415 (2020-08-27 21:59:53 +0000)

Your capture has packets with more than one SMB2 PDU?

smb2.flags.chained==1

Adding a column for smb2.cmd will make this easier to see.
If that's the case then we can work on a filter.

Note: May bump up against not being able to filter on specific occurrence

Chuckc (2020-08-27 22:27:12 +0000)

OK, not being able to filter on a specific occurrence explains the problem. So if I want to filter on commands that do not contain filenames, I need to first look up the filename's fid and filter on that, e.g.:

smb2.cmd == 9 && smb2.fid == 578b565f-0000-0000-71ef-756100000000

which works. If there's a shortcut for doing this, please point me to the documentation.

Thanks!

keg415 (2020-08-27 23:51:19 +0000)

It's doable with tshark, with multiple passes to get the fid and then filter on it, or by filtering on _ws.col.info.

There have been requests to filter on the Info column in Wireshark. There is an open enhancement request/issue to support this.

Chuckc (2020-08-28 01:04:06 +0000)
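The two-pass approach Chuckc describes, and the compound-frame match keg415 saw in frame #242486, modelled in Python as an added example (not code from the thread or from Wireshark itself). The field names smb2.cmd, smb2.fid, smb2.filename and smb2.flags.chained are the ones used in the thread; smb2.flags.response and smb2.msg_id are the dissector's response-flag and message-id fields, used here to pair a Create request with its response. The frames and the two fid values are constructed sample data, not values from either capture.

```python
"""Model of why `smb2.cmd == 9 && smb2.filename contains "x"` finds nothing.

Wireshark evaluates a display filter once per frame. A stand-alone SMB2 Write
request carries a file id (fid), not a filename, so the frame never satisfies
both halves of the filter. A compound frame that chains a Write PDU and a
Create PDU satisfies both halves, but the filename belongs to the Create, which
is the confusing match seen in the thread. The two-pass approach below (learn
fid -> filename from Create request/response pairs, then select Writes by fid)
is the logic a tshark two-pass script would implement.

All frames and fids below are constructed sample data, not from the thread's captures.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SMB2_CREATE = 5
SMB2_WRITE = 9


@dataclass
class Pdu:
    """One SMB2 PDU as the dissector exposes it (field names noted per attribute)."""
    cmd: int                        # smb2.cmd
    response: bool                  # smb2.flags.response
    msg_id: int                     # smb2.msg_id, pairs a request with its response
    fid: Optional[str] = None       # smb2.fid (GUID-like text)
    filename: Optional[str] = None  # smb2.filename, only present on Create requests


@dataclass
class Frame:
    number: int
    pdus: List[Pdu]                 # more than one PDU means smb2.flags.chained == 1


# Constructed fids; placeholders, not the value from the question.
FID_A = "aaaaaaaa-0000-0000-0000-000000000001"
FID_B = "bbbbbbbb-0000-0000-0000-000000000002"

FRAMES: List[Frame] = [
    Frame(100, [Pdu(SMB2_CREATE, False, 1, filename=r"Pictures\Lightroom\CrashTestDummy.lrcat")]),
    Frame(101, [Pdu(SMB2_CREATE, True, 1, fid=FID_A)]),
    Frame(102, [Pdu(SMB2_WRITE, False, 2, fid=FID_A)]),
    Frame(103, [Pdu(SMB2_WRITE, False, 3, fid=FID_A)]),
    # Compound frame: a Write on FID_A chained with a Create for another file.
    Frame(104, [Pdu(SMB2_WRITE, False, 4, fid=FID_A),
                Pdu(SMB2_CREATE, False, 5, filename=r"Pictures\Slideshows\Screen Saver Photos")]),
    Frame(105, [Pdu(SMB2_CREATE, True, 5, fid=FID_B)]),
    Frame(106, [Pdu(SMB2_WRITE, False, 6, fid=FID_B)]),
]


def naive_frame_filter(frames: List[Frame], needle: str) -> List[int]:
    """Per-frame evaluation of `smb2.cmd == 9 && smb2.filename contains needle`.

    Each half may be satisfied by a different PDU in the same frame, which is
    how Wireshark evaluates it, so only compound frames can ever match.
    """
    hits = []
    for f in frames:
        has_write = any(p.cmd == SMB2_WRITE for p in f.pdus)
        has_name = any(p.filename is not None and needle in p.filename for p in f.pdus)
        if has_write and has_name:
            hits.append(f.number)
    return hits


def build_fid_map(frames: List[Frame]) -> Dict[str, str]:
    """Pass 1: map fid -> filename by pairing Create requests with their responses."""
    pending: Dict[int, str] = {}      # msg_id -> filename of an unanswered Create
    fid_to_name: Dict[str, str] = {}
    for f in frames:
        for p in f.pdus:
            if p.cmd != SMB2_CREATE:
                continue
            if not p.response and p.filename is not None:
                pending[p.msg_id] = p.filename
            elif p.response and p.fid is not None and p.msg_id in pending:
                fid_to_name[p.fid] = pending.pop(p.msg_id)
    return fid_to_name


def fid_filter(fid: str) -> str:
    """The display filter the original poster ended up using, for a given fid."""
    return f"smb2.cmd == {SMB2_WRITE} && smb2.fid == {fid}"


def writes_for_filename(frames: List[Frame], needle: str) -> List[int]:
    """Pass 2: frames containing a Write PDU whose fid maps to a matching filename."""
    wanted = {fid for fid, name in build_fid_map(frames).items() if needle in name}
    return [f.number for f in frames
            if any(p.cmd == SMB2_WRITE and p.fid in wanted for p in f.pdus)]


if __name__ == "__main__":
    for needle in ("lrcat", "Photos"):
        print(needle, "naive:", naive_frame_filter(FRAMES, needle),
              "two-pass:", writes_for_filename(FRAMES, needle))
    for fid in build_fid_map(FRAMES):
        print(fid_filter(fid))
```

Against real traffic the per-PDU records would come from `tshark -T fields -e frame.number -e smb2.cmd -e smb2.flags.response -e smb2.msg_id -e smb2.fid -e smb2.filename -E occurrence=a`, splitting the comma-joined values that a chained frame produces for each field; the two functions above then do the same work as the "multiple passes" Chuckc mentions.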
answered 2020-08-27 21:38:59 +0000 by Jaap

The filename is not in the write command packets; a GUID is present, which can be mapped to a file name. This is what the dissector shows you: this mapping, which it picked up in other SMB2 packets. If you look at the GUID in the write command packet you'll see a link added to where the file was opened. This in turn is a response to a create request, and that is the packet containing the filename.


Comments

Understood, but I thought Wireshark would figure this out to enable filtering on the filename anyway.

keg415 (2020-08-27 22:04:56 +0000)
