Parse SMB over QUIC packets

asked 2020-09-02 12:06:07 +0000

updated 2020-09-04 10:49:06 +0000

I instead of the marked raw stream data, i want smb detailed data.

capture:

https://easyupload.io/xglumm cant upload files so download from this link

a method which could be possible is creating a dissector\lua script or expending smb \ quic dissectors to be able to parse those packets

anyone know how can I do this? or if you have anything similier that does that? I want to know where to start from

edit retag flag offensive close merge delete

Comments

There is a long running bug/issue to extend the QUIC dissector. Maybe ask there?
(This article seems to be referenced often for SMB and QUIC background)

Chuckc ( 2020-09-03 05:53:27 +0000 )edit

@Chuckc but there is a dissector for QUIC, you it does decrypt and filter the data, It just will not parse the stream data (the same like RPC over SMB) , so how can I get that? the bug is working on that issue?

user_name ( 2020-09-03 06:17:03 +0000 )edit

Facebook QUIC was split out into it's own issue.
I have asked on the original QUIC issue if that should be the case for SMB as well.

Check the comments at end of issue 13881.
Can you provide a sample capture and the info to decrypt?

Chuckc ( 2020-09-03 15:16:31 +0000 )edit

Merge Request 123 has been merged.
SMB decode now available.

Tested with /download/automated/win64.
Version 3.3.0rc0-2043-g25d10e68a896 (v3.3.0rc0-2043-g25d10e68a896)

Chuckc ( 2020-09-14 13:59:50 +0000 )edit

add a comment

Comments

I'll follow along with the merge request as a tutorial. :-)

Chuckc ( 2020-09-04 16:10:31 +0000 )edit

@Alexis La Goutte already has a MR 123 but I don't think it's correct as he's simply discarding the NetBIOS Session Service header.

grahamb ( 2020-09-04 16:14:52 +0000 )edit

the commit that @Alexis La Goutte pushed is sufficient for this problem? it will now parse the raw data? or there are still things to check? I see it is merged so whats the results now ?

user_name ( 2020-09-06 09:51:13 +0000 )edit

It may work, I haven't checked with your capture, but I think it's wrong as it simply discards the NetBIOS Session Service header. I shall try to create another change to add in the parsing of the NBSS header.

FWIW, this change is not available in a stable release only in an automated build from the automated downloads area of the Wireshark website. Choose the most recent 3.3.0-rc build.

grahamb ( 2020-09-06 11:04:09 +0000 )edit

your change will appear in the automated build as well ? if you are already working on it, maybe you can confirm? I never used the automated build before, it the same as to running the project from git and creating execute file?

user_name ( 2020-09-06 14:52:10 +0000 )edit

see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Parse SMB over QUIC packets

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Parse SMB over QUIC packets edit

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Parse SMB over QUIC packets