I'm on CentOS.
I'm analyzing some SMB traffic. I'd like to find TCP streams related to certain paths. These paths are of the form: \\server_name\Share_Name\folder.
I've tried tshark -r file.pcap -Y 'frame contains "\\server_name\Share_Name\folder"' also with smb2 contains and escaping the backslash like "\\\\server_name\\Share_Name\\folder
What is the proper way to do it?
Are the share names encoded as WCHAR (for Unicode characters)?
0070 00 00 5c 00 5c 00 31 00 39 00 32 00 2e 00 31 00 ..\.\.1.9.2...1. 0080 36 00 38 00 2e 00 31 00 31 00 34 00 2e 00 31 00 6.8...1.1.4...1. 0090 32 00 39 00 5c 00 54 00 45 00 53 00 54 00 00 00 2.9.\.T.E.S.T...
Check smb.flags2.string - 1... .... .... .... = Unicode Strings: Strings are Unicode
If unicode, then each character in the filter will need a \0 in front. \0f\0o\0l\0d\0e\0r or
you can filter on the smb.path field - smb.path == "\\\\192.168.114.129\\TEST"
I infer from the original poster's smb2 contains example that this is SMB2 or SMB3, in which case 1) all paths are UTF-16-encoded Unicode and 2) smb.path won't work.
They'd have to try smb2.filename instead of smb.path, but there might be other fields that contain paths (just as SMB1 might have fields other than smb.path that contain paths).
However, they also need to note that the \\server_name\Share_Name parth does not appear in SMB requests or replies. server_name isn't needed in SMB, as the destination address of the request or source address of the reply identifies the server, and share_name is indicated by the tree ID field in the request, returned when the given share is connected to with a Tree Connect request.
Asked: 2023-01-02 20:50:25 +0000
Seen: 603 times
Last updated: Jan 02 '23
