
SMB packet cannot be properly decoded

asked 2023-03-29 12:02:46 +0000

uniform64

I use Wireshark to capture SMB packets on a custom port (44555) due to port forwarding. Since such SMB packets cannot be directly recognized, I then use the Decode As function to set packets with TCP port 44555 as NBSS packets. After the setting, most SMB packets are correctly decoded instead of being shown as TCP payload. However, there are still some packets shown as TCP payload.

[screenshot]

As shown in the screenshot above, packet 1078 is obviously an SMB packet and is not properly decoded.

What should I configure in Wireshark so that such packets can be properly decoded?


1 Answer


answered 2023-03-29 13:14:23 +0000

Chuckc

For the sample capture smb2_dac_sample.pcap.gz (https://wiki.wireshark.org/SMB2#Examp...) with Wireshark Version 4.0.4 (v4.0.4-0-gea14d468d9ca), it decodes better if the TCP protocol preference "Try heuristic sub-dissectors first" is disabled/unchecked.


Comments

Actually, "Try heuristic sub-dissectors first" was already disabled on Wireshark v4.0.3. It seems it doesn't help.

uniform64 (2023-03-31 08:40:40 +0000)

Can you share a capture file on a public file share and update the question with a link to it?

Chuckc (2023-03-31 14:12:36 +0000)
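
One way to check whether a segment that stays "TCP payload" actually begins at an SMB message boundary is to test its bytes for the 4-byte NBSS session header followed by an SMB protocol identifier. This is an added example, not code from the thread or from Wireshark; the function names are hypothetical, the sample payloads are constructed, and it makes no claim about the capture discussed above.

```python
# Added example: classify raw TCP payloads from the forwarded SMB port (44555 in the question).
# Function names are hypothetical; the sample byte strings below are constructed.

# Protocol identifiers that follow the 4-byte NBSS header (0x00 + 24-bit length).
SMB_MAGICS = {
    b"\xffSMB": "SMB1",
    b"\xfeSMB": "SMB2/3",
    b"\xfdSMB": "SMB3 transform (encrypted)",
    b"\xfcSMB": "SMB3 compressed",
}

def nbss_frame(pdu: bytes) -> bytes:
    """Wrap an SMB PDU in an NBSS session message header."""
    return b"\x00" + len(pdu).to_bytes(3, "big") + pdu

def classify_payload(payload: bytes) -> dict:
    """Report where, if anywhere, an SMB message starts inside one TCP segment."""
    result = {"kind": "no-smb-magic", "protocol": None,
              "offset": None, "pdu_len": None, "complete": None}
    # Case 1: the segment starts exactly at an NBSS/SMB message boundary.
    if len(payload) >= 8 and payload[0] == 0x00 and payload[4:8] in SMB_MAGICS:
        pdu_len = int.from_bytes(payload[1:4], "big")
        result.update(kind="pdu-start", protocol=SMB_MAGICS[payload[4:8]],
                      offset=4, pdu_len=pdu_len,
                      complete=len(payload) >= 4 + pdu_len)
        return result
    # Case 2: an identifier appears later, so the segment begins with other bytes
    # (for example the tail of an earlier message) and framing starts mid-segment.
    hits = [(payload.find(m), name) for m, name in SMB_MAGICS.items() if m in payload]
    if hits:
        offset, name = min(hits)
        result.update(kind="magic-mid-segment", protocol=name, offset=offset)
    # Case 3 (default): no identifier at all, e.g. a pure continuation segment.
    return result

if __name__ == "__main__":
    smb2_header = b"\xfeSMB" + b"\x00" * 60           # constructed 64-byte SMB2 header
    samples = {
        "whole message": nbss_frame(smb2_header),
        "first part of a 200-byte message": nbss_frame(b"\xfeSMB" + b"\x00" * 196)[:68],
        "message starting mid-segment": b"\x11" * 20 + nbss_frame(smb2_header),
        "continuation only": b"\x22" * 100,
    }
    for label, data in samples.items():
        print(f"{label}: {classify_payload(data)}")
```
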

Stats

Asked: 2023-03-29 12:02:46 +0000

Seen: 740 times

Last updated: Mar 29 '23