Ask Your Question
0

smb2.olb.length == 0 returns any blob length

asked 2023-09-18 14:59:09 +0000

jwmasek gravatar image

Trying to filter out smb2 create requests that have an empty value ((smb2.cmd == 5) && (smb2.flags.response == 0) && !(smb2.olb.length == 0)) and with !(smb2.olb.length == 0) it returns nothing. If I search (smb2.olb.length == 0) instead it returns everything that (smb2.cmd == 5) && (smb2.flags.response == 0) returns. If I change the length to anything other than 0, I get only packets with a blob length of that value, so it otherwise works as expected.

Is this expected behavior? I tried anding the value against 0x1111 and checking if it equaled 0x0000, which yielded the same results as just checking if it equaled 0. Same with checking if it's greater than 0.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2023-09-18 15:17:23 +0000

Chuckc gravatar image

!(smb2.olb.length == 0 matches frames that don't include the field smb2.olb.length.

What about smb2.olb.length and not (smb2.olb.length == 0) ?

or smb2.olb.length != 0 ?

Display filters are "evolving" with every/most/some? releases.
What’s New In Wireshark 4.0? and Building Display Filter Expressions

edit flag offensive delete link more

Comments

Neither of these work; implementing either returns zero packets.

Also, the previous two components (filtering by create requests) ensure that each packet returned will have an smb2.olb.length anyways.

I discovered where the failure happens after testing with what was provided, however. SMB2 create requests have multiple Blob Offset values identified, but the display filter for SMB2 does not differentiate between them. This seems to be a limitation of the SMB2 display filter.

Luckily, it appears that smb2.filename is valid, so using a !(smb2.filename == "") works for my purposes.

jwmasek gravatar imagejwmasek ( 2023-09-18 15:56:45 +0000 )edit

Not sure what version of Wireshark you're using (can you update the question with wireshark -v).
The What’s New In Wireshark 4.0? blog post describes ways to filter when multiple occurrences of a field exist in a packet.

Chuckc gravatar imageChuckc ( 2023-09-18 17:35:01 +0000 )edit

If there are multiple occurrences of smb2.olb.length in a packet and you want to see all packets where at least one of these occurrences has a non-zero value, you can use the filter smb2.olb.length !== 0 (or smb2.olb.length != 0 in Wireshark up to version 3.4.x and smb2.olb.length ~= 0 in Wireshark version 3.6.x)

So, assuming you're using version 4.0.x, you can use the filter: smb2.cmd == 5 && smb2.flags.response == 0 && smb2.olb.length !== 0

SYN-bit gravatar imageSYN-bit ( 2023-09-24 06:09:45 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2023-09-18 14:59:09 +0000

Seen: 135 times

Last updated: Sep 18 '23

Related questions

display filtering and sll?

many to many comparision [display private networks as example]

ip.flags.sf not supported?

Is it possible to filter to ignore capture before and after a particular time stamps?

Why are ranges not possible in display filter frame.number?

Wireshark shows SMB path and File name in 8.3 file format, but only from time to time?

How can I filter on SMB2 Oplock related messages for a specific filename?

Filter only within displayed packets (without re-analyzing entire file)

I cannot enter a filter for tcp port 61883. What is so special about this number?

tshark smtp filter decode.

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2