This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How is the “guid handle file” set in SMB2 dissector with multiple netbios parts?

0

Hello,

I stumbled upon a strange packet in a SMB2 conversion. The packets contains 3 Netbios parts, each containing 1 SMB2 part. Looks to me like something Rolf Leutert described in the SMB troubleshooting session at the Sharkfest 2013. The packet is a response to 3 separate commands. When looking at "smb2.seq_num", "smb2.cmd" and "smb2.nt_status" it looks good, Wireshark shows a comma separated list of values: "smb2.seq_num" = "81048,810,49,81050" "smb2.cmd" = "Close,Create,GetInfo" "smb2.nt_status" = "Status_Success,Status_Success,Status_Success"

However, looking at "smb2.fid" there is only 1 value, "smb2.fid" = "218dbaea-0000-0000-744b-000000000000" This refers to the second SMB2 part, response to the Create Request. Although this is technically correct I wonder if something like "smb2.fid" = ",218dbaea-0000-0000-744b-000000000000," would make it easier to see to which command sequence number the File ID belongs. Or am I missing something?

asked 05 Jan '14, 08:05

dife2013's gravatar image

dife2013
1111
accept rate: 0%