Hi,
the current SMB decode code, apart from not decoding everything, which I am
working on, also has problems when it sees a NetBIOS continuation.
This is where a NetBIOS message has been split across multiple TCP segments
because the NetBIOS message was larger than MSS.
I tried a simple hack to sort these out, where if the NetBIOS message type
was not one that we understand (0x00, 0x81 to 0x85) then we print NetBIOS
Message Continuation: xxx bytes.
Unfortunately, this is not good enough, as there are too many cases where
the continuation happens to have a recognizable value (usually, 00, for a
NetBIOS message) in the right place ...
My next approach will be to implement a hash table of the NetBIOS messages
we have seen, along with things like the SIP, DIP, SP, DP, SEQ, message
length and see how far that gets me. I will still need some heuristics for
looking at segments because it is possible to capture a session from
somewhere in the middle of a NetBIOS message, even.
Regards
-------
Richard Sharpe, sharpe@xxxxxxxxxx, NS Computer Software and Services P/L,
Samba (Team member www.samba.org), Ethereal (Team member www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author, First Australian Linux Course
