Wireshark · Wireshark-dev: [Wireshark-dev] SMB and lost NBSS streams

Wireshark-dev: [Wireshark-dev] SMB and lost NBSS streams

From: Andrew Leung <anwleung@xxxxxxxxx>

Date: Thu, 08 Nov 2007 13:36:02 -0800

Hi,

I am analyzing SMB traces from CIFS and NetBIOS ports. All packets usethe session layer NBSS protocol to determine application level (SMB)packet boundaries. In some cases we drop packets (heavy I/O periodsusually) and can lose the end of a NBSS stream and the beginning of thenext.

When this happens, wireshark does not know the correct offset in theNBSS stream to look for the next SMB header. As a result, it just passesthe packet to the NBSS handler which just tags it as continuation data,even when there may be a SMB header within the packet, though notdirectly following the TCP header.

I am wondering if anyone else has encountered this (which seems highlylikely if packet loss occurs) and if anyone knows of any good solutions?I have been using a brute for byte by byte search for SMB headers toalleviate the problem, though this solution isn't particularly graceful.


Thanks!
Andrew

Prev by Date: Re: [Wireshark-dev] Alignment warnings - don't ignore them!
Next by Date: Re: [Wireshark-dev] [Wireshark-commits] rev 23395: /trunk/ /trunk/epan/: prefs.c prefs.h /trunk/gtk/: layout_prefs.c toolbar.c
Previous by thread: Re: [Wireshark-dev] Alignment warnings - don't ignore them!
Next by thread: [Wireshark-dev] PortableApps Wireshark feedback
Index(es):
- Date
- Thread