Wireshark mailing list archives

Subject: The field called Command Sequence Number in the SMB2 dissector is actually the Message ID
From: "Turney, Cal" <cal.turney () emc com>
Date: Wed, 31 Jul 2013 10:53:17 -0400

Hi Richard,

That confusion has probably caused one of the WAN Accelerator companies to break SMB2 Signing by mishandling that field. Not sure which one it is, since the customer hasn't told me whose WAN Accelerator they use. (Hint, it is possible for those numbers to be out of order in a TCP stream.)

I agree with changing the label to "SMB2 Message ID", but unless the WAN Accelerator uses Wireshark to decode SMB2 traffic, which seems very unlikely, I don't think the old label would make any difference. Even if it does use Wireshark, it would probably use the 'smb2.seq_num' filter rather than dumping the frame or capture to a text file and searching for "SMB2 Message ID". The latter operation would defeat the purpose of the device because throughput would be greatly reduced.

Cheers,

Cal
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
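
The signing point in the message above, as an added example that is not part of the original e-mail or of Wireshark's code: the 8-byte MessageId sits inside the signed SMB2 header, so a device that rewrites it invalidates the signature. It assumes SMB 2.0.2/2.1 signing (HMAC-SHA256 over the whole message with the Signature field zeroed, truncated to 16 bytes); the key, session ID, body and the renumbering middlebox are constructed for illustration.

```python
import hashlib
import hmac
import struct

SMB2_FLAGS_SIGNED = 0x00000008
MSG_ID_OFF, SIG_OFF, HDR_LEN = 24, 48, 64  # offsets in the 64-byte SMB2 header


def build_signed(key: bytes, message_id: int, command: int, body: bytes) -> bytes:
    """Build a minimal SMB2 message and sign it (constructed field values)."""
    hdr = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB", 64, 1, 0, command, 1, SMB2_FLAGS_SIGNED, 0,
        message_id, 0, 1, 0x1122334455667788, bytes(16),
    )
    msg = bytearray(hdr + body)
    msg[SIG_OFF:HDR_LEN] = hmac.new(key, bytes(msg), hashlib.sha256).digest()[:16]
    return bytes(msg)


def message_id(msg: bytes) -> int:
    """Read the little-endian 64-bit MessageId from the header."""
    return struct.unpack_from("<Q", msg, MSG_ID_OFF)[0]


def verify(key: bytes, msg: bytes) -> bool:
    """Recompute the signature with the Signature field zeroed and compare."""
    zeroed = msg[:SIG_OFF] + bytes(16) + msg[HDR_LEN:]
    expected = hmac.new(key, zeroed, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(expected, msg[SIG_OFF:HDR_LEN])


def renumber(msg: bytes, new_id: int) -> bytes:
    """Hypothetical middlebox: rewrites MessageId as if it were a sequence number."""
    return msg[:MSG_ID_OFF] + struct.pack("<Q", new_id) + msg[MSG_ID_OFF + 8:]


def demo():
    key = bytes(range(16))  # constructed session key
    # Constructed stream: MessageIds 5, 7, 6 arrive out of order on the wire.
    stream = [build_signed(key, mid, 0x0008, b"constructed-body") for mid in (5, 7, 6)]
    ids = [message_id(m) for m in stream]
    untouched = [verify(key, m) for m in stream]
    # The middlebox forces the IDs into arrival order: 5, 6, 7.
    rewritten = [renumber(m, 5 + i) for i, m in enumerate(stream)]
    return ids, untouched, [verify(key, m) for m in rewritten]


if __name__ == "__main__":
    print(demo())
```

Only the messages whose MessageId actually changed fail verification, which is why such a fault can appear intermittent in a capture.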
