Wireshark mailing list archives
Re: Wireshark unable to decode SMB2 IOCTL buffer
From: Bill Meier <wmeier () newsguy com>
Date: Fri, 22 Feb 2013 01:01:56 -0500
On 2/22/2013 12:25 AM, Rupam Paul wrote:
Hi, I have been using wireshark for a long time. Recently I found that wireshark is not able to show the buffer field of SMB2 IOCTL packet. I am using wireshark Version 1.8.5 (SVN Rev 47350 from /trunk-1.8). Please let me know how I would be able to see those fields which are reflecting as unknown. Thanks, Rupam
The short answer: Find a specification/description for those fields. :)
For the first 'unknown' field the dissector source says:
/* some unknown bytes */
proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
offset += 4;
For the 'unknown' under the "Out Data", the smb2 dissector has the
following comment:
/* dissector not yet implemented */
{0x001440F2, "FSCTL_SRV_COPYCHUNK"},
{0x00140078, "FSCTL_SRV_REQUEST_RESUME_KEY"},
{0x001441bb, "FSCTL_SRV_READ_HASH"},
...
which may mean "info available but not implemented in the dissector" or
"info not available so don't know how to dissect".
So: Unless & until someone provides info about the fields and/or a patch to dissect the fields, those fields will remain as "unknown".
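An added example, not part of the original post and not Wireshark's dissector code: the three FSCTL codes quoted in the reply, split into the standard Windows control-code bit fields, with a lookup table whose empty parser slot models a code that has a name but no buffer dissector. The type and function names (ctl_fields, fsctl_entry, ctl_decode, fsctl_lookup) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit layout of a Windows I/O control code (the CTL_CODE macro). */
typedef struct {
    uint16_t device;    /* bits 16-31: device type */
    uint8_t  access;    /* bits 14-15: required access */
    uint16_t function;  /* bits 2-13:  function number */
    uint8_t  method;    /* bits 0-1:   buffer transfer method */
} ctl_fields;

typedef int (*buf_parser)(const uint8_t *buf, size_t len);

typedef struct {
    uint32_t    code;
    const char *name;
    buf_parser  parse;  /* NULL: name known, buffer stays opaque */
} fsctl_entry;

/* The three codes quoted in the post; none has a parser in this sketch. */
static const fsctl_entry fsctl_table[] = {
    {0x001440F2, "FSCTL_SRV_COPYCHUNK",          NULL},
    {0x00140078, "FSCTL_SRV_REQUEST_RESUME_KEY", NULL},
    {0x001441bb, "FSCTL_SRV_READ_HASH",          NULL},
};

ctl_fields ctl_decode(uint32_t code)
{
    ctl_fields f;
    f.device   = (uint16_t)(code >> 16);
    f.access   = (uint8_t)((code >> 14) & 0x3);
    f.function = (uint16_t)((code >> 2) & 0xFFF);
    f.method   = (uint8_t)(code & 0x3);
    return f;
}

/* Returns the table entry for a code, or NULL if the code is not listed. */
const fsctl_entry *fsctl_lookup(uint32_t code)
{
    for (size_t i = 0; i < sizeof fsctl_table / sizeof fsctl_table[0]; i++)
        if (fsctl_table[i].code == code)
            return &fsctl_table[i];
    return NULL;
}

int main(void)
{
    for (size_t i = 0; i < sizeof fsctl_table / sizeof fsctl_table[0]; i++) {
        const fsctl_entry *e = &fsctl_table[i];
        ctl_fields f = ctl_decode(e->code);
        printf("0x%08x %-29s dev=0x%04x access=%u func=%u method=%u %s\n",
               (unsigned)e->code, e->name, (unsigned)f.device, (unsigned)f.access,
               (unsigned)f.function, (unsigned)f.method,
               e->parse ? "buffer parsed" : "buffer shown as unknown");
    }
    return 0;
}
```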
