This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Save the SMB object list?

If I invoke "File->Export->Objects->SMB", it brings up a pop-up window with a list of SMB objects. Is there a way to save this list? There are "Save..." buttons on the pop-up window, but these save the SMB objects themselves, not the list. I'd like to generate a report for SMB objects similar to the Statistics->HTTP->Requests... menu item.

save export smb

asked 21 Jun '12, 11:49

jhand
1●1●1●2
accept rate: 0%

One Answer:

There is no way to export the list from that GUI element.

HOWEVER, you can try this:

tshark.exe -r smb.cap -R "smb.cmd eq 0xa2 and smb.nt_status eq 0x0 and smb.alloc_size >0" -T fields -e ip.src -e smb.file -e smb.alloc_size

This will output something like this:

192.168.1.100 \\data\\file.dat 2609152
192.168.1.100 \\data\\file.dat 2609152
192.168.1.100 \\data\\test.txt 112
192.168.1.100 \\data\\test.txt 112
192.168.1.100 \\data\\test.txt 112
192.168.1.100 \\data\\test.txt 112

Unfortunately, there are multiple similar lines of output, but you can easily filter that with sort -u (on unix) or similar tools on windows.

If that output is not exactly what you are looking for, the tshark command should at least get you started ;-)

Regards
Kurt

answered 21 Jun '12, 14:21

Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%

edited 21 Jun '12, 22:32

Hi, I want to save the resulting files with this command, how to register? when i export with wireshark,my file cant be save. wireshark say : "PIPE not implemented 0/0w 0% " " 0bytes " but tshark return the size.

how can I save files with a tshark?

Thank for your return

(10 Sep '12, 01:17) sacabiaire

That tsahrk command was only meant to get a list of the file names, not the files! If you need the files, go to:

File -> Export Objects -> SMB

(10 Sep '12, 04:20) Kurt Knochner ♦