Hello,

I stumbled upon a strange packet in a SMB2 conversion. The packet contains 3 NetBIOS parts, each containing 1 SMB2 part. Looks to me like something Rolf Leutert described in the SMB troubleshooting session at the Sharkfest 2013. The packet is a response to 3 separate commands.

When looking at "smb2.seq_num", "smb2.cmd" and "smb2.nt_status" it looks good; Wireshark shows a comma-separated list of values:

"smb2.seq_num" = "81048,810,49,81050"
"smb2.cmd" = "Close,Create,GetInfo"
"smb2.nt_status" = "Status_Success,Status_Success,Status_Success"

However, looking at "smb2.fid" there is only 1 value:

"smb2.fid" = "218dbaea-0000-0000-744b-000000000000"

This refers to the second SMB2 part, the response to the Create Request. Although this is technically correct, I wonder if something like

"smb2.fid" = ",218dbaea-0000-0000-744b-000000000000,"

would make it easier to see to which command sequence number the File ID belongs. Or am I missing something?

asked 05 Jan '14, 08:05 dife2013