This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

smb2.filename wildcard filter

0

I have a complex folder structure that gets copied via SMB2 by a custom application that has a very limited logging functionality. The transfer seems to be breaking somewhere in the middle and I suspect one of the file or folder names to be the problem.

Is there a way to specify a wildcard in the filter that would show only packets that have a value in the filename field?

As a workaround I added Filename as a column and set up a filter for smb.create_options == 0x00200021, which does the trick; I am just wondering what I am doing wrong when I use the following filter?

smb2.filename matches "C_\\SHARENAME\\SAMPLEFOLDER\\SUBFOLDER\\$"

asked 09 Sep '14, 13:14

net_tech

edited 09 Sep '14, 13:16


One Answer:

1

I think "matches" is the regex version, maybe using "contains" helps?

answered 09 Sep '14, 13:19

Jasper ♦♦

Both matches and contains seem to work, but once I get to the 1st slash and reapply the filter, no packets are displayed.

smb2.filename matches "C_"

(09 Sep '14, 13:40) net_tech

I guess it has to do with regex using some characters as special commands. You'd have to check regex syntax to see what the slashes mean.

(09 Sep '14, 13:43) Jasper ♦♦
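The two escaping layers behind the behaviour discussed in this thread, as an added example that is not part of the original posts: the double-quoted filter string is unescaped first, and the result is then read as a regular expression. Assumptions: the string layer is modelled in simplified form (backslash plus any character yields that character, octal and hex escapes ignored), Python's re stands in for Wireshark's regex engine, and FIELD is a constructed smb2.filename value.

```python
import re

# Constructed field value: C_\SHARENAME\SAMPLEFOLDER\SUBFOLDER\
FIELD = "C_\\SHARENAME\\SAMPLEFOLDER\\SUBFOLDER\\"
# The text typed between the quotes in the question's filter
ASKED = r"C_\\SHARENAME\\SAMPLEFOLDER\\SUBFOLDER\\$"


def dfilter_unescape(literal: str) -> str:
    """Layer 1 (simplified model): the quoted string drops one level of backslashes."""
    out, i = [], 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal):
            out.append(literal[i + 1])  # "\\" -> "\", "\"" -> '"'
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return "".join(out)


def filter_matches(literal: str, field_value: str) -> bool:
    """Layer 2: whatever survives layer 1 is searched for as a regex."""
    return re.search(dfilter_unescape(literal), field_value) is not None


def literal_for(path_fragment: str) -> str:
    """Quoted-string text that matches path_fragment literally."""
    pattern = re.escape(path_fragment)  # regex layer: \ becomes \\
    # string layer: double every backslash again, then protect quotes
    return pattern.replace("\\", "\\\\").replace('"', '\\"')


if __name__ == "__main__":
    # After layer 1 the regex is C_\SHARENAME\...\$ : \S is the
    # "non-whitespace" class and \$ is a literal dollar sign.
    print("regex seen by the engine:", dfilter_unescape(ASKED))
    print("filter from the question matches:", filter_matches(ASKED, FIELD))
    print('"C_" matches:', filter_matches("C_", FIELD))
    fixed = literal_for(FIELD)
    print('corrected filter: smb2.filename matches "%s"' % fixed)
    print("corrected filter matches:", filter_matches(fixed, FIELD))
```

Each literal backslash in the path ends up as four backslashes inside the quotes, and an unescaped trailing `$` anchors the end of the name instead of matching a dollar sign.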