This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to filter out a specific SMB operation?

0

Hi,

As titled, do we have a field for that? I found there is a specific code number for each operation, but was not able to find that code in the Microsoft SMB protocol doc. For example:

- Session Setup Request (0x01)
- SMB2 WRITE Request (0X09)
- SMB2 WRITE Request (0X08)
- etc.

Is there a field like smb.<field> == <codenumber> we can use for filtering? thanks!

asked 05 Mar '17, 21:39

SteveZhou


2 Answers:

2

Try "smb.cmd == codenumber" or "smb2.cmd == codenumber"

Also, you can refer to the "Display filter expression" dialog and search for "smb" in there to find the available expressions.

answered 05 Mar '17, 22:13

Packet_vlad

edited 05 Mar '17, 22:15

Ah, yes, how could I not have checked the SMB Header part. Thanks!

(08 Mar '17, 18:03) SteveZhou

2

To determine the name of any filter field, locate the field of interest in the packet details pane, click the field and the status bar will indicate the filter field name in parentheses.

answered 06 Mar '17, 09:06

grahamb ♦

thank you!

(08 Mar '17, 18:03) SteveZhou
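
The `smb.cmd` and `smb2.cmd` fields suggested in the answers above match the command code carried in the SMB header. The following is an added example, not part of the original thread: it reads that code from a raw header and builds the matching display filter. The helper names and the sample headers are constructed for illustration; the `smb.flags.response` and `smb2.flags.response` terms are Wireshark fields not mentioned in the thread.

```python
import struct

# SMB2 command codes from the MS-SMB2 packet header definition.
SMB2_COMMANDS = {
    0x00: "NEGOTIATE", 0x01: "SESSION_SETUP", 0x02: "LOGOFF",
    0x03: "TREE_CONNECT", 0x04: "TREE_DISCONNECT", 0x05: "CREATE",
    0x06: "CLOSE", 0x07: "FLUSH", 0x08: "READ", 0x09: "WRITE",
    0x0A: "LOCK", 0x0B: "IOCTL", 0x0C: "CANCEL", 0x0D: "ECHO",
    0x0E: "QUERY_DIRECTORY", 0x0F: "CHANGE_NOTIFY", 0x10: "QUERY_INFO",
    0x11: "SET_INFO", 0x12: "OPLOCK_BREAK",
}

def smb2_header(cmd, response=False):
    """Build a constructed 64-byte SMB2 header (sample data, not a capture)."""
    return struct.pack("<4sHHIHHIIQQQ16s", b"\xfeSMB", 64, 0, 0, cmd, 0,
                       1 if response else 0, 0, 0, 0, 0, b"")

def describe(header):
    """Return (display_filter, description) for a raw SMB1 or SMB2 header."""
    magic = header[:4]
    if magic == b"\xfeSMB":                       # SMB2/SMB3
        if len(header) < 64:
            raise ValueError("truncated SMB2 header")
        (cmd,) = struct.unpack_from("<H", header, 12)    # Command field
        (flags,) = struct.unpack_from("<I", header, 16)  # Flags field
        is_resp = flags & 0x1          # SMB2_FLAGS_SERVER_TO_REDIR
        name = SMB2_COMMANDS.get(cmd, "UNKNOWN")
        kind = "Response" if is_resp else "Request"
        flt = f"smb2.cmd == 0x{cmd:02x} && smb2.flags.response == {is_resp}"
        return flt, f"SMB2 {name} {kind} (0x{cmd:02x})"
    if magic == b"\xffSMB":                       # SMB1
        if len(header) < 32:
            raise ValueError("truncated SMB1 header")
        cmd = header[4]                # one-byte Command field
        is_resp = header[9] >> 7       # Flags bit 0x80 marks a reply
        kind = "Response" if is_resp else "Request"
        flt = f"smb.cmd == 0x{cmd:02x} && smb.flags.response == {is_resp}"
        return flt, f"SMB1 command 0x{cmd:02x} {kind}"
    raise ValueError("not an SMB header")

if __name__ == "__main__":
    for hdr in (smb2_header(0x01), smb2_header(0x09), smb2_header(0x08, True)):
        flt, desc = describe(hdr)
        print(f"{desc:40s} {flt}")
```

The resulting string can be pasted into the Wireshark display filter bar or passed to `tshark -Y`.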