Hi, when you parse SMB protocol requests, you parse the SMB_COM_TRANSACTION2 (0x32) command and the SMB_COM_TRANSACTION2_SECONDARY (0x33) command as commands that have the same request parameters structure. But this is a mistake. The SMB_COM_TRANSACTION2_SECONDARY command has its own parameters structure:

    SMB_Parameters
    {
      UCHAR WordCount;
      Words
      {
        USHORT TotalParameterCount;
        USHORT TotalDataCount;
        USHORT ParameterCount;
        USHORT ParameterOffset;
        USHORT ParameterDisplacement;
        USHORT DataCount;
        USHORT DataOffset;
        USHORT DataDisplacement;
        USHORT FID;
      }
    }
    SMB_Data
    {
      USHORT ByteCount;
      Bytes
      {
        UCHAR Pad1[];
        UCHAR Trans2_Parameters[ParameterCount];
        UCHAR Pad2[];
        UCHAR Trans2_Data[DataCount];
      }
    }

Detailed here:
https://msdn.microsoft.com/en-us/library/ee442192.aspx
https://msdn.microsoft.com/en-us/library/ee442105.aspx

asked 06 May '17, 04:19 alexweb
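A bounds-checked parse of the structure quoted in the question, as an added example that is not part of the original post and is not Wireshark's dissector code. The function name, error codes and sample bytes are constructed here, and the displacement-versus-total check is an assumed sanity rule rather than something the post states.

```c
#include <stddef.h>
#include <stdint.h>

/* The nine parameter words of SMB_COM_TRANSACTION2_SECONDARY (0x33), in wire order. */
typedef struct {
    uint16_t total_parameter_count, total_data_count;
    uint16_t parameter_count, parameter_offset, parameter_displacement;
    uint16_t data_count, data_offset, data_displacement;
    uint16_t fid;
    uint16_t byte_count;   /* ByteCount from SMB_Data, kept for the length check */
} trans2_secondary;

enum { T2S_OK = 0, T2S_TRUNCATED = -1, T2S_BAD_WORDCOUNT = -2, T2S_BAD_RANGE = -3 };
#define T2S_WORDS 9        /* hypothetical name: number of USHORTs in Words */

/* SMB fields are little-endian on the wire. */
static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* buf points at the WordCount byte; len is the number of bytes available from there. */
int parse_trans2_secondary(const uint8_t *buf, size_t len, trans2_secondary *out)
{
    uint16_t v[T2S_WORDS + 1];                      /* nine words plus ByteCount */
    if (len < 1) return T2S_TRUNCATED;
    if (buf[0] != T2S_WORDS) return T2S_BAD_WORDCOUNT;
    if (len < (size_t)(1 + 2 * (T2S_WORDS + 1))) return T2S_TRUNCATED;
    for (int i = 0; i <= T2S_WORDS; i++) v[i] = rd_le16(buf + 1 + 2 * i);
    out->total_parameter_count = v[0]; out->total_data_count = v[1];
    out->parameter_count = v[2];       out->parameter_offset = v[3];
    out->parameter_displacement = v[4]; out->data_count = v[5];
    out->data_offset = v[6];           out->data_displacement = v[7];
    out->fid = v[8];                   out->byte_count = v[9];
    /* Trans2_Parameters and Trans2_Data both sit inside Bytes[ByteCount]. */
    if ((uint32_t)v[2] + v[5] > v[9]) return T2S_BAD_RANGE;
    /* Assumed sanity check (not in the post): a fragment must fit the declared totals. */
    if ((uint32_t)v[4] + v[2] > v[0] || (uint32_t)v[7] + v[5] > v[1])
        return T2S_BAD_RANGE;
    return T2S_OK;
}

/* Constructed sample, not taken from a capture: WordCount, nine words, ByteCount. */
const uint8_t t2s_sample[] = {
    0x09,
    0x0c, 0x00,  0x10, 0x00,                 /* TotalParameterCount=12, TotalDataCount=16 */
    0x04, 0x00,  0x38, 0x00,  0x08, 0x00,    /* ParameterCount=4, Offset, Displacement=8  */
    0x08, 0x00,  0x3c, 0x00,  0x08, 0x00,    /* DataCount=8, Offset, Displacement=8       */
    0x01, 0x40,  0x0d, 0x00                  /* FID=0x4001, ByteCount=13                  */
};
```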
One Answer:
Wrong place to report this; please open a bug report at https://bugs.wireshark.org and attach a PCAP file if you can. Thanks!

answered 06 May '17, 04:22 Jasper ♦♦