Hi,
just to clarify where I am going on the SMB decode stuff, I have a Perl
script that can take a description file and turn it into code, and it seems
to work OK so far.
One of the big problems I have at the moment, however, is handling SMBs
that are longer than a single segment ...
What you get is:
Segment 1: TCP Header, NEtBIOS Header, SMB Header
Segment 2: TCP Header, continuation ...
Segment 3: TCP Header, continuation ...
....
Segment n: TCP Header, Last part ...
Segment n+1: TCP Header, NeBIOS header etc
I have traces that show this stuff, and Ethereal screw up!
Here is where I think I need the proper stuff that I started adding in the
tftp decode, where I can keep a table of associations (4 tuples, SIP, DIP,
SP, DP) along with other info ...
To properly handle things, however, the TCP decode routines will have to
provide an indication of where in sequence space the segment resides ... So
we can decide whether or not the segment we are dealing with is a NetBIOS
segment or not and contains an SMB or not ...
Hmmm, seems like some problems here!
Regards
-------
Richard Sharpe, sharpe@xxxxxxxxxx, NIC-Handle:RJS96
NS Computer Software and Services P/L,
Samba (Team member www.samba.org), Ethereal (Team member www.zing.org) ...
Co-author, SAMS Teach Yourself Samba in 24 Hours
