Wireshark-dev: [Wireshark-dev] The field called Command Sequence Number in the SMB2 dissector i
From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Wed, 31 Jul 2013 06:00:13 -0700
Hi folks,

This patch needs to be applied:

Index: epan/dissectors/packet-smb2.c
===================================================================
--- epan/dissectors/packet-smb2.c	(revision 51065)
+++ epan/dissectors/packet-smb2.c	(working copy)
@@ -7100,8 +7100,8 @@ proto_register_smb2(void)
 		{ "NT Status", "smb2.nt_status", FT_UINT32, BASE_HEX,
 		VALS(NT_errors), 0, "NT Status code", HFILL }},
 	{ &hf_smb2_seqnum,
-		{ "Command Sequence Number", "smb2.seq_num", FT_INT64, BASE_DEC,
-		NULL, 0, "SMB2 Command Sequence Number", HFILL }},
+		{ "Message ID", "smb2.msg_id", FT_INT64, BASE_DEC,
+		NULL, 0, "SMB2 Messsage ID", HFILL }},
 	{ &hf_smb2_tid,
 		{ "Tree Id", "smb2.tid", FT_UINT32, BASE_HEX,
 		NULL, 0, "SMB2 Tree Id", HFILL }},

See section 2.2.1.1. The field is called the Message ID, not the
Command Sequence Number.

That confusion has probably caused one of the WAN Accelerator
companies to break SMB2 Signing by mishandling that field. Not sure
which one it is, since the customer hasn't told me whose WAN
Accelerator they use. (Hint, it is possible for those numbers to be
out of order in a TCP stream.)

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)