Wireshark-users: [Wireshark-users] SMB TCP Stream not saved correctly as C Array
From: Shlomi Yaakobovich <shlomiya@xxxxxxxxx>
Date: Thu, 19 Aug 2010 10:29:58 -0700 (PDT)
Hi all,

My first post to this list :-)

I have a packet capture of SMB data, and I view it in Wireshark. I used the Follow TCP Stream option on the connection, and got a bunch of data in the newly opened window. However, it seems that the data displayed there is incomplete. In some cases the NetBIOS header is missing, in some other cases larger parts of the packet are missing.

For example:
char peer0_1[] = {
0xff, 0x53, 0x4d, 0x42, 0x72, 0x00, 0x00, 0x00, 
...
But it should actually be:
char peer0_1[] = {
0x00, 0x00, 0x00, 0xdb, 0xff, 0x53, 0x4d, 0x42,
...
The first 4 bytes (NetBIOS header) are missing.

One thing that may be relevant here is that this capture was taken where many TCP retransmissions occurred - you can also see that in Wireshark itself. I am not sure that the problem happens only in retransmitted packets, but so far all the packets I spotted as missing data were retransmitted packets.

I have a Windows 7 64-bit OS, I used Wireshark 1.2.8 for my tests (upgraded to 1.2.0 - no help, 1.4.0 RC2 still no luck). I also saw the problem on other Windows XP machines.

I am attaching the pcap to this message (I hope it's allowed, if not please let me know how to give the pcap).

Thanks!
Shlomi
 
Attachment: SMB_Bad_TCP_Stream.pcap
Description: Binary data
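A way to verify the symptom described in the post mechanically, as an added example that is not part of the original message or of Wireshark: it parses the text of a "Follow TCP Stream -> Save As -> C Arrays" file (the `peerN_M` array naming is assumed from that export format) and walks each direction as NetBIOS Session Service messages, reporting the first place where an SMB header appears without the 4-byte NBSS header in front of it, or where a declared length overruns the saved bytes. The length is read as 3 big-endian bytes, as for SMB on TCP/445; the sample arrays at the bottom are constructed, not taken from the attached pcap.

```python
import re
from typing import Dict, List, Tuple

SMB_MAGIC = b"\xffSMB"          # every SMB1 PDU starts with 0xFF 'S' 'M' 'B'
NBSS_SESSION_MESSAGE = 0x00     # NetBIOS Session Service "session message" type

# One "char peerN_M[] = { ... };" block per chunk in Wireshark's C-array export.
_ARRAY_RE = re.compile(r"char\s+(peer\d+_\d+)\[\]\s*=\s*\{(.*?)\};", re.S)

def parse_c_arrays(text: str) -> Dict[str, bytes]:
    """Rebuild one byte stream per direction (peer0, peer1), concatenating
    that direction's chunks in file order; /* Packet N */ comments are ignored."""
    streams: Dict[str, bytes] = {}
    for name, body in _ARRAY_RE.findall(text):
        peer = name.split("_")[0]
        chunk = bytes(int(h, 16) for h in re.findall(r"0x[0-9a-fA-F]{2}", body))
        streams[peer] = streams.get(peer, b"") + chunk
    return streams

def check_nbss_framing(stream: bytes) -> Tuple[List[Tuple[int, int]], str]:
    """Walk the stream as NBSS messages: 4-byte header (type 0x00 + 3-byte
    big-endian length, as used for SMB on TCP/445) followed by an SMB PDU.
    Returns ((offset, length) per good message, "ok" or the first problem)."""
    msgs: List[Tuple[int, int]] = []
    off = 0
    while off < len(stream):
        if stream[off:off + 4] == SMB_MAGIC:   # the symptom from the post
            return msgs, f"SMB header at offset {off} with no NBSS header before it"
        if off + 4 > len(stream):
            return msgs, f"truncated NBSS header at offset {off}"
        if stream[off] != NBSS_SESSION_MESSAGE:
            return msgs, f"unexpected NBSS type 0x{stream[off]:02x} at offset {off}"
        length = int.from_bytes(stream[off + 1:off + 4], "big")
        body = stream[off + 4:off + 4 + length]
        if len(body) < length:
            return msgs, f"message at offset {off} declares {length} bytes, {len(body)} present"
        if body[:4] != SMB_MAGIC:
            return msgs, f"payload at offset {off + 4} does not start with SMB magic"
        msgs.append((off, length))
        off += 4 + length
    return msgs, "ok"

# Constructed sample: a minimal 32-byte SMB header, once framed correctly and
# once with its 4-byte NBSS header missing, as in the post.
_SMB = SMB_MAGIC + bytes(28)
_hex = lambda data: ", ".join(f"0x{b:02x}" for b in data)
SAMPLE_C_ARRAYS = (
    "char peer0_0[] = { /* Packet 1 */\n" + _hex(b"\x00\x00\x00\x20" + _SMB) + " };\n"
    "char peer1_0[] = { /* Packet 2 */\n" + _hex(_SMB) + " };\n"
)
```

Running `check_nbss_framing` over each direction returned by `parse_c_arrays` on a real export gives the byte offset of the first chunk that lost its header, which can then be matched against the retransmitted segments in the capture.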