Wireshark mailing list archives

SMB TCP Stream not saved correctly as C Array


From: Shlomi Yaakobovich <shlomiya () yahoo com>
Date: Thu, 19 Aug 2010 10:29:58 -0700 (PDT)

Hi all,

My first post to this list :-)

I have a packet capture of SMB data, and I view it in Wireshark. I used the Follow TCP Stream option on the connection, 
and got a bunch of data in the newly opened window. However, it seems that the data displayed there is incomplete. In 
some cases the NetBIOS header is missing, in some other cases larger parts of the packet are missing.

For example:
char peer0_1[] = {
0xff, 0x53, 0x4d, 0x42, 0x72, 0x00, 0x00, 0x00, 
...
But it should actually be:
char peer0_1[] = {
0x00, 0x00, 0x00, 0xdb, 0xff, 0x53, 0x4d, 0x42,
...
The first 4 bytes (NetBIOS header) are missing.



One thing that may be relevant here is that this capture was taken where many TCP retransmissions occurred - you can 
also see that in Wireshark itself. I am not sure that the problem happens only in retransmitted packets, but so far all 
the packets I spotted as missing data were retransmitted packets.

I have a Windows 7 64-bit OS, I used Wireshark 1.2.8 for my tests (upgraded to 1.2.0 - no help, 1.4.0 RC2 still no 
luck). I also saw the problem on other Windows XP machines.

I am attaching the pcap to this message (I hope it's allowed, if not please let me know how to give the pcap).

Thanks!
Shlomi

Attachment: SMB_Bad_TCP_Stream.pcap
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
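An added check (example code, not from the original post or from Wireshark) that scans a byte stream exported from Follow TCP Stream for the 4-byte NetBIOS Session Service header in front of each SMB message and flags messages where that header is missing, which is the symptom described above. The sample bytes are constructed (echoing the 0xff 'SMB' and 0x72 bytes shown in the post), the 3-byte length reading follows the example header 00 00 00 db above, and the resynchronisation on a headerless message is a heuristic.

```python
import re

SMB_MAGIC = b"\xffSMB"
# Heuristic resync pattern: NBSS session-message header (type 0x00, 3-byte
# length) immediately followed by the SMB magic.
NBSS_SMB = re.compile(rb"\x00.{3}\xffSMB", re.DOTALL)


def parse_nbss_messages(stream: bytes):
    """Split a TCP payload into (nbss_type, body) tuples.

    Returns (messages, problems); problems lists framing errors such as an
    SMB message that appears without its 4-byte NBSS header. A headerless
    message is recorded with nbss_type None.
    """
    messages, problems = [], []
    off = 0
    while off < len(stream):
        if stream[off:off + 4] == SMB_MAGIC:
            # The SMB magic should never sit at a message boundary: the NBSS
            # header was dropped. Without a length field, guess the boundary
            # as the start of the next properly framed SMB message.
            problems.append(f"offset {off}: SMB message without NBSS header")
            m = NBSS_SMB.search(stream, off + 4)
            end = m.start() if m else len(stream)
            messages.append((None, stream[off:end]))
            off = end
            continue
        if len(stream) - off < 4:
            problems.append(f"offset {off}: truncated NBSS header")
            break
        nb_type = stream[off]
        length = int.from_bytes(stream[off + 1:off + 4], "big")
        body = stream[off + 4:off + 4 + length]
        if len(body) < length:
            problems.append(f"offset {off}: NBSS length {length} exceeds "
                            f"remaining {len(body)} bytes")
        if nb_type == 0x00 and not body.startswith(SMB_MAGIC):
            problems.append(f"offset {off}: session message lacks SMB magic")
        messages.append((nb_type, body))
        off += 4 + length
    return messages, problems


# Constructed sample: one 8-byte SMB message (0x72 = SMB_COM_NEGOTIATE).
SMB_BODY = SMB_MAGIC + b"r\x00\x00\x00"
GOOD_STREAM = b"\x00\x00\x00\x08" + SMB_BODY          # correctly framed
BAD_STREAM = SMB_BODY + GOOD_STREAM                   # first header dropped

if __name__ == "__main__":
    for name, data in (("good", GOOD_STREAM), ("bad", BAD_STREAM)):
        msgs, probs = parse_nbss_messages(data)
        print(name, len(msgs), "messages", probs)
```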
