Re: Wireshark and tshark show different data for the smb.file field for certain files

[Evan Huus <eapache () gmail com>]

If wireshark is 1.8 and tshark is 1.10 then all bets are off. I don't
have anything exhibiting this, but my bet is that Wireshark 1.10 has
the same problematic behaviour.

Evan

On Wed, Jun 12, 2013 at 4:04 PM, Richard Sharpe
<realrichardsharpe () gmail com> wrote:
> Hi folks,
>
> I have a capture file with some weird file names in SMB requests.
> Wireshark shows them as this:
>
> \\somewhere\\eng\\Project\\HZX - City of
> SomePlace\\xxxxyyyyzzz\\Planning-study\\Reports\\UNC\\somecmpy.com\\csfile\\eng\\Project\\HZX
> - City of SomePlace\\xxxxyyyyzzz
>
> This appears to be correct because I see that same data in the data pane.
>
> However, tshark shows this:
>
> \\somewhere\\eng\\Project\\HZX - City of
> SomePlace\\xxxxyyyyzzz\\Planning-study\\Reports\\UNC
>
> Now, there are longer file paths that tshark shows, so it is not
> truncating. it seems to object to the component after the UNC string
> and stops there.
>
> Has anyone seen this?
>
> Wireshark version 1.8.6. tshark version 1.10.0 (Copyright 1998-2013)
>
> --
> Regards,
> Richard Sharpe
> (何以解憂？唯有杜康。--曹操)
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe