Re: How can Wireshark improve

[Jeff Morriss <jeff.morriss.ws () gmail com>]

On 04/19/14 15:48, Guy Harris wrote:
> On Apr 19, 2014, at 12:24 PM, Richard Sharpe <realrichardsharpe () gmail com> wrote:
>
> > One think I would like to be able to do is "Show me all the SMB2
> > requests where the smb2.flags.is_response == true && smb2.nt_status !=
> > NT_STATUS_SUCCESS"
>
> Presumably you mean "show me all the SMB2 transactions (requests and matching responses) where the response returned an 
> error".

Which, technically, you should be able to do today.  The problem is 
you'd have to use MATE to do it and that's really a pain.

Quick thoughts on how to do it with MATE:

- Create a PDU for SMB messages

- Create a Gop named "smb_transaction" which contains request and the 
corresponding answer PDUs (I suppose there's some parameter in SMB that 
allows you to correlate the two); store the nt_status in here (with the 
"Extra" key word)

- Use a display filter like "smb2.flags.is_response == false && 
mate.smb_transaction.nt_status != NT_STATUS_SUCCESS"

I really, really, *really* should take some time to clean up the wiki 
documentation of MATE and provide a lot more examples...  Somehow I 
never find the motivation to tackle that beast...

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe