Wireshark-dev: [Wireshark-dev] SMB and lost NBSS streams

From: Andrew Leung <anwleung@xxxxxxxxx>
Date: Thu, 08 Nov 2007 13:36:02 -0800
Hi,

I am analyzing SMB traces from CIFS and NetBIOS ports. All packets use the session layer NBSS protocol to determine application level (SMB) packet boundaries. In some cases we drop packets (heavy I/O periods usually) and can lose the end of an NBSS stream and the beginning of the next.

When this happens, Wireshark does not know the correct offset in the NBSS stream to look for the next SMB header. As a result, it just passes the packet to the NBSS handler, which just tags it as continuation data, even when there may be an SMB header within the packet, though not directly following the TCP header.

I am wondering if anyone else has encountered this (which seems highly likely if packet loss occurs) and if anyone knows of any good solutions? I have been using a brute-force byte-by-byte search for SMB headers to alleviate the problem, though this solution isn't particularly graceful.

Thanks!
Andrew
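The resynchronisation the post describes, as an added example that is not part of the mailing-list thread and not Wireshark's own code: a small NBSS walker that follows the 4-byte session-message header while the stream is aligned and, when it lands on bytes that do not start with an NBSS header plus an SMB1 signature (the "continuation data" case), scans forward for the SMB1 magic and steps back over the NBSS header that should precede it. It assumes NBSS session messages as carried on TCP ports 139/445 (1-byte type 0x00, 3-byte big-endian length) and SMB1 PDUs that begin with 0xFF 'S' 'M' 'B'; SMB2/3 is not handled. The sample segments are constructed, and `nbss_frame`, `walk_nbss_stream` and `build_sample_stream` are names chosen for this example.

```python
# Added example, not from the thread or from Wireshark. Assumes NBSS session
# messages (type 0x00 + 24-bit length) carrying SMB1 PDUs (0xFF 'S' 'M' 'B').

SMB1_MAGIC = b"\xffSMB"      # SMB1 header signature
NBSS_SESSION_MESSAGE = 0x00  # NBSS message type: session message
NBSS_HDR_LEN = 4             # 1-byte type + 3-byte big-endian length


def nbss_frame(smb: bytes) -> bytes:
    """Wrap one SMB PDU in an NBSS session-message header (used to build sample data)."""
    if len(smb) >= 1 << 24:
        raise ValueError("NBSS length field is only 24 bits")
    return bytes([NBSS_SESSION_MESSAGE]) + len(smb).to_bytes(3, "big") + smb


def _looks_like_message(payload: bytes, off: int) -> bool:
    """True if an NBSS session message carrying an SMB1 header starts at `off`."""
    end = off + NBSS_HDR_LEN + len(SMB1_MAGIC)
    return (end <= len(payload)
            and payload[off] == NBSS_SESSION_MESSAGE
            and payload[off + NBSS_HDR_LEN:end] == SMB1_MAGIC)


def walk_nbss_stream(payload: bytes) -> list:
    """Split one TCP segment payload into records.

    kind: "message"    intact NBSS header + SMB1 PDU, declared length fully present
          "truncated"  NBSS header present, PDU continues in a later segment
          "headerless" SMB1 signature found with no NBSS header in front (length unknown)
          "orphan"     bytes with no usable NBSS header (what Wireshark calls continuation data)
    resynced: True when the record was located by scanning for the SMB1 magic
              instead of by following the previous NBSS length field.
    """
    records, off, resynced = [], 0, False
    while off < len(payload):
        if not _looks_like_message(payload, off):
            # Misaligned stream: find the next SMB1 signature and step back over its NBSS header.
            hit = payload.find(SMB1_MAGIC, off)
            if hit == -1:
                records.append({"kind": "orphan", "offset": off, "length": len(payload) - off,
                                "smb": b"", "resynced": False})
                break
            recover = hit - NBSS_HDR_LEN
            if recover < off or payload[recover] != NBSS_SESSION_MESSAGE:
                # The NBSS header itself was lost; keep the PDU but its boundary is unknown,
                # so the rest of the segment is attributed to it.
                if hit > off:
                    records.append({"kind": "orphan", "offset": off, "length": hit - off,
                                    "smb": b"", "resynced": False})
                body = payload[hit:]
                records.append({"kind": "headerless", "offset": hit, "length": None, "smb": body,
                                "command": body[4] if len(body) > 4 else None, "resynced": True})
                break
            if recover > off:
                records.append({"kind": "orphan", "offset": off, "length": recover - off,
                                "smb": b"", "resynced": False})
            off, resynced = recover, True
            continue
        declared = int.from_bytes(payload[off + 1:off + NBSS_HDR_LEN], "big")
        body = payload[off + NBSS_HDR_LEN:off + NBSS_HDR_LEN + declared]
        kind = "message" if len(body) == declared else "truncated"
        records.append({"kind": kind, "offset": off, "length": declared, "smb": body,
                        "command": body[4] if len(body) > 4 else None, "resynced": resynced})
        if kind == "truncated":
            break  # remainder of this PDU lives in the next TCP segment
        resynced = False
        off += NBSS_HDR_LEN + declared
    return records


def build_sample_stream():
    """Constructed sample: segment A holds two intact messages; segment B starts with
    the tail of a PDU whose head was in a dropped segment, then an intact message that
    does not begin at the segment boundary. SMB bodies are fake (magic + command byte
    + 27 zero bytes + a label), not real negotiate/session-setup PDUs."""
    msg1 = SMB1_MAGIC + bytes([0x72]) + b"\x00" * 27 + b"negotiate-1"
    msg2 = SMB1_MAGIC + bytes([0x73]) + b"\x00" * 27 + b"session-setup"
    msg3 = SMB1_MAGIC + bytes([0x75]) + b"\x00" * 27 + b"tree-connect"
    lost_tail = b"\x41" * 17  # leftover bytes of a PDU whose NBSS header was dropped
    return nbss_frame(msg1) + nbss_frame(msg2), lost_tail + nbss_frame(msg3)


if __name__ == "__main__":
    for name, seg in zip(("segment A", "segment B"), build_sample_stream()):
        for r in walk_nbss_stream(seg):
            print(name, r["kind"], "offset", r["offset"], "length", r["length"],
                  "resynced" if r["resynced"] else "aligned")
```

The check that the byte four positions before the signature is 0x00 is what keeps this from being a plain byte-by-byte search: it rejects most accidental `\xffSMB` sequences inside file data, which the brute-force scan in the post would lock on to. It still cannot tell how many bytes were lost, so the "orphan" and "headerless" records are reported rather than silently dropped, and the rest of the segment after a headerless hit is attributed to that PDU because no length field survived.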