Hi folks,
So, in Samba bug https://bugzilla.samba.org/show_bug.cgi?id=8989 you
will find two captures relating to the handling of NT TRANSACT SET
SECURITY DESCRIPTOR.
Wireshark does not handle the dissection of these correctly, and, I
suspect, normal SMB TRANSACT and SMB TRANSACT2 requests/responses.
In dissect_smb, in the code for a normal bidirectional request or
response we look up, using g_hash_table_lookup, the sip for the pid_mid
for the current frame. However, we look it up in the unmatched
requests.
By the time we see a secondary, the original request with that pid_mid
is no longer unmatched, so we have a null sip. Later, when we call
smb_trans_defragment on the secondary (so we can give this fragment to
the original request), we do not have a sip, so we do nothing.
It seems that in dissect_smb, if the request is an XXX_SECONDARY, we
should look up the sip in the matched packets not the unmatched
packets.
What say ye?
I will give that a try to see if I can make progress.
--
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang wine. -- Cao Cao)
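The lookup problem described in the mail, as an added C example that is not Wireshark code and not part of the original message. It models the dissector's two request tables (unmatched and matched) as small arrays instead of GHashTables, treats the interim response as the event that moves a primary request from unmatched to matched, and then replays a constructed primary / interim response / secondary sequence with the same pid_mid twice: once looking the secondary up in unmatched (the behaviour the mail describes, which drops the fragment) and once in matched (the proposed change, which lets the fragment be reassembled). The type and function names (sip_t, process_frame, run_sequence), the PID/MID value and the payload bytes are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_ENTRIES 16
#define MAX_DATA    64

/* Per-transaction state; a stand-in for the dissector's "sip" (hypothetical). */
typedef struct {
    int      in_use;
    uint32_t pid_mid;      /* key: PID in the high 16 bits, MID in the low 16 */
    size_t   total_len;    /* total transaction data announced by the primary */
    size_t   got_len;      /* bytes reassembled so far */
    char     data[MAX_DATA];
} sip_t;

/* The two tables dissect_smb keeps apart: requests still waiting for a
 * response, and requests already paired with one. */
static sip_t unmatched[MAX_ENTRIES];
static sip_t matched[MAX_ENTRIES];

static sip_t *table_lookup(sip_t *tbl, uint32_t key)
{
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (tbl[i].in_use && tbl[i].pid_mid == key)
            return &tbl[i];
    return NULL;
}

static sip_t *table_insert(sip_t *tbl, uint32_t key)
{
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (!tbl[i].in_use) {
            memset(&tbl[i], 0, sizeof tbl[i]);
            tbl[i].in_use = 1;
            tbl[i].pid_mid = key;
            return &tbl[i];
        }
    return NULL;
}

typedef enum { PRIMARY_REQ, INTERIM_RSP, SECONDARY_REQ } frame_kind_t;

typedef struct {
    frame_kind_t kind;
    uint32_t     pid_mid;
    const char  *payload;    /* data bytes this frame carries */
    size_t       total_len;  /* only meaningful on the primary */
} frame_t;

/* Append one fragment's payload to the transaction's buffer. */
static void defragment(sip_t *sip, const char *payload)
{
    size_t n = strlen(payload);
    if (sip->got_len + n > MAX_DATA - 1) return;        /* constructed limit */
    memcpy(sip->data + sip->got_len, payload, n);
    sip->got_len += n;
    sip->data[sip->got_len] = '\0';
}

/* look_in_matched == 0: look secondaries up in unmatched (current behaviour).
 * look_in_matched == 1: look them up in matched (proposed change).
 * Returns the sip used for the frame, or NULL when none was found. */
static sip_t *process_frame(const frame_t *f, int look_in_matched)
{
    sip_t *sip, *old;
    switch (f->kind) {
    case PRIMARY_REQ:
        if (!(sip = table_insert(unmatched, f->pid_mid))) return NULL;
        sip->total_len = f->total_len;
        defragment(sip, f->payload);
        return sip;
    case INTERIM_RSP:
        /* The response pairs with the primary: the entry leaves unmatched
         * and lands in matched, so later secondaries no longer find it there. */
        if (!(old = table_lookup(unmatched, f->pid_mid))) return NULL;
        if (!(sip = table_insert(matched, f->pid_mid))) return NULL;
        *sip = *old;
        old->in_use = 0;
        return sip;
    case SECONDARY_REQ:
        sip = table_lookup(look_in_matched ? matched : unmatched, f->pid_mid);
        if (!sip) return NULL;          /* no sip: the fragment is silently dropped */
        defragment(sip, f->payload);
        return sip;
    }
    return NULL;
}

/* Replays a constructed three-frame sequence. Returns the number of bytes
 * reassembled, or -1 if some frame found no sip. */
static long run_sequence(int look_in_matched)
{
    const uint32_t key = (0x0ABCu << 16) | 0x0001u;   /* constructed PID/MID */
    const frame_t frames[] = {
        { PRIMARY_REQ,   key, "SECURITY_DESCR", 21 },  /* 14 of 21 bytes */
        { INTERIM_RSP,   key, "",                0 },
        { SECONDARY_REQ, key, "IPTOR_1",         0 },  /* remaining 7 bytes */
    };
    sip_t *sip = NULL;
    memset(unmatched, 0, sizeof unmatched);
    memset(matched, 0, sizeof matched);
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
        if (!(sip = process_frame(&frames[i], look_in_matched)))
            return -1;
    return (long)sip->got_len;
}

int main(void)
{
    printf("secondary looked up in unmatched: %ld\n", run_sequence(0)); /* -1 */
    printf("secondary looked up in matched:   %ld\n", run_sequence(1)); /* 21 */
    return 0;
}
```

Compile with `cc -Wall -o smb_trans smb_trans.c && ./smb_trans`. The first run returns -1 because the secondary's pid_mid is only present in the matched table by the time it arrives; the second run reassembles all 21 announced bytes. The model deliberately ignores everything else the real dissector does (conversation tracking, multiple outstanding pid_mids, frame numbers), since only the table choice matters for the point in the mail.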