On Sat, Apr 19, 2014 at 12:48 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Apr 19, 2014, at 12:24 PM, Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:
>
>> One think I would like to be able to do is "Show me all the SMB2
>> requests where the smb2.flags.is_response == true && smb2.nt_status !=
>> NT_STATUS_SUCCESS"
>
> Presumably you mean "show me all the SMB2 transactions (requests and matching responses) where the
> response returned an error".
Yes, although that was just an example. In other cases I would like to
see all the SMB Creates where the requested access == 0x120196 or
whatever ...
> There's now a mechanism to, when saving filtered packets, save "related" packets. I think this was introduced to
> allow the earlier fragments/segments of a reassembled packet to be saved, along with the final packet that
> matched the filter, but in at least some cases somebody might want to save the requests corresponding to
> replies that match the filter.
Yeah, but then I want to be able to step through each of the packets
found and look at the one before or after, so I am continually hitting
clear and apply and so fort. It gets to be a pain, so then I thought
of the concept of having a search results pane that when you click on
one of the search results syncs the main pane so you can move around
and inspect more etc.
--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)