On 04/19/14 15:48, Guy Harris wrote:
On Apr 19, 2014, at 12:24 PM, Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:
One thing I would like to be able to do is "Show me all the SMB2
requests where the smb2.flags.is_response == true && smb2.nt_status !=
NT_STATUS_SUCCESS"
Presumably you mean "show me all the SMB2 transactions (requests and matching responses) where the response returned an error".
Which, technically, you should be able to do today. The problem is
you'd have to use MATE to do it and that's really a pain.
Quick thoughts on how to do it with MATE:
- Create a PDU for SMB messages
- Create a Gop named "smb_transaction" which contains request and the
corresponding answer PDUs (I suppose there's some parameter in SMB that
allows you to correlate the two); store the nt_status in here (with the
"Extra" key word)
- Use a display filter like "smb2.flags.is_response == false &&
mate.smb_transaction.nt_status != NT_STATUS_SUCCESS"
I really, really, *really* should take some time to clean up the wiki
documentation of MATE and provide a lot more examples... Somehow I
never find the motivation to tackle that beast...
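A worked MATE configuration for the sketch above, added here as an illustration and not taken from the thread or from the Wireshark project. It assumes the dissector field names smb2.msg_id, smb2.flags.response and smb2.nt_status, and that the SMB2 message ID is what correlates a request with its response on one TCP connection:

```text
// Added example MATE config (not from the thread). Assumes the SMB2
// dissector exposes smb2.msg_id, smb2.flags.response and smb2.nt_status,
// and that msg_id pairs a request with its response within a connection.

// One PDU per SMB2 message; the tcp/ip transport supplies the address and
// port attributes that, together with msg_id, scope a transaction.
Pdu smb2_pdu Proto smb2 Transport tcp/ip {
    Extract addr      From ip.addr;
    Extract port      From tcp.port;
    Extract msg_id    From smb2.msg_id;
    Extract is_resp   From smb2.flags.response;
    Extract nt_status From smb2.nt_status;
};

// A transaction opens on the request and closes on the matching response.
// Extra copies nt_status onto the Gop so it is visible from both frames.
Gop smb2_transaction On smb2_pdu Match (addr, addr, port, port, msg_id) {
    Start (is_resp=0);
    Stop  (is_resp=1);
    Extra (nt_status);
};

Done;

// Load it and filter on the request frames, following the post's idea
// (filter text and file names are illustrative):
//   tshark -o mate.config:smb2_mate.mate -r capture.pcapng \
//     -Y 'smb2.flags.response == 0 && mate.smb2_transaction.nt_status != "0x00000000"'
// Caveats: MATE stores attribute values as strings, so compare against the
// rendered form of the status (check a Gop's tree to confirm it), and the
// request also carries a zero nt_status, so the Gop may hold two values;
// how "!=" treats multiple occurrences depends on the Wireshark version.
```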