Wireshark-dev: Re: [Wireshark-dev] How can Wireshark improve

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Tue, 22 Apr 2014 11:15:41 -0400
On 04/19/14 15:48, Guy Harris wrote:

On Apr 19, 2014, at 12:24 PM, Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:

One think I would like to be able to do is "Show me all the SMB2
requests where the smb2.flags.is_response == true && smb2.nt_status !=
NT_STATUS_SUCCESS"

Presumably you mean "show me all the SMB2 transactions (requests and matching responses) where the response returned an error".

Which, technically, you should be able to do today. The problem is you'd have to use MATE to do it and that's really a pain.

Quick thoughts on how to do it with MATE:

- Create a PDU for SMB messages

- Create a Gop named "smb_transaction" which contains request and the corresponding answer PDUs (I suppose there's some parameter in SMB that allows you to correlate the two); store the nt_status in here (with the "Extra" key word)

- Use a display filter like "smb2.flags.is_response == false && mate.smb_transaction.nt_status != NT_STATUS_SUCCESS"

I really, really, *really* should take some time to clean up the wiki documentation of MATE and provide a lot more examples... Somehow I never find the motivation to tackle that beast...