["John Walsh" <johnwalshnewsgroup@xxxxxxxxx>]

That works great. Thanks!

On Sat, Nov 22, 2008 at 12:23 AM, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:

On Sat, Nov 22, 2008 at 9:11 AM, John Walsh
<johnwalshnewsgroup@xxxxxxxxx> wrote:
> Greetings,
>
> I'm a new user to wireshark. It rocks.
>
> I'm working with an open source CMS (Alfresco) that provides a SMB
> interface. We have it configured to listen to port 1445 instead of 445. We
> handle the port forwarding to get the traffic to 1445.
>
> I'm using dumpcap to capture edump files on the server for later examination
> on a development box. When I select Analyze -> Decode As, click
> the Transport tab of the Decode As dialog, and select source (1445) as the
> TCP setting, SMB isn't one of the choices in the protocol list. Should it
> be? Can I do something to make it appear? How should I tell wireshark to
> treat 1445 traffic as SMB?

You cant use decode as and select SMB since in wireshark SMB does not
run ontop of TCP and you van only DecodeAs in this regard for
protocols that run immediately ontop of the TCP layer.
In wireshark SMB runs ontop of NBSS which runs ontop of SMB.

(well, this si correct at least for SMB on port 139.  SMB over 445
does not technically use NBSS but uses a different encapsulation
protocol that for all intents and purposes looks identical to NBSS,
which is why wireshark shows TCP->NBSS->SMB even for tcp port 445
even if it is technically not correct).


Thus:   use DecodeAs   and specify NBSS  and it should work.



>
> Thanks!
>
> John Walsh

>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users
>
>
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users