On 2/22/2013 12:25 AM, Rupam Paul wrote:
Hi,
I have been using wireshark for a long time. Recently I found that
wireshark is not able to show the buffer field of SMB2 IOCTL packet.
I am using wireshark Version 1.8.5 (SVN Rev 47350 from /trunk-1.8).
Please let me know how I would be able to see those fields which are
reflecting as unknown.
Thanks,
Rupam
The short answer: Find a specification/description for those fields. :)
For the first 'unknown' field the dissector source says:
    /* some unknown bytes */
    proto_tree_add_item(tree, hf_smb2_unknown, tvb, offset, 4, ENC_NA);
    offset += 4;
For the 'unknown' under the "Out Data", the smb2 dissector has the
following comment:
    /* dissector not yet implemented */
    {0x001440F2, "FSCTL_SRV_COPYCHUNK"},
    {0x00140078, "FSCTL_SRV_REQUEST_RESUME_KEY"},
    {0x001441bb, "FSCTL_SRV_READ_HASH"},
    ...
which may mean "info available but not implemented in the dissector" or
"info not available so don't know how to dissect".
So: Unless & until someone provides info about the fields and/or a patch
to dissect the fields, those fields will remain as "unknown".
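
As an added illustration (not part of the original thread and not Wireshark code), here is a stand-alone decoder for the "Out Data" of two of the FSCTL codes listed above, with the length checks a dissector needs. The field layouts are assumptions based on Microsoft's MS-SMB2 specification and should be checked against it; the struct, function and sample buffers are hypothetical names constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FSCTL_SRV_COPYCHUNK          0x001440F2u  /* codes as listed in the reply */
#define FSCTL_SRV_REQUEST_RESUME_KEY 0x00140078u

struct fsctl_out {                     /* hypothetical result struct */
    uint32_t chunks_written, chunk_bytes_written, total_bytes_written;
    uint8_t  resume_key[24];
    uint32_t context_length;
};

static uint32_t le32(const uint8_t *p) {  /* SMB2 integers are little-endian */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns bytes consumed, or -1 for an unhandled code or a short buffer. */
int decode_fsctl_out(uint32_t code, const uint8_t *buf, size_t len, struct fsctl_out *o)
{
    memset(o, 0, sizeof *o);
    if (code == FSCTL_SRV_COPYCHUNK) {            /* assumed layout: 3 x uint32 */
        if (len < 12) return -1;
        o->chunks_written      = le32(buf);
        o->chunk_bytes_written = le32(buf + 4);
        o->total_bytes_written = le32(buf + 8);
        return 12;
    }
    if (code == FSCTL_SRV_REQUEST_RESUME_KEY) {   /* assumed: key[24], uint32 length, context */
        if (len < 28) return -1;
        memcpy(o->resume_key, buf, 24);
        o->context_length = le32(buf + 24);
        /* The length comes off the wire: never trust it past the captured bytes. */
        if (o->context_length > len - 28) return -1;
        return 28 + (int)o->context_length;
    }
    return -1;                                    /* e.g. FSCTL_SRV_READ_HASH stays "unknown" */
}

/* Constructed sample Out Data buffers, not taken from a real capture. */
static const uint8_t sample_copychunk[12]  = {1,0,0,0, 0,0,0,0, 0,0,16,0};
static const uint8_t sample_resume_key[32] = {0xAA, 0xBB};

int main(void) {
    struct fsctl_out o;
    printf("copychunk consumed=%d\n", decode_fsctl_out(FSCTL_SRV_COPYCHUNK, sample_copychunk, 12, &o));
    printf("resume key consumed=%d\n", decode_fsctl_out(FSCTL_SRV_REQUEST_RESUME_KEY, sample_resume_key, 32, &o));
    return 0;
}
```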