Hi folks,

So, in Samba bug https://bugzilla.samba.org/show_bug.cgi?id=8989 you will find two captures relating to the handling of NT TRANSACT SET SECURITY DESCRIPTOR.

Wireshark does not handle the dissection of these correctly, nor, I suspect, that of normal SMB TRANSACT and SMB TRANSACT2 requests/responses.

In dissect_smb, in the code for a normal bidirectional request or response, we look up, using g_hash_table_lookup, the sip for the pid_mid for the current frame. However, we look it up in the unmatched requests. By the time we see a secondary, the original request with that pid_mid is no longer unmatched, so we have a null sip.

Later, when we call smb_trans_defragment on the secondary (so we can give this fragment to the original request), we do not have a sip, so we do nothing.

It seems that in dissect_smb, if the request is an XXX_SECONDARY, we should look up the sip in the matched packets, not the unmatched packets.

What say ye? I will give that a try to see if I can make progress.

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
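The lookup problem described in the message above, as a simplified model added here (it is not Wireshark's code and not part of the original message). It assumes both tables are keyed by pid_mid and that a response moves the request from the unmatched table to the matched one; the four-frame capture, the `dissect` function and its field names are constructed for illustration.

```python
# Simplified model of request tracking in an SMB dissector.
# Assumptions (not taken from Wireshark's source): both tables are keyed by
# pid_mid, and a response moves the request from "unmatched" to "matched".

# Constructed capture: (frame number, direction, command, pid_mid, fragment)
FRAMES = [
    (1, "req", "NT_TRANSACT",           0x12340001, b"SD-part-1|"),
    (2, "rsp", "NT_TRANSACT",           0x12340001, b""),
    (3, "req", "NT_TRANSACT_SECONDARY", 0x12340001, b"SD-part-2|"),
    (4, "req", "NT_TRANSACT_SECONDARY", 0x12340001, b"SD-part-3"),
]


def dissect(frames, secondary_uses_matched):
    """Return (reassembled payload per pid_mid, frame numbers left without a sip)."""
    unmatched = {}  # pid_mid -> sip for requests still waiting for a response
    matched = {}    # pid_mid -> sip for requests that already got a response
    dropped = []    # secondaries for which the lookup returned no sip

    for num, direction, cmd, pid_mid, data in frames:
        if direction == "rsp":
            # The response matches the request, so it leaves "unmatched".
            sip = unmatched.pop(pid_mid, None)
            if sip is not None:
                matched[pid_mid] = sip
            continue

        if cmd.endswith("_SECONDARY"):
            # Current behaviour: look in "unmatched". Proposed: look in "matched".
            table = matched if secondary_uses_matched else unmatched
            sip = table.get(pid_mid)
            if sip is None:
                # No sip: the defragmentation step has nothing to attach to.
                dropped.append(num)
                continue
            sip["fragments"].append(data)
        else:
            # Primary request: create the per-transaction state.
            unmatched[pid_mid] = {"frame": num, "fragments": [data]}

    payloads = {k: b"".join(s["fragments"])
                for k, s in {**unmatched, **matched}.items()}
    return payloads, dropped


if __name__ == "__main__":
    for label, flag in (("unmatched lookup", False), ("matched lookup", True)):
        payloads, dropped = dissect(FRAMES, flag)
        print(label, payloads, "secondaries without sip:", dropped)
```

With the unmatched lookup, frames 3 and 4 find no sip and only the first fragment is kept; with the matched lookup, all three fragments are attached to the original request.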
