SMB Charts from truncated frames

  • Question

  • Hi,

    I can't seem to get MA 1.3.1 to draw the SMB charts for capture files created with Netmon when the frames are trimmed with the MaxFrameLength switch.

    For example, with a MaxFrameLength of 800 I can't get the SMB charts to draw. If I do the capture without the MaxFrameLength switch the SMB charts work fine.

    Thanks,

    -Wes

    Tuesday, November 3, 2015 8:03 PM

Answers

  • After doing some research and testing, I understand now this is because SMB messages don't always start at the beginning of a TCP fragment.  What this means is that sometimes the SMB message could be at an offset outside the range of the truncated message.  So assuming you are seeing the same issue, you'll notice that when you filter on SMB2.Read in the Analysis Grid, you see that the offsets jump, rather than being consistent for when you don't use truncation to capture.

    Another approach is to use the SMB Client trace scenarios (File->New Session->Live Trace), and then choose SMB Client Header Only, assuming you are capturing from the client.  There is also a Server side component if you want to use that instead.  This captures the data directly from the SMB component, so there won't be any TCP stack showing, which makes the issue go away because all SMB messages are shown.

    Hope this helps,

    Paul

    • Marked as answer by Paul E Long Friday, November 13, 2015 5:58 PM
    Friday, November 13, 2015 5:58 PM
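
The effect described in the answer can be reproduced offline. The following is an added example, not part of the original thread and not Message Analyzer code: it builds a constructed stream of SMB2 READ-sized messages, splits it into TCP segments, truncates each frame, and reports which SMB2 headers are still fully present. The 1460-byte segment size, the 54 bytes of Ethernet/IPv4/TCP headers, the 4096-byte payloads and the helper names are all assumptions.

```python
import struct

SMB2_HDR_LEN = 64            # fixed SMB2 header size
OVERHEAD = 14 + 20 + 20      # assumed Ethernet + IPv4 + TCP headers, no options
MSS = 1460                   # assumed TCP payload bytes per full segment

def smb2_message(command, payload_len):
    """Constructed SMB2 message: 4-byte length prefix, 64-byte header, zero payload."""
    hdr = b"\xfeSMB" + struct.pack("<HHIHH", 64, 0, 0, command, 0)
    body = hdr.ljust(SMB2_HDR_LEN, b"\x00") + bytes(payload_len)
    return struct.pack(">I", len(body)) + body

def header_report(messages, max_frame_len=None):
    """For each message return (offset_in_segment, header_fully_captured)."""
    kept = MSS if max_frame_len is None else min(MSS, max_frame_len - OVERHEAD)
    stream = b"".join(messages)
    # Truncate each TCP segment the way a frame-length limit would.
    captured = [stream[i:i + MSS][:kept] for i in range(0, len(stream), MSS)]
    report, pos = [], 0
    for msg in messages:
        start = pos + 4                      # header follows the length prefix
        got = bytearray()
        for off in range(start, start + SMB2_HDR_LEN):
            seg, idx = divmod(off, MSS)
            if idx < len(captured[seg]):     # byte survived truncation
                got.append(captured[seg][idx])
        ok = len(got) == SMB2_HDR_LEN and got[:4] == b"\xfeSMB"
        report.append((start % MSS, ok))
        pos += len(msg)
    return report

READ = 0x0008  # SMB2 READ command code
msgs = [smb2_message(READ, 4096) for _ in range(8)]  # constructed sample traffic

if __name__ == "__main__":
    for limit in (None, 800):
        print("MaxFrameLength:", limit)
        for seg_off, ok in header_report(msgs, limit):
            state = "parsed" if ok else "lost"
            print(f"  header at segment offset {seg_off:4d}: {state}")
```

With these assumed sizes, only headers that begin within the first 682 payload bytes of a segment survive an 800-byte frame limit, so a parser working from the truncated capture sees gaps in the message sequence.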