Wireshark can export SMB objects.
This feature was implemented in Wireshark version 1.6.0.
You can download the latest stable release of Wireshark here.
Download the sample file, export-objects-smb_01.pcap, here and continue reading to learn more about exporting SMB objects.
You can also export SMB objects during live capture.
Reassemble TCP streams
Open the file export-objects-smb_01.pcap.
You cannot export SMB objects if "Allow subdissector to reassemble TCP streams" is not selected.
Here is a way to check this:
• right-click Transmission Control Protocol in the Packet Details pane
• go to Protocol Preferences
• select "Allow subdissector to reassemble TCP streams"
Export SMB objects
To open the "Wireshark: SMB object list" go to:
File | Export | Objects | SMB
SMB object list
This SMB object list shows the following information:
• The number of the packet in which the data was found.
• The name of the server and the path of the folder.
• The type of the file and how much of the file was actually captured. It also shows whether the file was captured in read or in write operations: mode R and/or W (Read and/or Write).
• The size of the object in bytes.
• The name of the file.
Use the display filter smb.file_data to display the packets that contain the data: in this file, packets 36, 79, 139 and 186.
Select a file and hit the "Save As" button to save a single file.
Hit the "Save All" button if you want to save all files at once.
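The same steps can be scripted with tshark, the command-line tool shipped with Wireshark. This is an added example, not part of the original article; it assumes a tshark build that supports the --export-objects option and a system with sha256sum, and the function names and the SHA256SUMS file name are made up for illustration.

```shell
#!/bin/sh
# Added example: command-line counterpart of File | Export | Objects | SMB.
# Function names and the SHA256SUMS manifest name are illustrative choices.

# list_smb_data_packets PCAP
# Prints the frame numbers matched by the display filter smb.file_data.
list_smb_data_packets() {
    tshark -r "$1" -o tcp.desegment_tcp_streams:TRUE \
        -Y smb.file_data -T fields -e frame.number
}

# export_smb_objects PCAP OUTDIR
# Returns 2 if the capture cannot be read, 3 if tshark is not installed,
# 1 on any other failure, 0 on success.
export_smb_objects() {
    [ -r "$1" ] || { echo "cannot read capture: $1" >&2; return 2; }
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 3; }
    mkdir -p "$2" || return 1

    # tcp.desegment_tcp_streams is the preference behind
    # "Allow subdissector to reassemble TCP streams"; it is set explicitly
    # so the export does not depend on the saved profile.
    tshark -q -r "$1" -o tcp.desegment_tcp_streams:TRUE \
        --export-objects "smb,$2" || return 1

    # Hash every exported object so later analysis can show the files
    # are unchanged since extraction. The manifest itself is excluded.
    find "$2" -type f ! -name SHA256SUMS -exec sha256sum {} + \
        > "$2/SHA256SUMS"
}

# Stand-alone use: sh script.sh export-objects-smb_01.pcap ./smb-objects
if [ "$#" -eq 2 ]; then
    export_smb_objects "$1" "$2" && list_smb_data_packets "$1"
fi
```

Exported objects are whatever was transferred over SMB in the capture, so treat the output directory as untrusted content and open the files only in an analysis environment.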
The white paper "A tool for capturing SMB files with Wireshark" by David Perez & Jose Pico is freely available.
The white paper describes the plug-in they created, explains how the SMB streams are identified, and explains the columns in the "Wireshark: Export SMB object list".
You can also watch Tony Fortunato's video about exporting SMB Objects.
Author Profile - My name is Joke (pronounced \yo-kə\ or Joan for those who do not speak Dutch). During the day, I work as a secretary for a non-profit organization providing assisted living for mentally handicapped people in the south of The Netherlands. In my spare time I like to use Wireshark. I find it interesting and necessary to monitor my home network to see what is going on. As a user I like to answer questions at the Wireshark Mailing List or Ask Wireshark.
What is in it for me? Well, I learn a great deal whenever I try to solve real-world problems. I am also a member of the NGN (the Dutch Network User's Group). I write articles about how to use Wireshark and the command line tools. And if there is still some spare time left, I like to go biking in the woods near my hometown with my husband and fellow geek.