not extracting file transmitted via smb2

antwerp_log · August 15, 2021, 11:43am

Hi everyone

I have a pcap file of a SMB2 file transfer.
tshark can extract the transferred file without any issue.
when running zeek with extract-all-files I do not see the file being extracted.
Moreover, running dump-events on the pcap file, I see no file_new, file_sniff events, only get_file_handle events

any suggestions ?
thanks

Vlad_Grigorescu · August 16, 2021, 11:56am

If you could share the PCAP, I’d be happy to take a look. SMB is our most complex analyzer, it’s not even close, so it’s possible there’s a command/option that’s not being parsed correctly.

Topic		Replies	Views
- extract file from SMB2 Zeek	2	195	May 6, 2022
Extract files from pcap Zeek	2	459	May 9, 2023
Extract Specific File Types (Not All Files) Zeek	4	702	May 11, 2023
Extract All Files from .pcap Zeek	1	407	February 28, 2023
Analysing PCAPNG files from Wireshark traffic captured with Zeek or Spicy Zeek	6	1210	April 11, 2023

not extracting file transmitted via smb2

Related topics