SMB analyzer

Hi, sorry to bother you again.

Today I am looking at the SMB Analyzer, and I have a few questions.
-Why did you choose to analyse the SNIA-CIFS version, and not the others? (http://www.cifs.org/wiki/SMB/CIFS_References). Some of them have new dialects and don't match anymore :s . (I know, the SMB documentation is a real mess.. ).

-Some events are not well written into the event.bif:
For instance, the smb_com_negotiate event is built with 3 arguments

  vl->append(analyzer->BuildConnVal());
  vl->append(BuildHeaderVal(hdr));
  vl->append(t); // which are the possible dialects

  analyzer->ConnectionEvent(smb_com_negotiate, vl);

But in the event.bif the event is declared as follows, without the last argument:
  event smb_com_negotiate%(c: connection, hdr: smb_hdr%);

-If I would add some parts of another dialect, how should I implement it? Add a dialect field in the SMB_session, and duplicate binpac if the protocols are different?

Nicolas
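
A small consistency check for the arity mismatch described above, added here as an example (not Bro's own code): it counts the vl->append() calls that precede each ConnectionEvent() in the C++ analyzer and compares them with the parameter count declared for that event in the .bif. The C++ and .bif samples are constructed from the snippet quoted in the mail, plus a hypothetical smb_com_close event that matches; the check assumes one append per line and one val_list per event.

```python
import re

# Constructed samples modelled on the mail: negotiate appends 3 values but is
# declared with 2 parameters; smb_com_close is a hypothetical matching event.
CPP_SAMPLE = """
    val_list* vl = new val_list;
    vl->append(analyzer->BuildConnVal());
    vl->append(BuildHeaderVal(hdr));
    vl->append(t); // which are the possible dialects
    analyzer->ConnectionEvent(smb_com_negotiate, vl);

    vl = new val_list;
    vl->append(analyzer->BuildConnVal());
    vl->append(BuildHeaderVal(hdr));
    analyzer->ConnectionEvent(smb_com_close, vl);
"""

BIF_SAMPLE = """
event smb_com_negotiate%(c: connection, hdr: smb_hdr%);
event smb_com_close%(c: connection, hdr: smb_hdr%);
"""

APPEND_RE = re.compile(r'vl->append\(')
EVENT_RE = re.compile(r'ConnectionEvent\((\w+),\s*vl\)')
DECL_RE = re.compile(r'^\s*event\s+(\w+)%\((.*?)%\)', re.M)

def cpp_event_arity(src):
    """Map event name -> number of vl->append() calls since the previous event."""
    arity = {}
    count = 0
    for line in src.splitlines():
        count += len(APPEND_RE.findall(line))
        m = EVENT_RE.search(line)
        if m:
            arity[m.group(1)] = count
            count = 0  # next event starts with a fresh val_list
    return arity

def bif_event_arity(src):
    """Map event name -> number of parameters declared in the .bif."""
    arity = {}
    for name, params in DECL_RE.findall(src):
        params = params.strip()
        arity[name] = len(params.split(',')) if params else 0
    return arity

def find_mismatches(cpp_src, bif_src):
    """Return {event: (cpp_args, bif_params)} for events whose arities differ."""
    cpp, bif = cpp_event_arity(cpp_src), bif_event_arity(bif_src)
    return {n: (cpp[n], bif.get(n)) for n in cpp if cpp[n] != bif.get(n)}
```

Running find_mismatches(CPP_SAMPLE, BIF_SAMPLE) reports only smb_com_negotiate, with 3 C++ arguments against 2 declared parameters.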

> Today I am looking at the SMB Analyzer, and I have a few questions.
> -Why did you choose to analyse the SNIA-CIFS version, and not the others? (http://www.cifs.org/wiki/SMB/CIFS_References). Some of them have new dialects and don't match anymore :s . (I know, the SMB documentation is a real mess.. ).

Why do you say that we are implementing the SNIA-CIFS version?

> -Some events are not well written into the event.bif:
> For instance, the smb_com_negotiate event is built with 3 arguments

What's in the release is not where the current development is. The current version of the development is in the topic/seth/smb-smb2-work branch.

  .Seth

> > Today I am looking at the SMB Analyzer, and I have a few questions.
> > -Why did you choose to analyse the SNIA-CIFS version, and not the others? (http://www.cifs.org/wiki/SMB/CIFS_References). Some of them have new dialects and don't match anymore :s . (I know, the SMB documentation is a real mess.. ).

> Why do you say that we are implementing the SNIA-CIFS version?

Because the version is given in the SMB.h file. Also, I have started to compare the SNIA documentation with the binpac code, and I confirm the SNIA version.

> > -Some events are not well written into the event.bif:
> > For instance, the smb_com_negotiate event is built with 3 arguments

> What's in the release is not where the current development is. The current version of the development is in the topic/seth/smb-smb2-work branch.

Oh.. so someone is still working on it? It has changed a lot, I will look closer at this branch.
Will it be merged for the next release?

Nicolas

I've been working on it for a while, but I've been delayed lately so that we could integrate the SMB analyzer with the upcoming file analysis framework.

It's not going to be ready for the next release, but it's still planned for a future release.

  .Seth