Want a way to extract SMB packets from a crash dump
Sometimes when we get a crash dump in the SMB service, we'd like to be able to use a packet dissector like Wireshark to examine the SMB request we were working on at the time we crashed. A new sub-function of the smbsrv mdb module could do this.
This extends the ::smbreq_dump dcmd of the smbsrv mdb module with a new "-o" option that can be used to dump the contents of SMB requests to a "pcap" file. Output written via the "-o" option is appended, so one can run ::smbreq_dump -o outfile.pcap via a walker to collect several packets in the outfile.pcap file. These packets are not generally in the order or exact form they had on the network, but this provides a nice way to dissect an SMB request (i.e. the one we were working on when we panicked).
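As an added illustration of the append-to-pcap behaviour described above (example code, not the smbsrv mdb module's own implementation), the writer below wraps a constructed SMB2 NEGOTIATE request in synthetic IPv4/TCP headers and appends it as a pcap record, writing the global header only when the file is new or empty. The raw-IP link type, fake addresses and port numbers are assumptions made for the example.

```python
import os
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap magic, microsecond timestamps
DLT_RAW = 101             # link type 101: each record starts at the IPv4 header (assumption)

def sample_smb2_negotiate():
    """Constructed SMB2 NEGOTIATE request (dialect 2.0.2) behind a NetBIOS session header."""
    hdr = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHHI16sQH", 36, 1, 1, 0, 0, b"\0" * 16, 0, 0x0202)
    msg = hdr + body
    return struct.pack("!I", len(msg)) + msg   # NetBIOS: type 0, 24-bit length

def ipv4_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:                             # fold carries into 16 bits
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def wrap_in_tcp(payload, src="10.0.0.1", dst="10.0.0.2", sport=50000, dport=445):
    """Synthesize IPv4+TCP headers (fake addresses; TCP checksum left 0, not validated by default)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + tcp + payload

def append_packet(path, payload, ts_sec=0, ts_usec=0):
    """Append one record; global header only for a new/empty file, so repeated dumps accumulate."""
    pkt = wrap_in_tcp(payload)
    fresh = not os.path.exists(path) or os.path.getsize(path) == 0
    with open(path, "ab") as f:
        if fresh:
            f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_RAW))
        f.write(struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)))
        f.write(pkt)
    return len(pkt)

def read_pcap(path):
    """Parse the file back: returns (linktype, [(ts_sec, ts_usec, packet_bytes), ...])."""
    data = open(path, "rb").read()
    linktype = struct.unpack("<IHHiIII", data[:24])[6]
    records, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        records.append((ts_sec, ts_usec, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return linktype, records
```

Opening the resulting file in Wireshark shows each record as TCP/445 carrying the SMB2 message, which is enough for the dissector even though the synthetic headers never existed on the wire.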
Updated by Electric Monk 5 months ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
commit 764c8bd85562491d470a20cc0353ca8b79069361
Author: Gordon Ross <email@example.com>
Date: 2019-05-18T23:45:48.000Z

10962 Want a way to extract SMB packets from a crash dump
Reviewed by: Dan Fields <firstname.lastname@example.org>
Reviewed by: Kevin Crowe <email@example.com>
Approved by: Joshua M. Clulow <firstname.lastname@example.org>