Wireshark-dev: [Wireshark-dev] SMB and lost NBSS streams
From: Andrew Leung <[email protected]>
Date: Thu, 08 Nov 2007 13:36:02 -0800

I am analyzing SMB traces from CIFS and NetBIOS ports. All packets use the session layer NBSS protocol to determine application level (SMB) packet boundaries. In some cases we drop packets (heavy I/O periods usually) and can lose the end of a NBSS stream and the beginning of the next.
When this happens, wireshark does not know the correct offset in the 
NBSS stream to look for the next SMB header. As a result, it just passes 
the packet to the NBSS handler which just tags it as continuation data, 
even when there may be a SMB header within the packet, though not 
directly following the TCP header.
I am wondering if anyone else has encountered this (which seems highly 
likely if packet loss occurs) and if anyone knows of any good solutions? 
I have been using a brute for byte by byte search for SMB headers to 
alleviate the problem, though this solution isn't particularly graceful.