Wireshark-dev: Re: [Wireshark-dev] [Wireshark-users] Decode As dialog doesn't offer SMB
From: Bill Meier <[email protected]>
Date: Sat, 22 Nov 2008 00:33:43 -0500
John Walsh has asked how to configure Wireshark to treat traffic on port
1445 the same as traffic on port 445 (For example: "CIFS" aka SMB over TCP).
(see http://www.wireshark.org/lists/wireshark-users/200811/msg00167.html)

I've replied that this is currently not possible.

Looking at the code:

Wireshark registers TCP port 445 as (what I'll call) a "null" variant of
Netbios Session Service.

(The "null" variant is just a 4 byte framing header).

SMB/SMB2 are then considered be two possible protocols running over NBSS
(either the normal NBSS or the "null" version"). (

The code is written such that *only* traffic seen on port 445 will be
treated as the 4 byte framing header followed by a protocol such as
SMB/SMB2/MQ. Using NBSS for "decode as" will not work).

One approach to allowing the use of "decode-as" for the variant
registered to tcp port 445:

In packet-nbns.c

   Register a new protocol:
     Call it ??? (microsoft-ds ???)
   Change the code so that there is a dissect_nbss and a dissect_???
   The first calls the common main nbss code with an argument
   is_cifs as FALSE; the second with an argument is_cifs = TRUE.

   I believe the above would then allow a port other than 445 to
   be dissected the same as port 445 (via decode-as for
   the ??? protocol).

   Will using this be confusing to those not familiar with the exact
   details of the protocol layering ??


  Simpler: just provide a NBSS preference to set the
  (??? "microsoft-ds) port (default of 445).

  (The IANA port assignment document assigns  port 445 (both TCP
  & UDP) to "Microsoft-DS").

Comments ??