Wireshark-dev: [Wireshark-dev] Wireshark and tshark show different data for the smb.file field
From: Richard Sharpe <[email protected]>
Date: Wed, 12 Jun 2013 13:04:28 -0700
Hi folks,

I have a capture file with some weird file names in SMB requests.
Wireshark shows them as this:

\\somewhere\\eng\\Project\\HZX - City of
SomePlace\\xxxxyyyyzzz\\Planning-study\\Reports\\UNC\\somecmpy.com\\csfile\\eng\\Project\\HZX
- City of SomePlace\\xxxxyyyyzzz

This appears to be correct because I see that same data in the data pane.

However, tshark shows this:

\\somewhere\\eng\\Project\\HZX - City of
SomePlace\\xxxxyyyyzzz\\Planning-study\\Reports\\UNC

Now, there are longer file paths that tshark shows, so it is not
truncating. it seems to object to the component after the UNC string
and stops there.

Has anyone seen this?

Wireshark version 1.8.6. tshark version 1.10.0 (Copyright 1998-2013)

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)