Wireshark-dev: Re: [Wireshark-dev] Wireshark and tshark show different data for the smb.file fi
From: Evan Huus <[email protected]>
Date: Wed, 12 Jun 2013 16:09:56 -0400
If wireshark is 1.8 and tshark is 1.10 then all bets are off. I don't
have anything exhibiting this, but my bet is that Wireshark 1.10 has
the same problematic behaviour.

Evan

On Wed, Jun 12, 2013 at 4:04 PM, Richard Sharpe
<[email protected]> wrote:
> Hi folks,
>
> I have a capture file with some weird file names in SMB requests.
> Wireshark shows them as this:
>
> \\somewhere\\eng\\Project\\HZX - City of
> SomePlace\\xxxxyyyyzzz\\Planning-study\\Reports\\UNC\\somecmpy.com\\csfile\\eng\\Project\\HZX
> - City of SomePlace\\xxxxyyyyzzz
>
> This appears to be correct because I see that same data in the data pane.
>
> However, tshark shows this:
>
> \\somewhere\\eng\\Project\\HZX - City of
> SomePlace\\xxxxyyyyzzz\\Planning-study\\Reports\\UNC
>
> Now, there are longer file paths that tshark shows, so it is not
> truncating. it seems to object to the component after the UNC string
> and stops there.
>
> Has anyone seen this?
>
> Wireshark version 1.8.6. tshark version 1.10.0 (Copyright 1998-2013)
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <[email protected]>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:[email protected]?subject=unsubscribe