Wireshark-dev: Re: [Wireshark-dev] smb2.msg_id defined as signed 64-bit integer - bug?
From: Graham Bloice <[email protected]>
Date: Sat, 17 Sep 2016 16:38:29 +0100

On 17 September 2016 at 15:12, Paul Offord <[email protected]> wrote:

In packet-smb2.h and packet-smb2.c the SMB2 MessageId is defined as a signed 64-bit integer.




typedef struct _smb2_info_t {
    guint16 opcode;
    guint32 ioctl_function;
    guint32 status;
    guint32 tid;
    guint64 sesid;
    gint64  msg_id;
    guint32 flags;
    smb2_eo_file_info_t *eo_file_info; /* eo_smb extra info */
    smb2_conv_info_t    *conv;
    smb2_saved_info_t   *saved;
    smb2_tid_info_t     *tree;
    smb2_sesid_info_t   *session;
    smb2_fid_info_t     *file;
    proto_tree *top_tree;
} smb2_info_t;

    { &hf_smb2_msg_id,
        { "Message ID", "smb2.msg_id", FT_INT64, BASE_DEC,
        NULL, 0, "SMB2 Message ID", HFILL }




I believe MessageId should be an unsigned 64-bit integer.  Although the [MS-SMB2] document isn’t specific, Microsoft Message Analyzer defines the field as UInt64.


It’s not a big deal but it does mean that filtering for a range of MessageIds won’t work as expected for very large values.


Is it OK for me to report this as a bug through Bugzilla?


Sure, or submit a change directly.

Graham Bloice
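
The range-filter effect described in the thread, as an added example that is not part of the original messages or of the Wireshark source. It assumes the [MS-SMB2] header layout (64-byte header, MessageId as 8 little-endian bytes at offset 24); the sample MessageIds and the helper names are constructed, and the comparison is a plain model of "msg_id >= lo", not Wireshark's filter engine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB2_HDR_LEN      64
#define SMB2_MSGID_OFFSET 24  /* MessageId: 8 bytes, little-endian */

/* Constructed sample MessageIds; the last two have the top bit set. */
static const uint64_t SAMPLE_IDS[] = {
    5, 1000, 4096, 0x8000000000000000ULL, 0xFFFFFFFFFFFFFFFFULL
};
#define N_SAMPLES (sizeof SAMPLE_IDS / sizeof SAMPLE_IDS[0])

/* Build a constructed SMB2 header with only the fields used here. */
static void make_hdr(uint8_t *hdr, uint64_t msg_id)
{
    memset(hdr, 0, SMB2_HDR_LEN);
    memcpy(hdr, "\xfeSMB", 4);                    /* ProtocolId */
    hdr[4] = SMB2_HDR_LEN;                        /* StructureSize */
    for (int i = 0; i < 8; i++)
        hdr[SMB2_MSGID_OFFSET + i] = (uint8_t)(msg_id >> (8 * i));
}

/* Read the raw 64 bits of MessageId from the header. */
static uint64_t read_msg_id(const uint8_t *hdr)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | hdr[SMB2_MSGID_OFFSET + i];
    return v;
}

/* Count sample headers matching "msg_id >= lo"; as_signed selects the
 * gint64-style interpretation, otherwise the UInt64 one. */
static int count_matches(uint64_t lo, int as_signed)
{
    uint8_t hdr[SMB2_HDR_LEN];
    int hits = 0;
    for (size_t i = 0; i < N_SAMPLES; i++) {
        make_hdr(hdr, SAMPLE_IDS[i]);
        uint64_t raw = read_msg_id(hdr);
        int64_t s;
        memcpy(&s, &raw, sizeof s);   /* same bits, signed view */
        hits += as_signed ? (s >= (int64_t)lo) : (raw >= lo);
    }
    return hits;
}

int main(void)
{
    printf("signed view:   %d of %zu match\n", count_matches(1000, 1), N_SAMPLES);
    printf("unsigned view: %d of %zu match\n", count_matches(1000, 0), N_SAMPLES);
    return 0;
}
```

With the signed view, the two MessageIds that have the top bit set read as negative and drop out of the range, so a capture filter built on that comparison silently misses those packets.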