Patching tcpdump-smb to deal with hyperlong packet reports

Stanley.Hopcroft at ipaustralia.gov.au
Tue Apr 21 08:07:17 GMT 1998



Dear Ladies and Gentlemen,

I am writing to say that tcpdump-smb on our multi-protocol
network (IP, NetBEUI, and SNA) occasionally reports hyperlong packets
that look to contain the data of other packets (see previous posting
about this).

When Mr Tridgell's patches are applied to the latest tcpdump (3.4a6,
the one on ftp.ee.lbl.gov) the results are the same.

The one reply to my letter about this problem (from Mr Borsenkow in
Denmark) suggested that this was a known problem with tcpdump-smb.

A dumb hack to stop these reports is

in the function nbt_tcp_print in print-smb.c (with this extract from
the patch file tcpdump-3.2.1-smb-diffs)

+  case 0:
+    data = fdata(data,"NBT Session
Packet\nFlags=[rw]\nLength=[rd]\n",data+4);
+    if (memcmp(data,"\377SMB",4)==0) {
+      if (nbt_len>PTR_DIFF(maxbuf,data))
+       printf("WARNING: Short packet. Try increasing the snap length
(%d)\n",
+              PTR_DIFF(maxbuf,data));
+      print_smb(data,maxbuf>data+nbt_len?data+nbt_len:maxbuf);
+    } else {
+      printf("Session packet:(raw data?)\n");
+    }
+    break;
+
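
Review bot: the print_smb call at the end of the SMB branch needs to keep its end pointer clamped to maxbuf. The test just above it (nbt_len>PTR_DIFF(maxbuf,data)) shows that nbt_len can exceed the bytes actually captured, and in that case only the WARNING is printed before execution falls through to print_smb, so a bare data+nbt_len as the end pointer would let the decoder read past the capture buffer. Keep the maxbuf>data+nbt_len?data+nbt_len:maxbuf form, or break out after the warning instead of decoding. The memcmp(data,"\377SMB",4) before it also reads four bytes at data without first checking that data+4 does not pass maxbuf.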

to replace

      print_smb(data,maxbuf>data+nbt_len?data+nbt_len:maxbuf);

with

      print_smb(data,data+nbt_len);

The complete set of patches to apply Mr Tridgell's marvellous work to
tcpdump-3.4a6 can be had by asking (the changes are to Makefile.in and
the line above).

Thank you,

Yours sincerely

S Hopcroft

shopcroft at IPAustralia (better known as the Patents Office)

IP Australia.






