simsong / tcpflow

TCP/IP packet demultiplexer. Download from:
http://downloads.digitalcorpora.org/downloads/tcpflow/
GNU General Public License v3.0

Write SMB parser, test SMB parser, and integrate with tcpflow source code #207

Open chenchampion opened 5 years ago

chenchampion commented 5 years ago

Dear Sir,

I am trying to reassemble network traffic data with TCPFLOW. The tool is perfect for HTTP/FTP/SMTP/POP3 etc., but when some SMB protocol data is transferred, the tool always dumps all the data into one file. For example, I copy 10 files from a shared folder, but I only get one file transferred from port 445. When I analyze that file, I can find the data of all 10 files in it, but the file data is mixed up with a lot of SMB data. Could you give some advice on how to fix this problem? Thank you in advance.

simsong commented 5 years ago

Yes! Thanks for writing. You will need to write a SMB parser. When you have it finished, please submit it as a pull request. Thanks!


chenchampion commented 5 years ago

Thank you for your quick response. After searching the source code, I only found the HTTP parser. Where can I get all the parsers, such as FTP/SMTP/POP3? Could you give me some guidance on how to write an SMB parser?

simsong commented 5 years ago

Hi. Well, as you know, you don't need an FTP parser because FTP sends data over its own connection. We don't have SMTP or POP3 parsers, but there is a MIME parser, which finds MIME-encoded objects. For SMB, you'll need to write a protocol decoder and then tie it into the be13_api plug-in API. You can find an overview of the protocol here: https://docs.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview. However, you will probably want to review the SAMBA source code.
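To illustrate what such a decoder has to do (this is an added stand-alone example, not code from tcpflow, be13_api or anyone in this thread): the reason one port-445 flow comes out as a single file is that SMB2 multiplexes many file operations over one TCP connection, so a demultiplexer must walk the NetBIOS session framing, split compound messages via the SMB2 `NextCommand` field, and regroup payloads by `FileId`. The snippet below does that for the client-to-server WRITE direction only; the sample stream, the `build_write` helper and the session/tree ids are constructed here for the demo, and no SMB signing or encryption is handled.

```python
import struct
from collections import defaultdict

SMB2_MAGIC = b"\xfeSMB"
SMB2_WRITE = 0x0009  # SMB2 WRITE command code

def iter_smb2_messages(stream: bytes):
    """Yield raw SMB2 messages from one direction of a port-445 TCP stream.
    Each PDU is framed by a 4-byte NetBIOS Session Service header (zero byte
    + 24-bit big-endian length); compound PDUs are split on NextCommand."""
    pos = 0
    while pos + 4 <= len(stream):
        length = struct.unpack(">I", stream[pos:pos + 4])[0] & 0x00FFFFFF
        pdu = stream[pos + 4:pos + 4 + length]
        if len(pdu) < length:
            break  # truncated capture: stop rather than misparse
        pos += 4 + length
        while pdu.startswith(SMB2_MAGIC) and len(pdu) >= 64:
            next_cmd = struct.unpack_from("<I", pdu, 20)[0]  # NextCommand
            yield pdu if next_cmd == 0 else pdu[:next_cmd]
            if next_cmd == 0:
                break
            pdu = pdu[next_cmd:]

def demux_writes(stream: bytes) -> dict:
    """Regroup SMB2 WRITE payloads by FileId at their file Offset, so one
    TCP flow yields one buffer per written file (dict: FileId -> bytes)."""
    files = defaultdict(bytearray)
    for msg in iter_smb2_messages(stream):
        if struct.unpack_from("<H", msg, 12)[0] != SMB2_WRITE:  # Command
            continue
        # WRITE body at 64: StructureSize(2) DataOffset(2) Length(4) Offset(8) FileId(16)
        data_off, length, offset = struct.unpack_from("<HIQ", msg, 66)
        file_id = msg[80:96]
        data = msg[data_off:data_off + length]  # DataOffset is from header start
        buf = files[file_id]
        if len(buf) < offset:
            buf.extend(b"\x00" * (offset - len(buf)))
        buf[offset:offset + len(data)] = data
    return {fid: bytes(buf) for fid, buf in files.items()}

def build_write(msg_id: int, file_id: bytes, offset: int, data: bytes) -> bytes:
    """Constructed, unsigned SMB2 WRITE request for the demo stream (hypothetical ids)."""
    hdr = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_WRITE, 1, 0, 0,
                                   msg_id, 0, 1, 0x1234) + b"\x00" * 16
    body = struct.pack("<HHIQ", 49, 112, len(data), offset) + file_id + b"\x00" * 16
    pdu = hdr + body + data
    return struct.pack(">I", len(pdu)) + pdu  # NetBIOS session framing

FILE_A, FILE_B = bytes(range(16)), bytes(range(16, 32))  # constructed FileIds
SAMPLE_STREAM = b"".join([build_write(1, FILE_A, 0, b"hello "), build_write(2, FILE_B, 0, b"SMB de"),
                          build_write(3, FILE_A, 6, b"world"), build_write(4, FILE_B, 6, b"mux")])
```

For the download case in the issue (READ), the response carries no FileId, so the decoder must additionally map each READ request's MessageId to its FileId and apply that mapping to the server-to-client stream.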

chenchampion commented 5 years ago

Thank you, I will try to implement it, but I cannot promise when I can finish it.

simsong commented 5 years ago

This is a complex project.