The Oldcommguy

Jan 1, 2015 · 2 min

Wireshark: Export SMB Objects (by Joke Snelders)

Wireshark can export SMB objects.


 
This feature is implemented in Wireshark version 1.6.0 and up.
 

 

 
You can download the latest stable release of Wireshark here.
 

 

 
Download the sample file, export-objects-smb_01.pcap, here and continue reading to learn more about exporting SMB objects.
 

 

 
Note
 

 
You can also export SMB objects during live capture.


 
Reassemble TCP streams
 

 
Open the file export-objects-smb_01.pcap.
 

 

 
You cannot export SMB objects if "Allow subdissector to reassemble TCP streams" is not selected.
 

 

 
Here is a way to check this:
 

 
• right-click Transmission Control Protocol in the Packet Details pane
 

 
• go to Protocol Preferences
 

 
• select "Allow subdissector to reassemble TCP streams"


 
Export SMB objects
 

 
To open the "Wireshark: SMB object list" go to:
 

 
File | Export | Objects | SMB


 
SMB object list
 

 
This SMB object list shows the following information:
 

 
Packet num
 

 
The number of the packet in which the data was found.
 

 

 
Hostname
 

 
The name of the server and the path of the folder.
 

 

 
Content Type
 

 
This field shows the type of the file and how much of the file actually was captured. It also shows you if the file was captured in read or in write operations:
 

 
mode R and/or W (Read and/or Write)
 

 

 
Bytes
 

 
The size of the object in bytes.
 

 

 
Filename
 

 
The name of the file.


 
Note
 

 
Use the display filter smb.file_data to display the packets that contain the data: in this file, packets 36, 79, 139 and 186.
 

 

 
Save files
 

 
Select a file and hit the "Save As" button to save a single file.
 

 

 
Hit the "Save All" button if you want to save all files at once.
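
The same export can be scripted with tshark. This is an added example, not part of the original article: it assumes a tshark build that supports --export-objects and GNU coreutils for hashing, and the function names are hypothetical. Exported files are treated as untrusted, so they are made read-only and hashed rather than opened.

```shell
#!/usr/bin/env bash
# Added example: command-line counterpart of File | Export | Objects | SMB.
# Function names are hypothetical; tshark and sha256sum are assumed installed.

# Export every SMB object in a capture to a directory ("Save All").
# TCP reassembly is switched on for this run, matching the GUI preference
# "Allow subdissector to reassemble TCP streams".
export_smb_objects() {
    mkdir -p "$2" || return 1
    tshark -r "$1" -q \
        -o tcp.desegment_tcp_streams:TRUE \
        --export-objects "smb,$2"
}

# Print the frame numbers that carry SMB file data, using the display
# filter from the Note (the article lists 36, 79, 139 and 186 for its sample).
smb_data_frames() {
    tshark -r "$1" -o tcp.desegment_tcp_streams:TRUE \
        -Y smb.file_data -T fields -e frame.number
}

# Extracted objects may be hostile: remove write and execute permission.
lock_down() {
    find "$1" -type f -exec chmod 0400 {} +
}

# Print a sorted SHA-256 manifest of everything in the export directory,
# so each object can be looked up or preserved as evidence without opening it.
hash_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# Run only when called as: script.sh <capture.pcap> <output-dir>
if [ "$#" -eq 2 ]; then
    smb_data_frames "$1"
    export_smb_objects "$1" "$2" && lock_down "$2" && hash_manifest "$2"
fi
```

Compare the manifest with the Bytes and Content Type columns of the object list before relying on a hash: an object that was only partly captured hashes differently from the original file.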
 

 

 
Read more
 
https://wiki.wireshark.org/SMB
 

 

 
You can also watch Tony Fortunato's video.
 

Author Profile - My name is Joke (pronounced \yo-kə\ or Joan for those who do not speak Dutch). During the day, I work as a secretary for a non-profit organization providing assisted living for mentally handicapped people in the south of The Netherlands. In my spare time I like to use Wireshark. I find it interesting and necessary to monitor my home network to see what is going on. As a user I like to answer questions at the Wireshark Mailing List or Ask Wireshark.

What is in it for me? Well, I learn a great deal whenever I try to solve real-world problems. I am also a member of the NGN (the Dutch Network User's Group). I write articles about how to use Wireshark and the command line tools. And if there is still some spare time left, I like to go biking in the woods near my hometown with my husband and fellow geek.
