SMB: add (partial) support for messages split into multiple TCP segments (#1644)

2026-05-06 03:45:32 +00:00 · 2022-07-07 19:24:31 +02:00 · 2022-07-07 19:24:31 +02:00 · f8076e3a58
commit f8076e3a58
parent ff4e010501
9 changed files with 36 additions and 20 deletions
--- a/tests/pcap/smb_frags.pcap
+++ b/tests/pcap/smb_frags.pcap
--- a/tests/result/android.pcap.out
+++ b/tests/result/android.pcap.out
@ -1,6 +1,6 @@
 Guessed flow protos:	7

-DPI Packets (TCP):	157	(5.61 pkts/flow)
+DPI Packets (TCP):	147	(5.25 pkts/flow)
 DPI Packets (UDP):	52	(1.68 pkts/flow)
 DPI Packets (other):	4	(1.00 pkts/flow)
 Confidence Match by IP      : 3 (flows)
--- a/tests/result/fuzz-2021-10-13.pcap.out
+++ b/tests/result/fuzz-2021-10-13.pcap.out
@ -1,4 +1,4 @@
-Guessed flow protos:	0
+Guessed flow protos:	1

 DPI Packets (TCP):	1	(1.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
--- a/tests/result/skype_no_unknown.pcap.out
+++ b/tests/result/skype_no_unknown.pcap.out
@ -1,6 +1,6 @@
 Guessed flow protos:	72

-DPI Packets (TCP):	1168	(15.37 pkts/flow)
+DPI Packets (TCP):	1159	(15.25 pkts/flow)
 DPI Packets (UDP):	288	(1.55 pkts/flow)
 DPI Packets (other):	5	(1.00 pkts/flow)
 Confidence Unknown          : 45 (flows)
--- a/tests/result/smb_frags.pcap.out
+++ b/tests/result/smb_frags.pcap.out
@ -0,0 +1,8 @@
+Guessed flow protos:	0
+
+DPI Packets (TCP):	5	(5.00 pkts/flow)
+Confidence DPI              : 1 (flows)
+
+SMBv1	8	2763	1
+
+	1	TCP 10.202.211.125:54120 <-> 10.202.7.8:445 [VLAN: 1608][proto: 10.16/NetBIOS.SMBv1][ClearText][Confidence: DPI][cat: System/18][5 pkts/2009 bytes <-> 3 pkts/754 bytes][Goodput ratio: 82/71][0.58 sec][bytes ratio: 0.454 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/94 144/238 387/383 145/144][Pkt Len c2s/s2c min/avg/max/stddev: 70/78 402/251 1438/397 525/132][Risk: ** Known Proto on Non Std Port **** SMB Insecure Vers **** Unsafe Protocol **][Risk Score: 160][Risk Info: Found SMBv1 / Expected on port 139][PLAIN TEXT (defined.12)][Plen Bins: 0,20,0,0,0,0,20,20,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0]
--- a/tests/result/teams.pcap.out
+++ b/tests/result/teams.pcap.out
@ -1,6 +1,6 @@
 Guessed flow protos:	4

-DPI Packets (TCP):	494	(11.76 pkts/flow)
+DPI Packets (TCP):	356	(8.48 pkts/flow)
 DPI Packets (UDP):	87	(2.17 pkts/flow)
 DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
--- a/tests/result/tls_invalid_reads.pcap.out
+++ b/tests/result/tls_invalid_reads.pcap.out
@ -1,6 +1,6 @@
-Guessed flow protos:	3
+Guessed flow protos:	2

-DPI Packets (TCP):	11	(3.67 pkts/flow)
+DPI Packets (TCP):	10	(3.33 pkts/flow)
 Confidence Match by IP      : 1 (flows)
 Confidence DPI              : 2 (flows)

--- a/tests/result/viber.pcap.out
+++ b/tests/result/viber.pcap.out
@ -1,6 +1,6 @@
 Guessed flow protos:	5

-DPI Packets (TCP):	151	(11.62 pkts/flow)
+DPI Packets (TCP):	131	(10.08 pkts/flow)
 DPI Packets (UDP):	27	(1.93 pkts/flow)
 DPI Packets (other):	2	(1.00 pkts/flow)
 Confidence Match by IP      : 4 (flows)