I've found the same issue in my testing of the free version. I suspect that it's looking at port 139 rather than 445? It only seems to catch files transferred via workgroups, not domains, that's why I suspect this is so.
-rich
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
The next release (1.1) of NetworkMiner will contain fixes for the SMB parser that most likely will solve the problems you are encountering. However, please let me know if you are encountering the same problems with NetworkMiner 1.1
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
i have problems in detecting smb file transfers larger than 1 megabytes in size in networkminer 1.6.1. i sent some sample pcap files to your email erik (info@netresec)
whould you please check it and answer me.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Thanks Mori, you're capturing network traffic with NetworkMiner's live capture feature. This is not a 100% reliable method for sniffing. The few packets missed while doing live captures with NetworkMiner is what is preventing you from reassembling large files sent over the network.
Please sniff with something like dumpcap for better reliability, and then load the generated PCAP files with NetworkMiner. More information on how to best sniff network traffic is available here:
Hello, there,
It appears that NM1.0 skips a fair amount of SMB files. For some SMB shares - almost all of them.
I've found the same issue in my testing of the free version. I suspect that it's looking at port 139 rather than 445? It only seems to catch files transferred via workgroups, not domains, that's why I suspect this is so.
-rich
The next release (1.1) of NetworkMiner will contain fixes for the SMB parser that most likely will solve the problems you are encountering. However, please let me know if you are encountering the same problems with NetworkMiner 1.1
i have problems in detecting smb file transfers larger than 1 megabytes in size in networkminer 1.6.1. i sent some sample pcap files to your email erik (info@netresec)
whould you please check it and answer me.
Thanks Mori, you're capturing network traffic with NetworkMiner's live capture feature. This is not a 100% reliable method for sniffing. The few packets missed while doing live captures with NetworkMiner is what is preventing you from reassembling large files sent over the network.
Please sniff with something like dumpcap for better reliability, and then load the generated PCAP files with NetworkMiner. More information on how to best sniff network traffic is available here:
http://netresec.com/?b=1135E10