Tip from Laura: SMB2 Vulnerability Wireshark Filter

The big tech news this morning was a recently discovered SMB2 vulnerability in Windows Vista, Windows Server 2008, and Windows 7. Laura Chappell created a Wireshark display filter for identifying offending traffic:

((smb.cmd == 0x72) && (smb.flags.response == 0)) && !(smb.pid.high == 0)

The filter selects SMB_COM_NEGOTIATE requests (command 0x72 with the response flag clear) whose Process ID High header field is non-zero, a value a normal negotiate request does not carry. Note that it uses smb.* rather than smb2.* fields: the negotiate request that selects the SMB2 dialect is sent in the SMB1 header format, so that is where the field lives. See the full report on her site for more information.
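To show what the three clauses of the filter actually test, here is the same logic written against raw bytes: a decoder for the 32-byte SMB1 header followed by a function that returns true exactly when Wireshark's filter would match. This is an added example, not code from Laura's report; the sample packets are constructed by hand (the non-zero pid_high value 0x0100 is an arbitrary illustration, not the exploit's payload) and the NT LM 0.12 dialect string is just there to make the negotiate body well formed.

```python
"""Pure-Python equivalent of the Wireshark display filter

    ((smb.cmd == 0x72) && (smb.flags.response == 0)) && !(smb.pid.high == 0)

applied to raw SMB messages (added example; sample packets are constructed)."""
import struct

SMB1_HEADER_LEN = 32
SMB_COM_NEGOTIATE = 0x72      # smb.cmd == 0x72
SMB_FLAGS_REPLY = 0x80        # Flags bit 7, set on responses (smb.flags.response)
_HDR_FMT = "<BIBHH8sHHHHH"    # fields after the 4-byte "\xffSMB" signature, little-endian


def parse_smb1_header(msg: bytes):
    """Decode the fixed 32-byte SMB1 header; None if msg is not an SMB1 message."""
    if len(msg) < SMB1_HEADER_LEN or msg[:4] != b"\xffSMB":
        return None
    (command, status, flags, flags2, pid_high, _security_features,
     _reserved, tid, pid_low, uid, mid) = struct.unpack(_HDR_FMT, msg[4:SMB1_HEADER_LEN])
    return {
        "cmd": command, "status": status, "flags": flags, "flags2": flags2,
        "pid_high": pid_high, "tid": tid, "pid_low": pid_low, "uid": uid, "mid": mid,
        "is_response": bool(flags & SMB_FLAGS_REPLY),
    }


def matches_filter(msg: bytes) -> bool:
    """True when the packet would satisfy all three clauses of the display filter."""
    hdr = parse_smb1_header(msg)
    if hdr is None:               # SMB2-format or non-SMB traffic has no smb.* fields
        return False
    return (hdr["cmd"] == SMB_COM_NEGOTIATE
            and not hdr["is_response"]
            and hdr["pid_high"] != 0)


def build_smb1_header(command: int, flags: int = 0, pid_high: int = 0) -> bytes:
    """Build a header for the constructed samples (flags2 0xC801 is a typical client value)."""
    return b"\xffSMB" + struct.pack(_HDR_FMT, command, 0, flags, 0xC801, pid_high,
                                    b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)


# Constructed sample traffic. The negotiate body is a minimal SMB_COM_NEGOTIATE
# request: WordCount=0, ByteCount, then one dialect string (0x02 prefix, NUL-terminated).
DIALECT = b"\x02NT LM 0.12\x00"
NEGOTIATE_BODY = b"\x00" + struct.pack("<H", len(DIALECT)) + DIALECT

SAMPLE_PACKETS = [
    build_smb1_header(SMB_COM_NEGOTIATE) + NEGOTIATE_BODY,                         # 0: normal negotiate
    build_smb1_header(SMB_COM_NEGOTIATE, pid_high=0x0100) + NEGOTIATE_BODY,        # 1: PID High set -> hit
    build_smb1_header(SMB_COM_NEGOTIATE, flags=SMB_FLAGS_REPLY, pid_high=0x0100)
    + b"\x00" * 8,                                                                 # 2: a response, excluded
    build_smb1_header(0x75, pid_high=0x0100) + b"\x00" * 8,                        # 3: other command, excluded
    b"\xfeSMB" + b"\x00" * 60,                                                     # 4: SMB2 header, no smb.* fields
]


def scan(packets):
    """Return the indexes of packets the filter would select."""
    return [i for i, p in enumerate(packets) if matches_filter(p)]


if __name__ == "__main__":
    for i in scan(SAMPLE_PACKETS):
        h = parse_smb1_header(SAMPLE_PACKETS[i])
        print(f"packet {i}: negotiate request with pid_high=0x{h['pid_high']:04x}")
```

Packets 2 through 4 show why each clause is needed: a server response can legitimately echo the field, other commands are not the trigger, and an SMB2-format header (0xFE 'SMB') has no smb.pid.high field at all, so a filter written against smb2.* fields would never see the offending negotiate.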

1 thought on “Tip from Laura: SMB2 Vulnerability Wireshark Filter”

  1. Jay

    Hi,
    I am doing some software performance testing (through a network environment) and I'm using Wireshark to analyze it.
    My capture filter is ether host xx:xx:xx and my display filter is smb2.
    What filter syntax should I use to remove the packets using GUID handle file:xxx under the smb2 protocol?
    Please help.
