How to decrypt SMB3 traffic

Lilia 1 Reputation point
2023-05-17T12:34:41.5466667+00:00

The method of using

netsh trace start provider=Microsoft-Windows-SMBClient

saving as pcap in NetMon doesn't produce decrypted traffic.

Described at Plugfest https://www.youtube.com/watch?v=aGG7cpLxdfQ

Windows development | Windows Open Specifications

2 answers

  1. Gary Nebbett 6,216 Reputation points
    2023-05-17T13:08:03.2166667+00:00

    Hello Lilia,

    You need to use Message Analyzer to view the decrypted traffic; NetMon does not know how to interpret the ETW events containing the decrypted data. Among other things, the data in the ETW trace file is just the SMB data without any TCP/IP headers.

    It is possible to write a tool to extract the plaintext SMB data from an ETW trace and save it in a pcap/pcapng format (with faked TCP/IP headers); this allows Wireshark to be used to analyze the packets.

    Gary
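
Gary's second paragraph describes a tool that re-wraps the plaintext SMB data in fake TCP/IP headers so Wireshark can dissect it. The following Python is an added illustration of that idea, not code from the answer or from Microsoft: it assumes the SMB2 messages have already been pulled out of the ETW events by some other step, and the addresses, ports and sample message are constructed placeholders.

```python
import socket
import struct

# Constructed sample: a bare 64-byte SMB2 header (NEGOTIATE, MessageId 0), standing in for
# one plaintext SMB message extracted from the Microsoft-Windows-SMBClient ETW events.
SAMPLE_SMB2 = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0) + bytes(16)
SRC_MAC, DST_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # locally administered, fake


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (caller zeroes the checksum field first)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def wrap_smb_frame(smb_msg, src_ip, dst_ip, sport, dport, seq):
    """Wrap one plaintext SMB2 message in fake Ethernet/IPv4/TCP headers.
    Direct-hosted SMB over TCP/445 prefixes every message with a 4-byte length field,
    which Wireshark's SMB2 dissector expects to find right after the TCP header."""
    payload = struct.pack("!I", len(smb_msg)) + smb_msg
    # TCP: data offset 5 words, flags PSH|ACK, checksum left zero (Wireshark does not verify it by default)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the real header checksum
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip + tcp + payload


def build_pcap(messages, client=("192.0.2.10", 49152), server=("192.0.2.20", 445)):
    """messages: iterable of (is_client_to_server, smb_bytes, unix_time_float) in capture order.
    Returns a classic pcap (LINKTYPE_ETHERNET) as bytes; TCP sequence numbers advance per direction."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # global header
    seq = {True: 1, False: 1}
    for to_server, msg, ts in messages:
        src, dst = (client, server) if to_server else (server, client)
        frame = wrap_smb_frame(msg, src[0], dst[0], src[1], dst[1], seq[to_server])
        seq[to_server] += 4 + len(msg)
        out.append(struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame)) + frame)
    return b"".join(out)


if __name__ == "__main__":
    with open("smb_plaintext.pcap", "wb") as f:
        f.write(build_pcap([(True, SAMPLE_SMB2, 0.0), (False, SAMPLE_SMB2, 0.5)]))
```

Open the resulting file in Wireshark and it dissects the frames as SMB2 over TCP/445; the TCP checksums are deliberately zero, so leave TCP checksum validation disabled.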


  2. Obaid Farooqi MSFT 751 Reputation points Microsoft Employee Moderator
    2023-05-20T02:51:46.21+00:00

    This issue is now resolved. The poster was provided with the latest copy of Message Analyzer.

    For the latest copy of Message Analyzer, please send an email to dochelp at Microsoft dot com.

    Regards,

    Obaid Farooqi - MSFT

