Diffstat (limited to 'test')
-rw-r--r--test/captures/smb311-aes-128-gcm.pcap.gzbin0 -> 1380 bytes
-rw-r--r--test/suite_decryption.py14
2 files changed, 14 insertions, 0 deletions
diff --git a/test/captures/smb311-aes-128-gcm.pcap.gz b/test/captures/smb311-aes-128-gcm.pcap.gz
new file mode 100644
index 0000000000..02e34a90da
--- /dev/null
+++ b/test/captures/smb311-aes-128-gcm.pcap.gz
Binary files differ
diff --git a/test/suite_decryption.py b/test/suite_decryption.py
index 06cca6367e..568e095a43 100644
--- a/test/suite_decryption.py
+++ b/test/suite_decryption.py
@@ -1107,3 +1107,17 @@ class case_decrypt_smb2(subprocesstest.SubprocessTestCase):
'-Y', 'smb2.tree == "{}"'.format(tree.replace('\\', '\\\\')),
))
self.assertEqual(tree, proc.stdout_str.strip())
+
+ def test_smb311_aes128gcm(self, cmd_tshark, capture_file):
+ '''Check SMB 3.1.1 AES128GCM decryption.'''
+ sesid = '3900000000400000'
+ seskey = 'e79161ded03bda1449b2c8e58f753953'
+ tree = r'\\dfsroot1.foo.test\IPC$'
+ proc = self.assertRun((cmd_tshark,
+ '-r', capture_file('smb311-aes-128-gcm.pcap.gz'),
+ '-o', 'uat:smb2_seskey_list:{},{}'.format(sesid, seskey),
+ '-Tfields',
+ '-e', 'smb2.tree',
+ '-Y', 'smb2.tree == "{}"'.format(tree.replace('\\', '\\\\')),
+ ))
+ self.assertEqual(tree, proc.stdout_str.strip())
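Review bot: test_smb311_aes128gcm only exercises the success path, so it would still pass if `smb2.tree` were readable in this capture without the key; whether the tree connect in smb311-aes-128-gcm.pcap.gz is actually encrypted cannot be seen from the hunk. A second run with a deliberately wrong session key, asserting empty output with `self.assertEqual('', proc.stdout_str.strip())`, would tie the result to the AES-128-GCM decryption path rather than to the dissector alone. The body also repeats the tshark invocation of the preceding test (the three context lines above match the last three lines here), so a small helper taking the capture name, session id, session key and tree would keep the cases in step. A comment such as `# session id and key are fixture data for the bundled capture only` would make clear that the hex values are not reusable secrets. The enclosing class begins outside the hunk.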