
List:       wireshark-users
Subject:    Re: [Wireshark-users] Determining SMB client/server from traffic
From:       Guy Harris <guy () alum ! mit ! edu>
Date:       2012-11-29 9:09:04
Message-ID: 490D07C1-3E93-44A3-B945-1AB4786A6246 () alum ! mit ! edu


On Nov 28, 2012, at 5:46 PM, Rayne <hjazz6@ymail.com> wrote:

> I have a PCAP file that contains some SMB traffic showing the file transfer from
> one PC to another. I'm trying to determine which is the PC that initiates the file
> transfer. From Wireshark, I have the following packets.
>
> NT Create Andx Request, FID: 0x4007, Path: \abc.txt (1.1.1.1:49752 -> 2.2.2.2:445)
> NT Create Andx Response, FID: 0x4007 (2.2.2.2:445 -> 1.1.1.1:49752)
> ...
> Read Andx Request, FID: 0x4007, 32768 bytes at offset 0 (1.1.1.1:49752 -> 2.2.2.2:445)
> Read Andx Response, FID: 0x4007, 32768 bytes (2.2.2.2:445 -> 1.1.1.1:49752)
> ...
> I thought 1.1.1.1 was the one that started the file transfer to 2.2.2.2, since
> 1.1.1.1 is the one requesting and 2.2.2.2 is the one responding. But in the Read
> Andx Response packet, I see the contents of the file being transferred. That
> confused me because if those packets are carrying the file contents, doesn't that
> mean 2.2.2.2 is the one transferring the file to 1.1.1.1?

SMB is a file access protocol, not a file transfer protocol, so an SMB session
shouldn't be assumed to transfer an entire file - an SMB client could open a file,
write 743 bytes to an offset of 4307, read 117 bytes from an offset of 13, and close
the file.  (The same applies to NFS, AFP, and NCP (NetWare Core Protocol).)

It is, however, a client-server protocol, and the client initiates *all* operations
(except for a few such as oplock breaks).  The client is 1.1.1.1, and it opens the
file (NT Create Andx) and then reads data from it (Read Andx), so it is, in fact, the
machine that starts the operations.  2.2.2.2 is the server, and it sends file data to
1.1.1.1 in response to a request.

So 1.1.1.1 starts the operations, plural (the open operation and the read operation,
in your example), and 2.2.2.2 transfers the data in the response to the read request.

Even for a file transfer protocol - such as the File Transfer Protocol:

	http://tools.ietf.org/html/rfc959

the client starts the operation, regardless of, for example, whether the FTP
operation is a GET operation in which the server sends the file data to the client or
a PUT operation in which the client sends the file data to the server.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
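The two rules in the reply above (the client is the side that sends requests; which way the file bytes move depends on the command, not on which side is the client) can be checked mechanically against the SMB1 header rather than by eyeballing Wireshark's summary column. The following is an added example, not code from the original message or from Wireshark: it builds a constructed trace that mirrors Rayne's capture (plus a Write AndX and a server-initiated oplock break) using the 32-byte SMB1 header layout from MS-CIFS, and reads the SMB_FLAGS_REPLY bit (bit 7 of the Flags byte) to tell requests from responses. The endpoints, message IDs and fake file bodies are all invented for the example.

```python
"""Infer SMB client/server roles and data direction from SMB1 headers.

Added example for the thread above, not code from the original message.
Rules applied:
  * the endpoint that sends requests (Flags bit 7 clear) is the client;
  * Read AndX carries file bytes in the *response* (server -> client),
    Write AndX carries them in the *request* (client -> server).
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# SMB1 command codes (MS-CIFS section 2.2.2.1)
SMB_COM_CLOSE = 0x04
SMB_COM_LOCKING_ANDX = 0x24   # also sent unsolicited by the server for oplock breaks
SMB_COM_READ_ANDX = 0x2E
SMB_COM_WRITE_ANDX = 0x2F
SMB_COM_NT_CREATE_ANDX = 0xA2
COMMAND_NAMES = {
    SMB_COM_CLOSE: "Close",
    SMB_COM_LOCKING_ANDX: "Locking AndX",
    SMB_COM_READ_ANDX: "Read AndX",
    SMB_COM_WRITE_ANDX: "Write AndX",
    SMB_COM_NT_CREATE_ANDX: "NT Create AndX",
}

SMB_FLAGS_REPLY = 0x80  # Flags bit 7: set on responses, clear on requests

# Protocol, Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures,
# Reserved, TID, PIDLow, UID, MID -> 32 bytes, little-endian
SMB1_HEADER = struct.Struct("<4sBIBHHQHHHHH")


@dataclass
class Packet:
    src: str        # "ip:port" of the sender
    dst: str
    payload: bytes  # SMB message, starting at the 0xFF 'S' 'M' 'B' signature


def build_message(command: int, is_reply: bool, mid: int, body: bytes = b"") -> bytes:
    """Constructed SMB1 message; only the header fields this example uses are set."""
    flags = SMB_FLAGS_REPLY if is_reply else 0
    return SMB1_HEADER.pack(b"\xffSMB", command, 0, flags, 0, 0, 0, 0, 1, 0xFEFF, 1, mid) + body


def parse_header(payload: bytes) -> dict:
    if len(payload) < SMB1_HEADER.size or payload[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    f = SMB1_HEADER.unpack_from(payload)
    return {"command": f[1], "is_reply": bool(f[3] & SMB_FLAGS_REPLY), "mid": f[11]}


def data_direction(pkt: Packet, hdr: dict) -> Optional[tuple]:
    """(from, to) for a message that carries file bytes, else None."""
    if hdr["command"] == SMB_COM_READ_ANDX and hdr["is_reply"]:
        return (pkt.src, pkt.dst)      # read data rides in the response
    if hdr["command"] == SMB_COM_WRITE_ANDX and not hdr["is_reply"]:
        return (pkt.src, pkt.dst)      # write data rides in the request
    return None


def analyze(packets: list) -> dict:
    """Identify client and server, then list who initiated each operation
    and which way file data moved. Assumes one two-endpoint SMB session."""
    votes = Counter()
    ops, transfers = [], []
    for pkt in packets:
        hdr = parse_header(pkt.payload)
        # Sender of a request is normally the client. An oplock break is the
        # exception (server sends an unsolicited Locking AndX *request*), so a
        # per-packet rule would misattribute it; a majority vote does not.
        initiator = pkt.dst if hdr["is_reply"] else pkt.src
        votes[initiator] += 1
        flow = data_direction(pkt, hdr)
        name = COMMAND_NAMES.get(hdr["command"], hex(hdr["command"]))
        ops.append({"mid": hdr["mid"], "op": name, "reply": hdr["is_reply"],
                    "initiator": initiator, "data": flow})
        if flow:
            transfers.append((name,) + flow)
    client = votes.most_common(1)[0][0]
    endpoints = {pkt.src for pkt in packets} | {pkt.dst for pkt in packets}
    server = (endpoints - {client}).pop()
    return {"client": client, "server": server, "operations": ops, "transfers": transfers}


# Constructed trace modelled on the capture in the thread (not real packets).
C, S = "1.1.1.1:49752", "2.2.2.2:445"
SAMPLE = [
    Packet(C, S, build_message(SMB_COM_NT_CREATE_ANDX, False, 1)),
    Packet(S, C, build_message(SMB_COM_NT_CREATE_ANDX, True, 1)),
    Packet(C, S, build_message(SMB_COM_READ_ANDX, False, 2)),
    Packet(S, C, build_message(SMB_COM_READ_ANDX, True, 2, b"contents of abc.txt")),
    Packet(C, S, build_message(SMB_COM_WRITE_ANDX, False, 3, b"bytes the client writes")),
    Packet(S, C, build_message(SMB_COM_WRITE_ANDX, True, 3)),
    Packet(S, C, build_message(SMB_COM_LOCKING_ANDX, False, 0xFFFF)),  # oplock break
    Packet(C, S, build_message(SMB_COM_CLOSE, False, 4)),
    Packet(S, C, build_message(SMB_COM_CLOSE, True, 4)),
]

if __name__ == "__main__":
    result = analyze(SAMPLE)
    print("client:", result["client"], "server:", result["server"])
    for op in result["operations"]:
        print(f"  mid={op['mid']:#06x} {op['op']:<15} "
              f"{'response' if op['reply'] else 'request '} initiated by {op['initiator']}"
              + (f"  data {op['data'][0]} -> {op['data'][1]}" if op["data"] else ""))
```

Run it as-is: every operation except the oplock break reports 1.1.1.1 as the initiator, while the Read AndX response shows data 2.2.2.2 -> 1.1.1.1 and the Write AndX request shows data 1.1.1.1 -> 2.2.2.2, which is exactly the distinction the reply draws between starting an operation and carrying its bytes. On a real capture the `payload` would come from the TCP stream on port 445 after the 4-byte NetBIOS session header, and SMB2 uses a different header (0xFE 'S' 'M' 'B', with its own SMB2_FLAGS_SERVER_TO_REDIR bit), so this parser deliberately refuses anything that is not SMB1.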


