Wireshark mailing list archives

Determining SMB client/server from traffic


From: Rayne <hjazz6 () ymail com>
Date: Wed, 28 Nov 2012 17:46:39 -0800 (PST)

Hi,

I have a PCAP file that contains some SMB traffic showing the file transfer from one PC to another. I'm trying to determine which is the PC that initiates the file transfer. From Wireshark, I have the following packets.
NT Create Andx Request, FID: 0x4007, Path: \abc.txt (1.1.1.1:49752 -> 2.2.2.2:445)
NT Create Andx Response, FID: 0x4007 (2.2.2.2:445 -> 1.1.1.1:49752)
...
Read Andx Request, FID: 0x4007, 32768 bytes at offset 0 (1.1.1.1:49752 -> 2.2.2.2:445)
Read Andx Response, FID: 0x4007, 32768 bytes (2.2.2.2:445 -> 1.1.1.1:49752)
...

I thought 1.1.1.1 was the one that started the file transfer to 2.2.2.2, since 1.1.1.1 is the one requesting and 2.2.2.2 is the one responding. But in the Read Andx Response packet, I see the contents of the file being transferred. That confused me because if those packets are carrying the file contents, doesn't that mean 2.2.2.2 is the one transferring the file to 1.1.1.1?

Thank you.

Regards,
Rayne
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
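As an added worked example (not part of Rayne's post or of any reply in the thread): a small Python script that parses Wireshark Info-column summary lines of the kind quoted above, identifies the SMB client (the host that sends the requests, here to port 445) and reports, per FID, which way the file contents moved: server to client when they ride in Read AndX responses, client to server when they ride in Write AndX requests. The sample lines are constructed; the first session reproduces the post's packets with a few plausible follow-on lines added, the second is a hypothetical upload of a file named \upload.bin that is not in the capture described.

```python
import re
from collections import defaultdict

# Constructed sample (not from a real capture): Wireshark summary lines in the
# format "<Command> <Request|Response>, <fields> (src:port -> dst:port)".
# The first four lines reproduce the post; the rest are assumed follow-on packets.
READ_SESSION = [
    r"NT Create Andx Request, FID: 0x4007, Path: \abc.txt (1.1.1.1:49752 -> 2.2.2.2:445)",
    r"NT Create Andx Response, FID: 0x4007 (2.2.2.2:445 -> 1.1.1.1:49752)",
    r"Read Andx Request, FID: 0x4007, 32768 bytes at offset 0 (1.1.1.1:49752 -> 2.2.2.2:445)",
    r"Read Andx Response, FID: 0x4007, 32768 bytes (2.2.2.2:445 -> 1.1.1.1:49752)",
    r"Read Andx Request, FID: 0x4007, 32768 bytes at offset 32768 (1.1.1.1:49752 -> 2.2.2.2:445)",
    r"Read Andx Response, FID: 0x4007, 4096 bytes (2.2.2.2:445 -> 1.1.1.1:49752)",
    r"Close Request, FID: 0x4007 (1.1.1.1:49752 -> 2.2.2.2:445)",
    r"Close Response, FID: 0x4007 (2.2.2.2:445 -> 1.1.1.1:49752)",
]

# Constructed counter-example (hypothetical file name): the same client uploading
# a file, so the contents travel in Write AndX requests instead.
WRITE_SESSION = [
    r"NT Create Andx Request, FID: 0x4008, Path: \upload.bin (1.1.1.1:49753 -> 2.2.2.2:445)",
    r"NT Create Andx Response, FID: 0x4008 (2.2.2.2:445 -> 1.1.1.1:49753)",
    r"Write Andx Request, FID: 0x4008, 65536 bytes at offset 0 (1.1.1.1:49753 -> 2.2.2.2:445)",
    r"Write Andx Response, FID: 0x4008, 65536 bytes (2.2.2.2:445 -> 1.1.1.1:49753)",
]

LINE_RE = re.compile(
    r"^(?P<cmd>.+?) (?P<kind>Request|Response)"
    r"(?:, (?P<fields>.*?))? "
    r"\((?P<src>[^:\s]+):(?P<sport>\d+) -> (?P<dst>[^:\s]+):(?P<dport>\d+)\)$"
)
FID_RE = re.compile(r"FID: (0x[0-9a-fA-F]+)")
PATH_RE = re.compile(r"Path: (\S+)")
BYTES_RE = re.compile(r"(\d+) bytes")


def parse_line(line):
    """Split one summary line into command, request/response, fields and endpoints."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised summary line: {line!r}")
    d = m.groupdict()
    fields = d["fields"] or ""
    fid, path, nbytes = FID_RE.search(fields), PATH_RE.search(fields), BYTES_RE.search(fields)
    return {
        "cmd": d["cmd"], "kind": d["kind"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "fid": fid.group(1) if fid else None,
        "path": path.group(1) if path else None,
        "bytes": int(nbytes.group(1)) if nbytes else 0,
    }


def analyze(lines):
    """Identify client and server, and per FID which way the file data moved."""
    pkts = [parse_line(l) for l in lines]
    requests = [p for p in pkts if p["kind"] == "Request"]
    if not requests:
        raise ValueError("no SMB requests in session")
    # The client is whoever sends requests; the server is whoever answers them.
    client, server = requests[0]["src"], requests[0]["dst"]
    anomalies = []
    files = defaultdict(lambda: {"path": None, "read_bytes": 0, "write_bytes": 0})
    for p in pkts:
        expected_src = client if p["kind"] == "Request" else server
        if p["src"] != expected_src:
            anomalies.append(f"{p['cmd']} {p['kind']} from unexpected host {p['src']}")
        if p["fid"] is None:
            continue
        entry = files[p["fid"]]
        if p["path"]:
            entry["path"] = p["path"]
        # File contents ride in Read responses (server -> client)
        # and in Write requests (client -> server).
        cmd = p["cmd"].lower()
        if cmd.startswith("read") and p["kind"] == "Response":
            entry["read_bytes"] += p["bytes"]
        elif cmd.startswith("write") and p["kind"] == "Request":
            entry["write_bytes"] += p["bytes"]
    for entry in files.values():
        r, w = entry["read_bytes"], entry["write_bytes"]
        entry["data_direction"] = ("both" if r and w else "server->client" if r
                                   else "client->server" if w else "none")
    return {"client": client, "server": server, "server_port": requests[0]["dport"],
            "files": dict(files), "anomalies": anomalies}


if __name__ == "__main__":
    for name, session in (("read", READ_SESSION), ("write", WRITE_SESSION)):
        result = analyze(session)
        print(name, result["client"], "->", result["server"], result["files"])
```

The point the script makes explicit is that "who initiates" and "which way the bytes go" are two different questions: the client always drives the session (every request comes from the ephemeral port side), but in a read the payload is in the server's responses, in a write it is in the client's requests. The parser is written against the Info-column text quoted in the post; feeding it a real capture would mean exporting equivalent lines (for example with tshark `-T fields` on `ip.src`, `tcp.srcport`, `ip.dst`, `tcp.dstport`, `smb.cmd`, `smb.flags.response` and `smb.fid`) and adjusting the regular expressions to that layout.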
