Wireshark mailing list archives

Re: Determining SMB client/server from traffic


From: Erik Hjelmvik <erik.hjelmvik () gmail com>
Date: Thu, 29 Nov 2012 08:38:05 +0100

Rayne, You are correct in your reasoning.

What happens is that 1.1.1.1 does a download request (Read Andx
Request) for "abc.txt" (File ID 0x4007); the server at 2.2.2.2 then
sends the requested file back to 2.2.2.2.

What you can do to get a better view of what is happening in the
SMB transfer is to load the pcap file into NetworkMiner:
http://www.netresec.com/?page=NetworkMiner

/erik

2012/11/29 Rayne <hjazz6 () ymail com>:
Hi,

I have a PCAP file that contains some SMB traffic showing the file transfer
from one PC to another. I'm trying to determine which is the PC that
initiates the file transfer. From Wireshark, I have the following packets.

NT Create Andx Request, FID: 0x4007, Path: \abc.txt (1.1.1.1:49752 ->
2.2.2.2:445)
NT Create Andx Response, FID: 0x4007 (2.2.2.2:445 -> 1.1.1.1:49752)
...
Read Andx Request, FID: 0x4007, 32768 bytes at offset 0 (1.1.1.1:49752 ->
2.2.2.2:445)
Read Andx Response, FID: 0x4007, 32768 bytes (2.2.2.2:445 -> 1.1.1.1:49752)
...

I thought 1.1.1.1 was the one that started the file transfer to 2.2.2.2,
since 1.1.1.1 is the one requesting and 2.2.2.2 is the one responding. But
in the Read Andx Response packet, I see the contents of the file being
transferred. That confused me because if those packets are carrying the file
contents, doesn't that mean 2.2.2.2 is the one transferring the file to
1.1.1.1?

Thank you.

Regards,
Rayne

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe



-- 
blog: http://www.netresec.com/?page=Blog
twitter: http://twitter.com/netresec
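As an added example (not code from this thread or from NetworkMiner), the small Python script below applies Erik's reasoning to packet summaries like the ones Rayne pasted: the side that sends requests to TCP/445 is the SMB client, and whether the file contents ride in a Read AndX response or a Write AndX request decides the direction of the copy. The record fields and sample packets are constructed from the thread's values, and the code also handles the Write AndX (upload) case the thread does not show.

```python
from dataclasses import dataclass
from typing import Optional
SMB_PORT = 445

@dataclass
class SmbPkt:
    """One SMB1 packet as Wireshark's Info column summarizes it (constructed fields)."""
    src: str
    sport: int
    dst: str
    dport: int
    cmd: str               # "NT Create AndX", "Read AndX" or "Write AndX"
    response: bool
    fid: Optional[int] = None
    path: Optional[str] = None
    nbytes: int = 0

def summarize_transfers(pkts):
    """Return (client, server, {fid: {"path", "direction", "bytes"}}).
    Client = the side sending requests to TCP/445. File contents ride in Read AndX
    responses (client pulls) or Write AndX requests (client pushes), so direction is
    decided per file, independently of who opened the session."""
    client = server = None
    pending = {}   # (requester ip, port) -> path from an outstanding NT Create AndX
    files = {}
    for p in pkts:
        if not p.response and p.dport == SMB_PORT:
            client, server = client or p.src, server or p.dst
        if p.cmd == "NT Create AndX" and not p.response:
            pending[(p.src, p.sport)] = p.path          # the FID only arrives in the response
        elif p.cmd == "NT Create AndX":
            files[p.fid] = {"path": pending.pop((p.dst, p.dport), "<unknown>"),
                            "direction": None, "bytes": 0}
        elif (p.cmd, p.response) in (("Read AndX", True), ("Write AndX", False)) and p.nbytes:
            f = files.setdefault(p.fid, {"path": "<unknown>", "direction": None, "bytes": 0})
            f["direction"] = (f"{p.dst} downloaded from {p.src}" if p.response
                              else f"{p.src} uploaded to {p.dst}")
            f["bytes"] += p.nbytes
    return client, server, files

# Constructed sample mirroring the thread: 1.1.1.1 opens \abc.txt on 2.2.2.2 and reads it.
SAMPLE = [
    SmbPkt("1.1.1.1", 49752, "2.2.2.2", 445, "NT Create AndX", False, path=r"\abc.txt"),
    SmbPkt("2.2.2.2", 445, "1.1.1.1", 49752, "NT Create AndX", True, fid=0x4007),
    SmbPkt("1.1.1.1", 49752, "2.2.2.2", 445, "Read AndX", False, fid=0x4007),
    SmbPkt("2.2.2.2", 445, "1.1.1.1", 49752, "Read AndX", True, fid=0x4007, nbytes=32768),
]

if __name__ == "__main__":
    print(summarize_transfers(SAMPLE))   # client 1.1.1.1 downloaded \abc.txt from 2.2.2.2
```

The same logic applies to a real capture once the packets are exported from Wireshark (for example as a tshark field listing) and mapped onto the record fields above.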