Wireshark mailing list archives

Re: "Visually" re-assemble packet


From: Guy Harris <guy () alum mit edu>
Date: Mon, 8 Dec 2014 17:53:00 -0800


On Dec 8, 2014, at 4:13 PM, Christopher Smith <Christopher.Smith () au gt com> wrote:

Honestly, was hoping to export “just” SMB to CSV so our Pivot Table guru can mash it up to their heart's content.
If I filter only SMB, their run will not include all the traffic – just tail frames.

What is a "tail frame"?

If you filter only SMB, you will see all *SMB* traffic.  If a given SMB packet is in multiple link-layer frames, only 
the last frame will show up if you filter with "smb".  Is that what you're talking about?

And "export to CSV" really means "export {particular set of items} to CSV"; what are the particular items you want to 
export?  Do you want one line of CSV for each SMB request or response?  Are you *just* analyzing at the SMB layer, so 
that you only want information about the SMB request or response, and don't care about the individual link-layer frames 
that make it up?  Or do you need to know the lower-level details about the TCP segments and IP datagrams (if 
SMB-over-TCP or SMB-over-NetBIOS-over-TCP) and link-layer frames that contribute to each SMB request or response?

Note that a single TCP segment can contain *multiple* SMB requests or responses; this adds an additional layer of 
complexity, and one that a filter of "smb" won't help - that's not reassembly, however, that's *dis*assembly.  A true 
"show me a view at the protocol XXX layer" would, for SMB, show a line in the summary for each SMB request or response, 
even if that means two lines for a given link-layer frame or if it means one line for multiple link-layer frames or 
*both* (consider a TCP segment that contains the first part of one request or response, followed by another segment 
that contains the rest of that request or response and all or part of a *subsequent* request or response).
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
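As an added example, not from this thread nor from Wireshark's own code, the following Python models the "disassembly" Guy describes: it walks a constructed SMB-over-NetBIOS-over-TCP byte stream segment by segment and emits one CSV line per SMB request or response, recording every segment that carried part of it and the segment in which it completed (the only frame a plain "smb" filter would display). The NetBIOS session length is treated as a plain 24-bit field and the SMB1 header is not parsed beyond the command byte; both are simplifications assumed for the illustration.

```python
SMB1_MAGIC = b"\xffSMB"                        # SMB1 header magic

def nbss_pdu(smb_command: int, payload: bytes) -> bytes:
    """Build one NetBIOS-session-framed SMB1 PDU (constructed sample, not a real capture)."""
    smb = SMB1_MAGIC + bytes([smb_command]) + bytes(27) + payload   # 32-byte header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb              # NBSS: type 0x00 + 3-byte length

def disassemble(segments):
    """Walk TCP segments in order and emit one record per SMB PDU.

    Each record lists every segment that carried part of the PDU and the segment
    in which it completed, which is the only frame a plain "smb" filter shows."""
    records, buf, frames = [], b"", []
    for frame_no, data in segments:
        buf += data
        frames.append(frame_no)
        while len(buf) >= 4:                          # need the NBSS header first
            pdu_len = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + pdu_len:                # PDU continues in a later segment
                break
            smb = buf[4:4 + pdu_len]
            if not smb.startswith(SMB1_MAGIC):
                raise ValueError(f"frame {frame_no}: not an SMB1 PDU")
            records.append({"cmd": smb[4], "length": pdu_len,
                            "frames": list(frames), "reassembled_in": frame_no})
            buf = buf[4 + pdu_len:]
            frames = [frame_no] if buf else []        # leftover bytes start the next PDU here
    return records

def to_csv(records) -> str:
    """One CSV line per SMB request/response, not one per link-layer frame."""
    lines = ["pdu,cmd,length,frames,reassembled_in"]
    for i, r in enumerate(records, 1):
        lines.append(f"{i},0x{r['cmd']:02x},{r['length']},"
                     f"{'/'.join(map(str, r['frames']))},{r['reassembled_in']}")
    return "\n".join(lines)

# Constructed stream: NEGOTIATE (0x72), SESSION_SETUP_ANDX (0x73), TREE_CONNECT_ANDX (0x75).
PDUS = [nbss_pdu(0x72, b"negotiate"), nbss_pdu(0x73, b"sesssetup"), nbss_pdu(0x75, b"treeconn")]
STREAM = b"".join(PDUS)
_a, _b = len(PDUS[0]), len(PDUS[1])
# Segment 1: start of PDU 1. Segment 2: rest of PDU 1, all of PDU 2, start of PDU 3. Segment 3: rest of PDU 3.
SEGMENTS = [(1, STREAM[:_a - 5]), (2, STREAM[_a - 5:_a + _b + 7]), (3, STREAM[_a + _b + 7:])]

if __name__ == "__main__":
    print(to_csv(disassemble(SEGMENTS)))
```

Running it prints three CSV rows: PDU 1 spans frames 1/2, PDU 2 sits wholly in frame 2 alongside the tail of PDU 1 and the head of PDU 3, and PDU 3 spans frames 2/3.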