Wireshark mailing list archives

Re: Determining SMB client/server from traffic


From: MP <addax.ws () gmail com>
Date: Wed, 28 Nov 2012 18:16:32 -0800

Hi,

Based on the information in your email:
1.1.1.1 is an SMB client.
2.2.2.2 is an SMB server.

The client requests to open the file \abc.txt.
The server confirms that the file exists and is available for this user.
Then the client requests 32768 bytes of file content from the start of the file.
The server responds with the file contents.

In future, look at the port to determine where the server is. The server
listens and responds on port 445 for SMB; the client will have a random port.

Regards,
Max

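The exchange Max describes, worked through in code as an added example (this is not code from the original thread or from Wireshark). It constructs the four SMB1 messages from the question in-line (1.1.1.1:49752 and 2.2.2.2:445, FID 0x4007, a 32768-byte Read AndX at offset 0), then decides which host is the client using two independent signals that must agree: the well-known port 445 and the SMB header reply flag (Flags bit 0x80, set on every response). Field layouts follow MS-CIFS; the builder and classifier functions, the constructed file contents and the sample addresses are this example's own assumptions.

```python
"""Decide which SMB1 endpoint is the client, and who actually sends file bytes.

Added example, not code from the original mailing-list thread.  Packets are
constructed below to mirror the trace in the question; header layouts follow
MS-CIFS, but every builder/parser here is this example's own.
"""
import struct

SMB_PORT = 445
SMB_MAGIC = b"\xffSMB"
SMB_FLAGS_REPLY = 0x80                  # SMB1 header Flags bit 7: set on responses
SMB_COM_READ_ANDX = 0x2E
SMB_COM_NT_CREATE_ANDX = 0xA2
NAMES = {SMB_COM_READ_ANDX: "Read AndX", SMB_COM_NT_CREATE_ANDX: "NT Create AndX"}


def smb1_message(command, is_reply, body, mid):
    """NBSS session header (type 0x00 + 24-bit length) + 32-byte SMB1 header + body."""
    flags = SMB_FLAGS_REPLY if is_reply else 0
    hdr = struct.pack("<4sBIBHHQHHHHH", SMB_MAGIC, command, 0, flags, 0, 0, 0, 0, 1, 0x1234, 0x0800, mid)
    return struct.pack(">I", 32 + len(body)) + hdr + body


def nt_create_request(path, mid):
    # WordCount 24; ASCII file name (Flags2 Unicode bit not set) follows ByteCount
    words = struct.pack("<BBHBHIIIQIIIIIB", 0xFF, 0, 0, 0, len(path), 0, 0, 0x20089, 0, 0x80, 7, 1, 0x40, 2, 0)
    body = bytes([24]) + words + struct.pack("<H", len(path) + 1) + path.encode() + b"\x00"
    return smb1_message(SMB_COM_NT_CREATE_ANDX, False, body, mid)


def nt_create_response(fid, mid):
    words = struct.pack("<BBHBHIQQQQIQQHHB", 0xFF, 0, 0, 0, fid, 1, 0, 0, 0, 0, 0x80, 32768, 32768, 0, 0, 0)
    return smb1_message(SMB_COM_NT_CREATE_ANDX, True, bytes([34]) + words + b"\x00\x00", mid)


def read_request(fid, offset, count, mid):
    words = struct.pack("<BBHHIHHIHI", 0xFF, 0, 0, fid, offset & 0xFFFFFFFF, count, count, 0, 0, offset >> 32)
    return smb1_message(SMB_COM_READ_ANDX, False, bytes([12]) + words + b"\x00\x00", mid)


def read_response(data, mid):
    data_off = 32 + 1 + 24 + 2              # DataOffset is relative to the SMB header start
    words = struct.pack("<BBHHHHHHHHHHH", 0xFF, 0, 0, 0, 0, 0, len(data) & 0xFFFF, data_off, len(data) >> 16, 0, 0, 0, 0)
    return smb1_message(SMB_COM_READ_ANDX, True, bytes([12]) + words + struct.pack("<H", len(data)) + data, mid)


def parse_smb1(payload):
    """Return the command, its direction (from the reply flag) and the fields that matter here."""
    if payload[4:8] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    _, cmd, _status, flags, *_rest, mid = struct.unpack("<4sBIBHHQHHHHH", payload[4:36])
    info = {"command": NAMES.get(cmd, hex(cmd)), "is_reply": bool(flags & SMB_FLAGS_REPLY), "mid": mid}
    body = payload[36:]
    words = body[1:1 + 2 * body[0]]
    if cmd == SMB_COM_NT_CREATE_ANDX and not info["is_reply"]:
        name_len = struct.unpack_from("<H", words, 5)[0]
        info["path"] = body[1 + len(words) + 2:][:name_len].decode()
    elif cmd == SMB_COM_NT_CREATE_ANDX:
        info["fid"] = struct.unpack_from("<H", words, 5)[0]
    elif cmd == SMB_COM_READ_ANDX and not info["is_reply"]:
        info["fid"], info["offset"], info["count"] = struct.unpack_from("<HIH", words, 4)
    elif cmd == SMB_COM_READ_ANDX:
        dlen, doff, dlen_hi = struct.unpack_from("<HHH", words, 10)
        info["data"] = payload[4 + doff:][:dlen | (dlen_hi << 16)]  # the file contents
    return info


def classify_endpoints(packets):
    """packets: (src_ip, src_port, dst_ip, dst_port, payload) -> (client_ip, server_ip).

    The port heuristic and the reply flag are checked independently and must agree;
    a disagreement means the capture is not the simple exchange assumed here."""
    by_port, by_flag = set(), set()
    for src, sport, dst, dport, payload in packets:
        if dport == SMB_PORT:
            by_port.add((src, dst))
        elif sport == SMB_PORT:
            by_port.add((dst, src))
        by_flag.add((dst, src) if parse_smb1(payload)["is_reply"] else (src, dst))
    if len(by_port) != 1 or by_port != by_flag:
        raise ValueError(f"inconsistent direction evidence: port={by_port} flag={by_flag}")
    return next(iter(by_port))


def data_bytes_by_sender(packets):
    """Who puts file contents on the wire: Read AndX response data, summed per source IP."""
    totals = {}
    for src, _, _, _, payload in packets:
        totals[src] = totals.get(src, 0) + len(parse_smb1(payload).get("data", b""))
    return totals


# Constructed trace matching the question; the file contents are made up.
CLIENT, SERVER = ("1.1.1.1", 49752), ("2.2.2.2", 445)
FILE_DATA = b"A" * 32768
TRACE = [
    (*CLIENT, *SERVER, nt_create_request("\\abc.txt", mid=1)),
    (*SERVER, *CLIENT, nt_create_response(0x4007, mid=1)),
    (*CLIENT, *SERVER, read_request(0x4007, 0, 32768, mid=2)),
    (*SERVER, *CLIENT, read_response(FILE_DATA, mid=2)),
]

if __name__ == "__main__":
    client, server = classify_endpoints(TRACE)
    print(f"client {client} initiated the open and the read; server {server} sent the bytes")
    for src, sport, dst, dport, payload in TRACE:
        info = parse_smb1(payload)
        print(f"{src}:{sport} -> {dst}:{dport}  {info['command']} {'Response' if info['is_reply'] else 'Request'}")
    print("file bytes on the wire by sender:", data_bytes_by_sender(TRACE))
```

The result is the point of the thread: the requests (and so the initiative) come from 1.1.1.1, while every byte of file content travels in Read AndX responses from 2.2.2.2, which is what a "download" looks like on the wire. Two caveats when applying this to real captures: older SMB1 sessions may run over NetBIOS on TCP port 139 rather than 445, and SMB2/SMB3 shares port 445 but uses a different header (magic 0xFE 'S' 'M' 'B', with the response indicated by Flags bit 0x00000001), so the reply-flag check above only applies to SMB1.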

On Wed, Nov 28, 2012 at 5:46 PM, Rayne <hjazz6 () ymail com> wrote:

Hi,

I have a PCAP file that contains some SMB traffic showing the file
transfer from one PC to another. I'm trying to determine which is the PC
that initiates the file transfer. From Wireshark, I have the following
packets.

NT Create Andx Request, FID: 0x4007, Path: \abc.txt (1.1.1.1:49752 -> 2.2.2.2:445)
NT Create Andx Response, FID: 0x4007 (2.2.2.2:445 -> 1.1.1.1:49752)
...
Read Andx Request, FID: 0x4007, 32768 bytes at offset 0 (1.1.1.1:49752 -> 2.2.2.2:445)
Read Andx Response, FID: 0x4007, 32768 bytes (2.2.2.2:445 -> 1.1.1.1:49752)
...

I thought 1.1.1.1 was the one that started the file transfer to 2.2.2.2,
since 1.1.1.1 is the one requesting and 2.2.2.2 is the one responding. But
in the Read Andx Response packet, I see the contents of the file being
transferred. That confused me because if those packets are carrying the
file contents, doesn't that mean 2.2.2.2 is the one transferring the file
to 1.1.1.1?

Thank you.

Regards,
Rayne

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
