Wireshark-users: Re: [Wireshark-users] Determining SMB client/server from traffic
Rayne, you are correct in your reasoning.
What happens is that 1.1.1.1 does a download request (Read Andx
Request) for "abc.txt" (File ID 0x4007), the server at 2.2.2.2 then
sends the requested file back to 2.2.2.2.
What you can do to get a better view of what is happening in the
SMB transfer is to load the pcap file into NetworkMiner:
http://www.netresec.com/?page=NetworkMiner
/erik
2012/11/29 Rayne <hjazz6@xxxxxxxxx>:
> Hi,
>
> I have a PCAP file that contains some SMB traffic showing the file transfer
> from one PC to another. I'm trying to determine which is the PC that
> initiates the file transfer. From Wireshark, I have the following packets.
>
> NT Create Andx Request, FID: 0x4007, Path: \abc.txt (1.1.1.1:49752 ->
> 2.2.2.2:445)
> NT Create Andx Response, FID: 0x4007 (2.2.2.2:445 -> 1.1.1.1:49752)
> ...
> Read Andx Request, FID: 0x4007, 32768 bytes at offset 0 (1.1.1.1:49752 ->
> 2.2.2.2:445)
> Read Andx Response, FID: 0x4007, 32768 bytes (2.2.2.2:445 -> 1.1.1.1:49752)
> ...
>
> I thought 1.1.1.1 was the one that started the file transfer to 2.2.2.2,
> since 1.1.1.1 is the one requesting and 2.2.2.2 is the one responding. But
> in the Read Andx Response packet, I see the contents of the file being
> transferred. That confused me because if those packets are carrying the file
> contents, doesn't that mean 2.2.2.2 is the one transferring the file to
> 1.1.1.1?
>
> Thank you.
>
> Regards,
> Rayne
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
--
blog: http://www.netresec.com/?page=Blog
twitter: http://twitter.com/netresec
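The confusion in the thread comes from mixing two different questions: who initiated the transfer, and which way the file bytes travelled. In SMB the client is the side that sends requests (the smb.flags.response bit is clear); a Read AndX carries the file content in the server's response, so data flows server -> client, while a Write AndX carries it in the client's request, so data flows client -> server. The script below, added here as an example and not code from either poster or from Wireshark, makes that distinction explicit. It assumes the capture has been exported with tshark using the real field names ip.src, tcp.srcport, ip.dst, tcp.dstport, smb.cmd, smb.flags.response, smb.mid, smb.fid and smb.file (the exact command is in the docstring), and it works on constructed sample lines that mirror the exchange in the post plus an upload of a second, hypothetical file so both directions are exercised. Requests and responses are matched on the multiplex ID (smb.mid) rather than on packet order.

```python
"""Infer SMB1 client/server roles and file-data direction from tshark output.

Added example for this thread; not code from the list posters or Wireshark.
It assumes the capture was exported with these (real) tshark field names:

  tshark -r capture.pcap -Y smb -T fields -E separator='|' \
      -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport \
      -e smb.cmd -e smb.flags.response -e smb.mid -e smb.fid -e smb.file

The SAMPLE lines further down are constructed, not taken from a real capture.
"""
from dataclasses import dataclass

# SMB1 command codes (MS-CIFS section 2.2.2.1)
NT_CREATE_ANDX = 0xA2
READ_ANDX = 0x2E
WRITE_ANDX = 0x2F


@dataclass
class FileTransfer:
    client: str          # host that sent the requests (initiator)
    server: str          # host that answered the requests
    path: str = ""       # file name from the NT Create AndX request
    reads: int = 0       # Read AndX responses seen: bytes flow server -> client
    writes: int = 0      # Write AndX requests seen: bytes flow client -> server

    @property
    def direction(self) -> str:
        """Describe which way the file content travelled on the wire."""
        if self.reads and not self.writes:
            return f"{self.server} -> {self.client} (client downloads)"
        if self.writes and not self.reads:
            return f"{self.client} -> {self.server} (client uploads)"
        if self.reads and self.writes:
            return "both directions"
        return "no file data seen"


def _is_response(flag: str) -> bool:
    # tshark prints booleans as 1/0 in older builds and True/False in newer ones
    return flag.strip().lower() in ("1", "true")


def analyse(lines):
    """Return {(client, server, fid): FileTransfer} for every file handle seen."""
    pending_create = {}   # (client, server, mid) -> path waiting for its FID
    transfers = {}
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        src, sport, dst, dport, cmd, resp, mid, fid, path = raw.split("|")
        cmd = int(cmd, 0)  # accepts "0x2e" (hex display) or "46" (decimal)
        # The role is decided by the request/response flag, not by which
        # side happens to carry the payload bytes.
        if _is_response(resp):
            client, server = dst, src
        else:
            client, server = src, dst
        key_mid = (client, server, mid)
        if cmd == NT_CREATE_ANDX:
            if not _is_response(resp):
                pending_create[key_mid] = path      # request names the file
            else:
                tr = FileTransfer(client, server, pending_create.pop(key_mid, ""))
                transfers[(client, server, fid)] = tr   # response assigns the FID
        elif cmd in (READ_ANDX, WRITE_ANDX):
            tr = transfers.setdefault((client, server, fid),
                                      FileTransfer(client, server))
            if cmd == READ_ANDX and _is_response(resp):
                tr.reads += 1      # response body is the file content
            elif cmd == WRITE_ANDX and not _is_response(resp):
                tr.writes += 1     # request body is the file content
    return transfers


def report(transfers):
    """One human-readable line per file handle."""
    return [f"FID {k[2]} {t.path or '?'}: client={t.client} server={t.server} "
            f"reads={t.reads} writes={t.writes}, data {t.direction}"
            for k, t in sorted(transfers.items())]


# Constructed sample: the download from the post (FID 0x4007) followed by a
# hypothetical upload of \upload.bin (FID 0x4008) over the same session.
SAMPLE = """\
1.1.1.1|49752|2.2.2.2|445|0xa2|0|1|0x4007|\\abc.txt
2.2.2.2|445|1.1.1.1|49752|0xa2|1|1|0x4007|
1.1.1.1|49752|2.2.2.2|445|0x2e|0|2|0x4007|
2.2.2.2|445|1.1.1.1|49752|0x2e|1|2|0x4007|
1.1.1.1|49752|2.2.2.2|445|0x2e|0|3|0x4007|
2.2.2.2|445|1.1.1.1|49752|0x2e|1|3|0x4007|
1.1.1.1|49752|2.2.2.2|445|0xa2|0|4|0x4008|\\upload.bin
2.2.2.2|445|1.1.1.1|49752|0xa2|1|4|0x4008|
1.1.1.1|49752|2.2.2.2|445|0x2f|0|5|0x4008|
2.2.2.2|445|1.1.1.1|49752|0x2f|1|5|0x4008|
"""

if __name__ == "__main__":
    for line in report(analyse(SAMPLE.splitlines())):
        print(line)
```

Run against the sample, the first report line shows 1.1.1.1 as the client for \abc.txt with two Read AndX responses and the data direction 2.2.2.2 -> 1.1.1.1, which is exactly the situation in the post: the client initiated, the server delivered the bytes. Note that the script keys on the request/response flag, not on port 445, so it still classifies correctly when SMB runs on a non-standard port or when a filter has already stripped the TCP layer.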