Wireshark-users: Re: [Wireshark-users] Determining SMB client/server from traffic

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 29 Nov 2012 01:09:04 -0800
On Nov 28, 2012, at 5:46 PM, Rayne <hjazz6@xxxxxxxxx> wrote:

> I have a PCAP file that contains some SMB traffic showing the file transfer from one PC to another. I'm trying to determine which is the PC that initiates the file transfer. From Wireshark, I have the following packets.
> NT Create Andx Request, FID: 0x4007, Path: \abc.txt (1.1.1.1:49752 -> 2.2.2.2:445)
> NT Create Andx Response, FID: 0x4007 (2.2.2.2:445 -> 1.1.1.1:49752)
> ...
> Read Andx Request, FID: 0x4007, 32768 bytes at offset 0 (1.1.1.1:49752 -> 2.2.2.2:445)
> Read Andx Response, FID: 0x4007, 32768 bytes (2.2.2.2:445 -> 1.1.1.1:49752)
> ...
> I thought 1.1.1.1 was the one that started the file transfer to 2.2.2.2, since 1.1.1.1 is the one requesting and 2.2.2.2 is the one responding. But in the Read Andx Response packet, I see the contents of the file being transferred. That confused me because if those packets are carrying the file contents, doesn't that mean 2.2.2.2 is the one transferring the file to 1.1.1.1?

SMB is a file access protocol, not a file transfer protocol, so an SMB session shouldn't be assumed to transfer an entire file - an SMB client could open a file, write 743 bytes to an offset of 4307, read 117 bytes from an offset of 13, and close the file.  (The same applies to NFS, AFP, and NCP (NetWare Core Protocol).)

It is, however, a client-server protocol, and the client initiates *all* operations (except for a few such as oplock breaks).  The client is 1.1.1.1, and it opens the file (NT Create Andx) and then reads data from it (Read Andx), so it is, in fact, the machine that starts the operations.  2.2.2.2 is the server, and it sends file data to 1.1.1.1 in response to a request.

So 1.1.1.1 starts the operations, plural (the open operation and the read operation, in your example), and 2.2.2.2 transfers the data in the response to the read request.

Even for a file transfer protocol - such as the File Transfer Protocol:

	http://tools.ietf.org/html/rfc959

the client starts the operation, regardless of, for example, whether the FTP operation is a GET operation in which the server sends the file data to the client or a PUT operation in which the client sends the file data to the server.
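An added example (not from this message or from Wireshark) that puts the distinction into code: a small Python parser of SMB1 headers names the client as the host that sends requests (reply bit clear in the header Flags byte) and separately tallies which direction file content actually moves. The packet bytes are constructed to mirror the session in the post; command codes and field offsets follow MS-CIFS.

```python
import struct
from collections import Counter

# SMB1 command codes and the header reply flag (MS-CIFS); the session below is constructed.
SMB_COM_READ_ANDX, SMB_COM_WRITE_ANDX, SMB_COM_NT_CREATE_ANDX = 0x2E, 0x2F, 0xA2
SMB_FLAGS_REPLY = 0x80  # set in the 32-byte header's Flags byte on every server reply

def smb1(command, reply, words=b""):
    """Build a minimal SMB1 message: 32-byte header, WordCount, parameter words."""
    flags = SMB_FLAGS_REPLY if reply else 0
    hdr = b"\xffSMB" + bytes([command]) + b"\0" * 4 + bytes([flags]) + b"\0" * 22
    return hdr + bytes([len(words) // 2]) + words

def file_bytes_carried(msg):
    """Bytes of file content in msg: only Read AndX replies and Write AndX requests carry it."""
    command, is_reply = msg[4], bool(msg[9] & SMB_FLAGS_REPLY)
    if command == SMB_COM_READ_ANDX and is_reply:
        return struct.unpack_from("<H", msg, 43)[0]   # DataLength, MS-CIFS 2.2.4.42.2
    if command == SMB_COM_WRITE_ANDX and not is_reply:
        return struct.unpack_from("<H", msg, 53)[0]   # DataLength, MS-CIFS 2.2.4.43.1
    return 0

def classify(packets):
    """packets: (src, dst, smb_payload). The host sending requests is the client;
    file-content direction is reported separately, since SMB is file access, not transfer."""
    requesters, data_flow = Counter(), Counter()
    for src, dst, msg in packets:
        if not msg.startswith(b"\xffSMB") or len(msg) < 33:
            continue
        if not msg[9] & SMB_FLAGS_REPLY:
            requesters[src] += 1
        data_flow[(src, dst)] += file_bytes_carried(msg)
    client = requesters.most_common(1)[0][0]
    return client, {f"{s}->{d}": n for (s, d), n in data_flow.items() if n}

# Constructed session mirroring the post: 1.1.1.1 opens a file and reads 32768 bytes,
# then also writes 743 bytes, so content moves both ways while one host stays the client.
read_words = b"\xff\0" + b"\0" * 8 + struct.pack("<H", 32768) + b"\0" * 12
write_words = b"\xff\0" + b"\0" * 18 + struct.pack("<H", 743) + b"\0\0"
SESSION = [
    ("1.1.1.1", "2.2.2.2", smb1(SMB_COM_NT_CREATE_ANDX, False)),
    ("2.2.2.2", "1.1.1.1", smb1(SMB_COM_NT_CREATE_ANDX, True)),
    ("1.1.1.1", "2.2.2.2", smb1(SMB_COM_READ_ANDX, False)),
    ("2.2.2.2", "1.1.1.1", smb1(SMB_COM_READ_ANDX, True, read_words)),
    ("1.1.1.1", "2.2.2.2", smb1(SMB_COM_WRITE_ANDX, False, write_words)),
    ("2.2.2.2", "1.1.1.1", smb1(SMB_COM_WRITE_ANDX, True)),
]
```

Running `classify(SESSION)` reports 1.1.1.1 as the client even though most of the bytes flow from 2.2.2.2, which is exactly the situation in the post.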