Wireshark-users: Re: [Wireshark-users] Understanding SMB flow in Wireshark

From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 30 Jan 2013 11:32:05 +0100
Hi,

OK, the order of packets is a bit off, which makes it harder to analyze. But if you picture packet 1685 between packet 1678 and 1679 it will all make sense. Since the initial part of the "Write Andx Request" was not seen, the TCP layer on 2.2.2.2 tells 1.1.1.1 that it did not receive part of the communication (the Dup ACKs in 1682, 1683 and 1684). When it does receive that packet, it can then send the data in the correct order and without gaps to the SMB layer. So SMB never sees the strange order of packets; it just sees the data as it expects it.

Cheers,
Sake


On 30 Jan 2013, at 11:11, Rayne wrote:

Hi all,

I have a pcap file that contains traffic from a SMB session. The traffic was recorded when I transferred a text file from a folder on PC A (IP 1.1.1.1) to a shared folder in PC B (IP 2.2.2.2).

The beginning of the file contains the handshake packets, as expected. In the middle, I see packets containing the content of the text file I transferred. The packets are as follows:

Packet 1677: 1.1.1.1:1205 -> 2.2.2.2:445  Close Request, FID: 0x400a
Packet 1678: 2.2.2.2:445 -> 1.1.1.1:1205  Close Response, FID: 0x400a
Packet 1679: 1.1.1.1:1205 -> 2.2.2.2:445  [Continuation to #1685] [TCP Previous segment not captured]
Packet 1680: 1.1.1.1:1205 -> 2.2.2.2:445  [Continuation to #1685]
Packet 1681: 1.1.1.1:1205 -> 2.2.2.2:445  [Continuation to #1685]
Packet 1682: 2.2.2.2:445 -> 1.1.1.1:1205  [TCP Dup ACK 1678#1]
Packet 1683: 2.2.2.2:445 -> 1.1.1.1:1205  [TCP Dup ACK 1678#2]
Packet 1684: 2.2.2.2:445 -> 1.1.1.1:1205  [TCP Dup ACK 1678#3]
Packet 1685: 1.1.1.1:1205 -> 2.2.2.2:445  [TCP Retransmission] Write Andx Request, FID: 0xc006, 61440 bytes at offset 0
Packet 1686: 2.2.2.2:445 -> 1.1.1.1:1205  [ACK]
Packet 1687: 1.1.1.1:1205 -> 2.2.2.2:445  [Continuation to #1685]
Packet 1688: 1.1.1.1:1205 -> 2.2.2.2:445  [Continuation to #1685]
Packet 1689: 2.2.2.2:445 -> 1.1.1.1:1205  [ACK]
...

I see the contents of the file immediately after the TCP header in Packets 1679-1681, and 1687-1688.

In Packet 1685, Wireshark says there's "NetBIOS Session Service" and "SMB (Server Message Block Protocol)" after the TCP header. There are indeed some SMB header bytes and Write Andx data before the text file contents. Also, under "File Data" in the "Write Andx Request", it says "Incomplete. Only 1342 of 61440 bytes".

My question is what does the [Continuation to #1685] and [TCP Previous segment not captured] mean? It doesn't really make sense to me chronologically how the file is transferred, because I see earlier packets (those before 1685) referring to a later packet (1685). Does Packet 1685 indicate the start of the transfer for the block of 61440 bytes? If so, did 2.2.2.2 not receive the packet, hence the TCP retransmission? Then do Packet 1678-1681 still count, or would 2.2.2.2 discard them?

Thank you.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
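The behaviour Sake describes, modelled as an added illustration (this is not code from the thread or from Wireshark): a receiver buffers segments that arrive past a gap and answers each with a duplicate ACK, then hands the whole contiguous run to the application once the retransmitted segment fills the gap, so the SMB layer sees a clean in-order stream. The segment size, the 118-byte NetBIOS/SMB header length (chosen so the first segment carries 1342 of the 61440 file bytes, as the capture reports) and the file contents are constructed; the frame numbers are the ones from the capture excerpt.

```python
"""Toy TCP receiver showing why the capture order looks odd but SMB does not care."""
from dataclasses import dataclass, field

MSS = 1460             # payload bytes per segment (assumed)
SMB_HEADER_LEN = 118   # constructed: NetBIOS + SMB + Write AndX header bytes
WRITE_LEN = 61440      # "61440 bytes at offset 0", from the capture

# Constructed Write AndX request: 4-byte NetBIOS session header (type byte +
# 3-byte length), the SMB magic, opaque header bytes, then the file data.
FILE_DATA = bytes(range(256)) * (WRITE_LEN // 256)
SMB_MSG = (b"\x00" + (SMB_HEADER_LEN - 4 + WRITE_LEN).to_bytes(3, "big")
           + b"\xffSMB" + b"\x00" * (SMB_HEADER_LEN - 8) + FILE_DATA)

# Frame numbers from the capture excerpt, keyed by relative sequence number.
FRAMES = {0: "1685", 1460: "1679", 2920: "1680", 4380: "1681",
          5840: "1687", 7300: "1688"}


@dataclass
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes
    frame: str      # Wireshark frame number, or a synthetic label


def segmentize(stream, mss=MSS):
    """Split an application message into MSS-sized TCP segments."""
    return [Segment(i, stream[i:i + mss], FRAMES.get(i, f"seq{i}"))
            for i in range(0, len(stream), mss)]


@dataclass
class Receiver:
    rcv_nxt: int = 0                                   # next byte expected
    buffered: dict = field(default_factory=dict)       # out-of-order data
    delivered: bytearray = field(default_factory=bytearray)  # what SMB sees
    events: list = field(default_factory=list)         # (frame, kind, ack)

    def receive(self, seg):
        if seg.seq > self.rcv_nxt:
            # Gap ahead of this segment ("Previous segment not captured"):
            # hold the data and re-ACK what we already have (Dup ACK).
            self.buffered[seg.seq] = seg.payload
            self.events.append((seg.frame, "dup ACK", self.rcv_nxt))
            return
        if seg.seq + len(seg.payload) <= self.rcv_nxt:
            self.events.append((seg.frame, "old, dropped", self.rcv_nxt))
            return
        # In order (or overlapping): deliver new bytes, then drain the buffer.
        self._deliver(seg.payload[self.rcv_nxt - seg.seq:])
        while self.rcv_nxt in self.buffered:
            self._deliver(self.buffered.pop(self.rcv_nxt))
        self.events.append((seg.frame, "ACK", self.rcv_nxt))

    def _deliver(self, data):
        self.delivered.extend(data)
        self.rcv_nxt += len(data)


def replay_capture():
    """Feed the receiver the segments in the order the capture shows them:
    frames 1679-1681 first, then the retransmitted 1685, then the rest."""
    segs = segmentize(SMB_MSG)
    arrival = segs[1:4] + [segs[0]] + segs[4:]
    rx = Receiver()
    for s in arrival:
        rx.receive(s)
    return rx


def smb_file_data(rx):
    """The file bytes the SMB layer extracts from the reassembled stream."""
    return bytes(rx.delivered[SMB_HEADER_LEN:SMB_HEADER_LEN + WRITE_LEN])


def dissect_write_andx(data):
    """Parse the constructed framing of a possibly partial Write AndX request
    and return (file bytes present, file bytes announced), the way Wireshark's
    "Incomplete. Only N of M bytes" note does for a single segment."""
    if data[4:8] != b"\xffSMB":
        raise ValueError("not an SMB message")
    nbss_len = int.from_bytes(data[1:4], "big")
    total = nbss_len - (SMB_HEADER_LEN - 4)
    present = max(0, min(len(data) - SMB_HEADER_LEN, total))
    return present, total


if __name__ == "__main__":
    rx = replay_capture()
    for frame, kind, ack in rx.events[:6]:
        print(f"frame {frame}: {kind} {ack}")
    print("file intact:", smb_file_data(rx) == FILE_DATA)
    print("first segment carries", dissect_write_andx(segmentize(SMB_MSG)[0].payload))
```

The three "dup ACK 0" events correspond to frames 1682-1684, and the "ACK 5840" event after the retransmission corresponds to frame 1686, which acknowledges all four segments at once. In a real capture the same annotations can be listed with the display filters `tcp.analysis.lost_segment`, `tcp.analysis.duplicate_ack` and `tcp.analysis.retransmission`.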