On Dec 8, 2014, at 4:13 PM, Christopher Smith <Christopher.Smith@xxxxxxxxx> wrote:
> Honestly, was hoping to export “just” SMB to CSV so our Pivot Table guru can mash it up to their heart's content.
> If I filter only SMB, their run will not include all the traffic – just tail frames.
What is a "tail frame"?
If you filter only SMB, you will see all *SMB* traffic. If a given SMB packet is in multiple link-layer frames, only the last frame will show up if you filter with "smb". Is that what you're talking about?
And "export to CSV" really means "export {particular set of items} to CSV"; what are the particular items you want to export? Do you want one line of CSV for each SMB request or response? Are you *just* analyzing at the SMB layer, so that you only want information about the SMB request or response, and don't care about the individual link-layer frames that make it up? Or do you need to know the lower-level details about the TCP segments and IP datagrams (if SMB-over-TCP or SMB-over-NetBIOS-over-TCP) and link-layer frames that contribute to each SMB request or response?
Note that a single TCP segment can contain *multiple* SMB requests or responses; this adds an additional layer of complexity, and one that a filter of "smb" won't help - that's not reassembly, however, that's *dis*assembly. A true "show me a view at the protocol XXX layer" would, for SMB, show a line in the summary for each SMB request or response, even if that means two lines for a given link-layer frame or if it means one line for multiple link-layer frames or *both* (consider a TCP segment that contains the first part of one request or response, followed by another segment that contains the rest of that request or response and all or part of a *subsequent* request or response).
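The per-request/response view the reply describes, as an added example that is not part of this mail thread or of any Wireshark/tshark code: a small Python disassembler for one direction of an SMB1-over-NBSS (TCP/445) byte stream that emits one CSV line per SMB PDU and records which link-layer frames contributed to it. The frames, commands and payload sizes are constructed here for illustration; the 32-byte SMB1 header layout (magic, command, status, flags, then the remaining fields zeroed) and the 4-byte NBSS header are the only protocol facts it relies on. It covers both cases in the mail: a PDU spanning several frames (reassembly) and several PDUs inside one frame (disassembly), including a frame that ends with only the NBSS header of the next PDU.

```python
import csv
import io
import struct
from dataclasses import dataclass

# Framing for SMB1 over NetBIOS Session Service (NBSS), i.e. direct-hosted
# SMB on TCP/445: a 4-byte NBSS header (type 0x00, 24-bit big-endian length)
# precedes every SMB PDU.
NBSS_SESSION_MESSAGE = 0x00
SMB1_MAGIC = b"\xffSMB"
SMB1_HEADER_LEN = 32
SMB_FLAGS_REPLY = 0x80            # SMB1 Flags bit 7: set on responses
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_COM_NT_CREATE_ANDX = 0xA2


def build_nbss_smb1(cmd, response, payload):
    """Build one NBSS-framed SMB1 PDU with a minimal 32-byte header.

    Header bytes: Magic(4) Command(1) Status(4) Flags(1), then 22 zero bytes
    standing in for Flags2/PIDHigh/SecuritySignature/Reserved/TID/PID/UID/MID,
    which this example does not need.
    """
    flags = SMB_FLAGS_REPLY if response else 0
    header = SMB1_MAGIC + struct.pack("<BIB", cmd, 0, flags) + b"\x00" * 22
    body = header + payload
    return bytes([NBSS_SESSION_MESSAGE]) + len(body).to_bytes(3, "big") + body


# Constructed sample: four client requests on one TCP connection (one
# direction only; a real tool runs one disassembler per direction), cut into
# three "frames" at arbitrary TCP segment boundaries.
_STREAM = (
    build_nbss_smb1(SMB_COM_NEGOTIATE, False, b"\x00" * 8)             # 44 wire bytes
    + build_nbss_smb1(SMB_COM_SESSION_SETUP_ANDX, False, b"\x00" * 60)  # 96
    + build_nbss_smb1(SMB_COM_TREE_CONNECT_ANDX, False, b"\x00" * 20)   # 56
    + build_nbss_smb1(SMB_COM_NT_CREATE_ANDX, False, b"\x00" * 30)      # 66
)
CONSTRUCTED_FRAMES = [
    (1, _STREAM[:80]),      # PDU 1 complete + first 36 bytes of PDU 2
    (2, _STREAM[80:200]),   # rest of PDU 2 + PDU 3 + NBSS header of PDU 4
    (3, _STREAM[200:]),     # rest of PDU 4
]


@dataclass
class SmbPdu:
    index: int        # 1-based PDU number in this direction
    cmd: int
    response: bool
    length: int       # SMB header + payload bytes (NBSS header excluded)
    frames: list      # frame numbers whose TCP payload contributed


class NbssSmb1Disassembler:
    """Cut one direction of a TCP byte stream into SMB1 PDUs."""

    def __init__(self):
        self.buf = bytearray()
        self.frames = []   # frames that contributed bytes still in self.buf
        self.pdus = []

    def feed(self, frame_no, tcp_payload):
        if not tcp_payload:
            return self.pdus
        self.buf += tcp_payload
        self.frames.append(frame_no)
        while len(self.buf) >= 4:
            if self.buf[0] != NBSS_SESSION_MESSAGE:
                raise ValueError("unexpected NBSS message type 0x%02x" % self.buf[0])
            length = int.from_bytes(self.buf[1:4], "big")
            if len(self.buf) < 4 + length:
                break                       # remainder arrives in a later frame
            pdu = bytes(self.buf[4:4 + length])
            del self.buf[:4 + length]
            if pdu[:4] != SMB1_MAGIC or len(pdu) < SMB1_HEADER_LEN:
                raise ValueError("not an SMB1 PDU")
            self.pdus.append(SmbPdu(len(self.pdus) + 1, pdu[4],
                                    bool(pdu[9] & SMB_FLAGS_REPLY),
                                    length, list(self.frames)))
            # Leftover bytes can only come from the current frame: the buffer
            # held at most one partial PDU before this feed, and it is now out.
            self.frames = [frame_no] if self.buf else []
        return self.pdus


def disassemble(frames):
    d = NbssSmb1Disassembler()
    for frame_no, payload in frames:
        d.feed(frame_no, payload)
    if d.buf:
        raise ValueError("stream ended mid-PDU: %d bytes pending" % len(d.buf))
    return d.pdus


def to_csv(pdus):
    """One CSV row per SMB PDU; contributing frame numbers joined with ';'."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["smb_pdu", "command", "direction", "smb_len", "frames"])
    for p in pdus:
        w.writerow([p.index, "0x%02x" % p.cmd,
                    "response" if p.response else "request",
                    p.length, ";".join(str(f) for f in p.frames)])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(disassemble(CONSTRUCTED_FRAMES)), end="")
```

On the constructed input this yields four rows: PDU 2 lists frames 1 and 2, PDUs 2 and 3 both list frame 2, and PDU 4 lists frames 2 and 3, which is exactly the "two lines for one frame, one line for several frames, or both" situation the reply describes. A frame-oriented export (for instance tshark's `-T fields`, which writes one line per frame) would instead give a single line for frame 2 carrying the values of every PDU that touches it.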