Hello All, I need to understand the SMB Write AndX Request order Please correct me if i am wrong with process as follows: Thanks asked 14 Feb '12, 06:07  tbaror edited 14 Feb '12, 06:51  grahamb ♦ |
2 Answers:
I think you wonder why you see lots of packets (named "reassembled PDU") before the "Write AndX Response"? That is a result of your Wireshark having the setting "Allow subdisectors to reassemble TCP streams" enabled, which is the default. It basically means that Wireshark will first gather ALL packets that are part of the response before announcing it (in the last packet). Try turning it of (Preferences -> Protocols -> TCP), and you'll see the "true" order of packets, but it will not reassemble their payload anymore (which is usually only bad if you need to reconstruct the contents that were transfered, see the Export -> Objects -> SMB menu option - it will not work as well if reassembly is turned off) answered 14 Feb '12, 08:03  Jasper ♦♦ |
I'd actually expect to see several "[TCP segment of a reassembled PDU]" packets before a Write AndX request. A Write AndX request would contain the data to be written to the file, and it might not all fit in a single TCP segment, so I'd expect to see the earlier segments and then see the last segment marked as the request. A Write AndX response should just contain information such as a success-or-failure indication and should fit in one TCP segment, although it could conceivably be split between TCP segments. answered 14 Feb '12, 14:54  Guy Harris ♦♦ |
