Wireshark-users: [Wireshark-users] Understanding SMB flow in Wireshark
From: Rayne <hjazz6@xxxxxxxxx>
Date: Wed, 30 Jan 2013 02:11:55 -0800 (PST)
Hi all,

I have a pcap file that contains traffic from an SMB session. The traffic was recorded when I transferred a text file from a folder on PC A (IP 1.1.1.1) to a shared folder on PC B (IP 2.2.2.2).

The beginning of the file contains the handshake packets, as expected. In the middle, I see packets containing the content of the text file I transferred. The packets are as follows:

Packet 1677: 1.1.1.1:1205 -> 2.2.2.2:445  Close Request, FID: 0x400a
Packet 1678: 2.2.2.2:445 -> 1.1.1.1:1205  Close Response, FID: 0x400a
Packet 1679: 1.1.1.1:1205 -> 2.2.2.2:445  [Continuation to #1685] [TCP Previous segment not captured]
Packet 1680: 1.1.1.1:1205 -> 2.2.2.2:445  [Continuation to #1685]
Packet 1681: 1.1.1.1:1205 -> 2.2.2.2:445  [Continuation to #1685]
Packet 1682: 2.2.2.2:445 -> 1.1.1.1:1205  [TCP Dup ACK 1678#1]
Packet 1683: 2.2.2.2:445 -> 1.1.1.1:1205  [TCP Dup ACK 1678#2]
Packet 1684: 2.2.2.2:445 -> 1.1.1.1:1205  [TCP Dup ACK 1678#3]
Packet 1685: 1.1.1.1:1205 -> 2.2.2.2:445  [TCP Retransmission] Write Andx Request, FID: 0xc006, 61440 bytes at offset 0
Packet 1686: 2.2.2.2:445 -> 1.1.1.1:1205  [ACK]
Packet 1687: 1.1.1.1:1205 -> 2.2.2.2:445  [Continuation to #1685]
Packet 1688: 1.1.1.1:1205 -> 2.2.2.2:445  [Continuation to #1685]
Packet 1689: 2.2.2.2:445 -> 1.1.1.1:1205  [ACK]
...

I see the contents of the file immediately after the TCP header in Packets 1679-1681, and 1687-1688.

In Packet 1685, Wireshark says there's "NetBIOS Session Service" and "SMB (Server Message Block Protocol)" after the TCP header. There are indeed some SMB header bytes and Write Andx data before the text file contents. Also, under "File Data" in the "Write Andx Request", it says "Incomplete. Only 1342 of 61440 bytes".

My question is: what do the [Continuation to #1685] and [TCP Previous segment not captured] mean? It doesn't really make sense to me chronologically how the file is transferred, because I see earlier packets (those before 1685) referring to a later packet (1685). Does Packet 1685 indicate the start of the transfer for the block of 61440 bytes? If so, did 2.2.2.2 not receive the packet, hence the TCP retransmission? Then do Packets 1678-1681 still count, or would 2.2.2.2 discard them?

Thank you.
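The following is an added example, not part of the mailing-list post and not Wireshark's code. It is a toy model of what the dissector does with the frames listed above: it builds a constructed SMB1 Write AndX request inside a NetBIOS Session Service message, cuts it into TCP-sized segments, puts them into the capture order the post shows (the segment carrying the SMB header missing at first, three continuations, then the missing segment as a retransmission), and then reproduces the three things the post asks about: the "previous segment not captured" flag, the "Continuation to #N" labels that point from earlier frames to a later one, and the "Incomplete. Only X of Y bytes" condition when a single frame is looked at without reassembly. Frame numbers, the FID 0xc006, the 61440-byte write and the 1460-byte MSS are constructed to mirror the post; the TCP-analysis rules are a deliberate simplification of Wireshark's.

```python
import struct
from dataclasses import dataclass

SMB_COM_WRITE_ANDX = 0x2F   # SMB1 WRITE_ANDX command code (MS-CIFS)
MSS = 1460                  # TCP payload per segment in the constructed capture


@dataclass
class Segment:
    frame: int      # capture-order frame number (constructed, mirrors the post)
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


def build_write_andx(fid, file_offset, data):
    """Constructed NBSS session message carrying an SMB1 WRITE_ANDX request
    (layout per MS-CIFS 2.2.4.43). Only the fields the parser reads matter."""
    smb_hdr = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", SMB_COM_WRITE_ANDX, 0,
                          0x18, 0xC807, 0, b"\0" * 8, 0, 1, 0xFEFF, 0x0800, 0x40)
    pad = b"\0"
    data_offset = len(smb_hdr) + 29 + 2 + len(pad)  # WordCount+14 words, ByteCount, pad
    words = struct.pack("<BBBHHIIHHHHHI", 14, 0xFF, 0, 0, fid,
                        file_offset & 0xFFFFFFFF, 0, 0, 0,
                        len(data) >> 16, len(data) & 0xFFFF, data_offset,
                        file_offset >> 32)
    body = smb_hdr + words + struct.pack("<H", len(pad) + len(data)) + pad + data
    return struct.pack(">I", len(body)) + body      # NBSS: type 0x00, 24-bit length


def describe_write_andx(buf):
    """Parse NBSS/SMB/WRITE_ANDX headers at the start of buf and report how much
    of the announced file data is really present (the 'Incomplete' check)."""
    nbss_len = int.from_bytes(buf[1:4], "big")
    smb = buf[4:]
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_WRITE_ANDX:
        return None
    fid, = struct.unpack_from("<H", smb, 32 + 5)                  # FID word
    dlen_hi, dlen_lo, doff = struct.unpack_from("<HHH", smb, 32 + 19)
    data_len = (dlen_hi << 16) | dlen_lo
    present = max(0, min(len(smb), nbss_len) - doff)
    return {"fid": fid, "data_len": data_len,
            "present": min(present, data_len), "complete": present >= data_len}


def analyse(capture):
    """Capture-order pass, like Wireshark's TCP analyser on first load: a hole
    when a segment starts past the highest byte seen, a retransmission when it
    starts below it. Simplified: Wireshark also separates out-of-order cases."""
    next_seq, flags = 0, {}
    for s in capture:
        notes = []
        if s.seq > next_seq:
            notes.append("TCP Previous segment not captured")
        if s.seq < next_seq:
            notes.append("TCP Retransmission")
        flags[s.frame] = notes
        next_seq = max(next_seq, s.seq + len(s.payload))
    return flags


def stitch(capture):
    """Stream reassembly: keep the first frame that carried each sequence number
    and walk the stream until the first hole. Assumes no partial overlaps."""
    first = {}
    for s in capture:
        first.setdefault(s.seq, s)
    stream, carriers, pos = bytearray(), [], 0
    while pos in first:
        s = first[pos]
        carriers.append((pos, pos + len(s.payload), s.frame))
        stream += s.payload
        pos += len(s.payload)
    return bytes(stream), carriers


def label_frames(capture):
    """Reproduce 'Continuation to #N': a frame whose bytes fall inside a PDU that
    starts in frame N continues N, even if it was captured before N (which is
    why the post's 1679-1681 point forward to 1685)."""
    stream, carriers = stitch(capture)
    labels, pos = {}, 0
    while pos + 4 <= len(stream):
        pdu_len = 4 + int.from_bytes(stream[pos + 1:pos + 4], "big")
        start = next(fr for lo, hi, fr in carriers if lo <= pos < hi)
        for lo, _, fr in carriers:
            if pos < lo < pos + pdu_len:
                labels[fr] = f"Continuation to #{start}"
        labels[start] = describe_write_andx(stream[pos:pos + pdu_len])
        pos += pdu_len
    return labels


def build_capture():
    """Constructed capture order mirroring the post: header-carrying segment
    absent at first, three continuations, the missing segment as a
    retransmission (frame 1685), then the rest. ACK-only frames are left out."""
    pdu = build_write_andx(fid=0xC006, file_offset=0, data=bytes(61440))
    chunks = [(seq, pdu[seq:seq + MSS]) for seq in range(0, len(pdu), MSS)]
    order = [1, 2, 3, 0] + list(range(4, len(chunks)))
    frames = [1679, 1680, 1681, 1685] + list(range(1687, 1687 + len(chunks) - 4))
    return [Segment(fr, *chunks[i]) for fr, i in zip(frames, order)]


if __name__ == "__main__":
    cap = build_capture()
    flags, labels = analyse(cap), label_frames(cap)
    for s in cap[:5]:
        print(f"#{s.frame} seq={s.seq} {flags[s.frame]} -> {labels[s.frame]}")
    print("frame 1685 on its own:", describe_write_andx(cap[3].payload))
```

Run as a script it prints the flags and labels for the first five constructed frames, then the result of dissecting frame 1685's payload by itself, which is the incomplete-data case: the announced write is 61440 bytes but only the bytes that fit in that one segment are present. The same PDU parsed from the stitched stream is complete, because the reassembler walks by sequence number, not by capture order, and attributes every byte to the first frame that carried it; that is why the retransmitted segment becomes the "start" frame and the earlier-captured segments become its continuations.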