Wireshark-users: Re: [Wireshark-users] "Visually" re-assemble packet
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 8 Dec 2014 17:53:00 -0800
On Dec 8, 2014, at 4:13 PM, Christopher Smith <Christopher.Smith@xxxxxxxxx> wrote:

> Honestly, was hoping to export “just” SMB to CSV so our Pivot Table guru can mash it up to their heart's content.
> If I filter only SMB, their run will not include all the traffic – just tail frames.

What is a "tail frame"?

If you filter only SMB, you will see all *SMB* traffic.  If a given SMB packet is in multiple link-layer frames, only the last frame will show up if you filter with "smb".  Is that what you're talking about?

And "export to CSV" really means "export {particular set of items} to CSV"; what are the particular items you want to export?  Do you want one line of CSV for each SMB request or response?  Are you *just* analyzing at the SMB layer, so that you only want information about the SMB request or response, and don't care about the individual link-layer frames that make it up?  Or do you need to know the lower-level details about the TCP segments and IP datagrams (if SMB-over-TCP or SMB-over-NetBIOS-over-TCP) and link-layer frames that contribute to each SMB request or response?

Note that a single TCP segment can contain *multiple* SMB requests or responses; this adds an additional layer of complexity, and one that a filter of "smb" won't help - that's not reassembly, however, that's *dis*assembly.  A true "show me a view at the protocol XXX layer" would, for SMB, show a line in the summary for each SMB request or response, even if that means two lines for a given link-layer frame or if it means one line for multiple link-layer frames or *both* (consider a TCP segment that contains the first part of one request or response, followed by another segment that contains the rest of that request or response and all or part of a *subsequent* request or response).
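As an added illustration of the reassembly-versus-disassembly point above (example code written for this page; it is not Wireshark's code and not from anyone on the thread): the script below walks a sequence of TCP payloads carrying NetBIOS-framed SMB1 and emits one record per SMB request or response, recording which TCP segments contributed bytes to each. It assumes SMB1 over direct-hosted TCP (a 4-byte NetBIOS Session Service header per PDU, SMB1 header with the command at offset 4 and the reply bit at offset 9), and the sample segments are constructed, not taken from a capture.

```python
"""One record per SMB PDU from a TCP byte stream (added example; not Wireshark code).

On TCP port 445 each SMB1 request/response is wrapped in a 4-byte NetBIOS
Session Service header: a message-type byte (0x00 = session message) and a
24-bit big-endian length. A TCP segment can carry several such PDUs, and one
PDU can span several segments, so a per-frame view (what a display filter of
"smb" shows) and a per-PDU view are different things.
"""
import csv
import io
from dataclasses import dataclass, field

SMB1_MAGIC = b"\xffSMB"
SMB_FLAGS_REPLY = 0x80   # bit 7 of the SMB1 header Flags byte (header offset 9)


@dataclass
class SmbPdu:
    cmd: int                 # SMB1 command byte (header offset 4); -1 if header not yet seen
    is_reply: bool
    length: int              # SMB payload length from the NetBIOS header
    segments: list = field(default_factory=list)   # indices of TCP segments holding its bytes
    complete: bool = True    # False when the stream ends before the PDU does


def _segments_covering(bounds, start, end):
    """Indices of segments whose [first, last) byte range overlaps [start, end)."""
    return [i for i, (s, e) in enumerate(bounds) if s < end and e > start]


def split_smb_pdus(segments):
    """Walk ordered TCP payloads and return one SmbPdu per NetBIOS-framed SMB1 message."""
    stream = b"".join(segments)
    bounds, pos = [], 0
    for seg in segments:
        bounds.append((pos, pos + len(seg)))
        pos += len(seg)

    pdus, off = [], 0
    while off + 4 <= len(stream):            # need a whole NetBIOS header to continue
        msg_type = stream[off]
        length = int.from_bytes(stream[off + 1:off + 4], "big")
        if msg_type != 0x00:
            raise ValueError(f"unexpected NetBIOS message type 0x{msg_type:02x} at offset {off}")
        body_start, body_end = off + 4, off + 4 + length
        complete = body_end <= len(stream)
        header = stream[body_start:body_start + 10]
        if len(header) < 10:                  # cannot classify yet; report it and stop
            pdus.append(SmbPdu(-1, False, length,
                               _segments_covering(bounds, off, len(stream)), False))
            break
        if not header.startswith(SMB1_MAGIC):
            raise ValueError(f"payload at offset {body_start} is not SMB1")
        pdus.append(SmbPdu(
            cmd=header[4],
            is_reply=bool(header[9] & SMB_FLAGS_REPLY),
            length=length,
            segments=_segments_covering(bounds, off, min(body_end, len(stream))),
            complete=complete,
        ))
        if not complete:                      # rest of this PDU is in segments we don't have yet
            break
        off = body_end
    return pdus


def pdus_to_csv(pdus):
    """One CSV line per SMB PDU, listing the TCP segments that contributed to it."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["pdu", "cmd", "reply", "length", "segments", "complete"])
    for n, p in enumerate(pdus, 1):
        cmd = f"0x{p.cmd:02x}" if p.cmd >= 0 else "?"
        w.writerow([n, cmd, int(p.is_reply), p.length,
                    " ".join(map(str, p.segments)), int(p.complete)])
    return out.getvalue()


# --- constructed sample traffic (not a real capture) ------------------------
def _smb1(cmd, reply=False, extra=b""):
    """Minimal 32-byte SMB1 header: magic, command, status, flags, then zero padding."""
    flags = SMB_FLAGS_REPLY if reply else 0
    return SMB1_MAGIC + bytes([cmd]) + b"\x00" * 4 + bytes([flags]) + b"\x00" * 22 + extra


def _nbss(body):
    """Wrap an SMB message in a NetBIOS Session Service header."""
    return b"\x00" + len(body).to_bytes(3, "big") + body


def sample_segments():
    """Three TCP payloads: one whole PDU, one spanning two segments, two in one, one cut off."""
    a = _nbss(_smb1(0x72))                    # SMB_COM_NEGOTIATE request, 36 bytes
    b = _nbss(_smb1(0x73, extra=b"A" * 40))   # SMB_COM_SESSION_SETUP_ANDX request, 76 bytes
    c = _nbss(_smb1(0x73, reply=True))        # its response, 36 bytes
    d = _nbss(_smb1(0x25))                    # SMB_COM_TRANSACTION request, truncated below
    return [a + b[:30], b[30:] + c, d[:20]]


if __name__ == "__main__":
    print(pdus_to_csv(split_smb_pdus(sample_segments())), end="")
```

Run on the sample, the second PDU is reported with segments `0 1` (it spans two TCP payloads, so a per-frame view shows it only in the frame where it ends), the third shares segment 1 with the tail of the second, and the fourth is flagged incomplete because the stream ends mid-PDU. Replacing `sample_segments()` with the ordered payloads of a real TCP stream (for instance exported with `tshark -T fields -e tcp.payload`) gives the per-PDU CSV the original poster asked about.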