Sorry for my sorry terminology, responding …
On Dec 8, 2014, at 4:13 PM, Christopher Smith <Christopher.Smith@xxxxxxxxx> wrote:
> Honestly, was hoping to export “just” SMB to CSV so our Pivot Table guru can mash it up to their hearts content.
> If I filter only SMB, their run will not include all the traffic – just tail frames.
What is a "tail frame"?
If you filter only SMB, you will see all *SMB* traffic. If a given SMB packet is in multiple link-layer frames, only the last frame will show up if you filter with "smb". Is that what you're talking about?
Yes
And "export to CSV" really means "export {particular set of items} to CSV"; what are the particular items you want to export? Do you want one line of CSV for each SMB request or response? Are you *just* analyzing at the SMB layer, so that you only want information
about the SMB request or response, and don't care about the individual link-layer frames that make it up? Or do you need to know the lower-level details about the TCP segments and IP datagrams (if SMB-over-TCP or SMB-over-NetBIOS-over-TCP) and link-layer frames
that contribute to each SMB request or response?
Note that a single TCP segment can contain *multiple* SMB requests or responses; this adds an additional layer of complexity, and one that a filter of "smb" won't help - that's not reassembly, however, that's *dis*assembly. A true "show me a view at the protocol
XXX layer" would, for SMB, show a line in the summary for each SMB request or response, even if that means two lines for a given link-layer frame or if it means one line for multiple link-layer frames or *both* (consider a TCP segment that contains the first
part of one request or response, followed by another segment that contains the rest of that request or response and all or part of a *subsequent* request or response).
We’re getting there
J I would expect the complexity you have described (2 for 1, 1 for multi, or both) and would be grateful to see that, as a massaged
trace. I think in the end game, it would be some sort of Export feature that combines/amalgamates/merges frames into packets, packets into segments, then segements into protocol – and then dump that into another trace. I would imagine – if I’m the only one
asking this specifically – that this ultimately won’t happen!
I won’t keep you – I have been grateful for your expertise, seriously! FWIW, I have found today TCP StreamGraph
à Throughput Graph – which I believe would be the ultimate end of the Pivot guru’s first analysis, and so distributing.
Thanks again!
Regards,
Christopher
'Grant Thornton' refers to the brand under which the Grant Thornton member
firms provide assurance, tax and advisory services to their clients and/or refers to one or more member firms, as the context requires. Grant Thornton Australia Ltd is a member firm of Grant Thornton International Ltd (GTIL). GTIL and the member firms are
not a worldwide partnership. GTIL and each member firm is a separate legal entity. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate one another and are not
liable for one another’s acts or omissions. In the Australian context only, the use of the term 'Grant Thornton' may refer to Grant Thornton Australia Limited ABN 41 127 556 389 and its Australian subsidiaries and related entities. GTIL is not an Australian
related entity to Grant Thornton Australia Limited.
Liability limited by a scheme approved under Professional Standards Legislation.
Liability is limited in those States where a current scheme applies.
Registered Office, Level 30, 525 Collins Street, Melbourne VIC 3000
DISCLAIMER
This email message and any related attachments are confidential and should only be read by those persons to whom they were addressed. They may contain copyright, personal or legally privileged information. If you are not the intended recipient of this email,
any use, copying or disclosure of this information is strictly prohibited. If you have received this email in error please notify the sender and delete this email immediately. Any confidentiality, privilege or copyright is not waived or lost because this email
has been sent to you in error. Views expressed in this message are the views of the sender and are not necessarily views of Grant Thornton, except where the message expressly states otherwise. Any advice contained herein should be treated as preliminary advice
only and subject to formal written confirmation. Although this email and any attachments are believed to be free of any virus or any other defect which may cause damage or loss, it is the responsibility of the recipient to ensure that they are virus‐free.
Grant Thornton accepts no liability for any loss or damage that may occur as a result of the transmission of this email or its attachments to the recipient.
|
