I was doing some tests and came across something that I don't understand. I was capturing a file download from an FTP server. When I look at the very last packet from the sender, it matches the size of the downloaded file - 2 bytes (for SYN / FIN packets). I was uploading the same file to an SMB share, but this time the very last packet of the sender has a higher sequence number value than the file size itself??? Relative Seq Numbers are enabled. It might be something simple, but I'm puzzled ...
Any ideas, please?
asked 14 Nov '15, 14:40
That's because the FTP transfer you looked at was a raw data transfer, meaning that it only transported the file content (the rest, like the get/put commands, is happening in a second session). SMB has additional protocol headers that are transported over TCP, and transfers the files in chunks (usually 64k). Look at your SMB packets and you'll see the headers - this is what takes additional bytes away from your sequence number calculation.
answered 14 Nov '15, 16:50
edited 14 Nov '15, 16:50
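The framing overhead described in the answer, as an added example that is not part of the original thread: it builds a constructed client-to-server byte stream of SMB2 WRITE requests and walks it to separate file payload from header bytes, which is the gap between file size and the bytes TCP sequence numbers count. Assumptions: SMB2 over Direct TCP, 64 KiB chunks, no signing, encryption or compounding, and none of the negotiate, create or close messages a real session also carries; the function names and the file handle are hypothetical.

```python
import struct

SMB2_WRITE = 0x0009
CHUNK = 64 * 1024            # the "usually 64k" chunk size from the answer
FILE_ID = b"\x11" * 16       # constructed file handle

def build_write(offset: int, data: bytes, msg_id: int) -> bytes:
    """Constructed SMB2 WRITE request behind its 4-byte Direct TCP length prefix."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 1, 0, SMB2_WRITE,
                         1, 0, 0, msg_id, 0, 1, 1, b"\x00" * 16)
    # Fixed 48-byte WRITE body; DataOffset counts from the start of the SMB2 header.
    body = struct.pack("<HHIQ16sIIHHI", 49, 64 + 48, len(data), offset,
                       FILE_ID, 0, 0, 0, 0, 0)
    msg = header + body + data
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def smb_upload_stream(content: bytes) -> bytes:
    """Client-to-server bytes for an upload, WRITE requests only (assumption)."""
    return b"".join(build_write(off, content[off:off + CHUNK], i)
                    for i, off in enumerate(range(0, len(content), CHUNK)))

def account_stream(stream: bytes) -> dict:
    """Split a reassembled TCP stream into file payload and SMB framing bytes."""
    pos = payload = messages = 0
    while pos < len(stream):
        if len(stream) - pos < 4 or stream[pos] != 0:
            raise ValueError(f"bad Direct TCP prefix at offset {pos}")
        msg_len = int.from_bytes(stream[pos + 1:pos + 4], "big")
        msg = stream[pos + 4:pos + 4 + msg_len]
        if len(msg) != msg_len or msg_len < 64 or msg[:4] != b"\xfeSMB":
            raise ValueError(f"truncated or non-SMB2 message at offset {pos}")
        (command,) = struct.unpack_from("<H", msg, 12)
        if command == SMB2_WRITE:
            if msg_len < 64 + 48:
                raise ValueError(f"short WRITE request at offset {pos}")
            data_off, data_len = struct.unpack_from("<HI", msg, 66)
            if data_off + data_len > msg_len:
                raise ValueError(f"WRITE data overruns message at offset {pos}")
            payload += data_len
        messages += 1
        pos += 4 + msg_len
    return {"stream_bytes": len(stream), "file_bytes": payload,
            "overhead_bytes": len(stream) - payload, "messages": messages}

if __name__ == "__main__":
    content = bytes(150_000)                 # constructed 150,000-byte file
    print("FTP data connection carries:", len(content), "bytes")
    print("SMB2 upload carries:", account_stream(smb_upload_stream(content)))
```

Each WRITE request in this model adds 116 bytes (4-byte prefix, 64-byte SMB2 header, 48-byte fixed WRITE body) on top of the file data it carries.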