No.  Time      Source       Destination  Protocol  Length  Info
175  0.084625  10.10.10.62  10.10.10.59  DCERPC    238     Bind: call_id: 2 Fragment: Single, 2 context items, 1st SVCCTL V2.0

Frame 175: 238 bytes on wire (1904 bits), 238 bytes captured (1904 bits) Arrival Time: Dec 23, 2011 12:00:44.307456000 Mitteleuropäische Zeit Epoch Time: 1324638044.307456000 seconds [Time delta from previous captured frame: 0.000293000 seconds] [Time delta from previous displayed frame: 0.000293000 seconds] [Time since reference or first frame: 0.084625000 seconds] Frame Number: 175 Frame Length: 238 bytes (1904 bits) Capture Length: 238 bytes (1904 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:nbss:smb:dcerpc] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: Giga-Byt_c1:9b:fb (00:24:1d:c1:9b:fb), Dst: CadmusCo_26:38:6b (08:00:27:26:38:6b) Destination: CadmusCo_26:38:6b (08:00:27:26:38:6b) Address: CadmusCo_26:38:6b (08:00:27:26:38:6b) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Source: Giga-Byt_c1:9b:fb (00:24:1d:c1:9b:fb) Address: Giga-Byt_c1:9b:fb (00:24:1d:c1:9b:fb) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.10.10.62 (10.10.10.62), Dst: 10.10.10.59 (10.10.10.59) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 224 Identification: 0x5d9c (23964) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. ....
= More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x73ef [correct] [Good: True] [Bad: False] Source: 10.10.10.62 (10.10.10.62) Destination: 10.10.10.59 (10.10.10.59) Transmission Control Protocol, Src Port: 50746 (50746), Dst Port: microsoft-ds (445), Seq: 182374, Ack: 1178, Len: 184 Source port: 50746 (50746) Destination port: microsoft-ds (445) [Stream index: 0] Sequence number: 182374 (relative sequence number) [Next sequence number: 182558 (relative sequence number)] Acknowledgement number: 1178 (relative ack number) Header length: 20 bytes Flags: 0x18 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgement: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set Window size value: 16269 [Calculated window size: 16269] [Window size scaling factor: -1 (unknown)] Checksum: 0x7dfc [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 174] [The RTT to ACK the segment was: 0.000293000 seconds] [Bytes in flight: 184] NetBIOS Session Service Message Type: Session message (0x00) Length: 180 SMB (Server Message Block Protocol) SMB Header Server Component: SMB [Response in: 176] SMB Command: Write AndX (0x2f) NT Status: STATUS_SUCCESS (0x00000000) Flags: 0x18 0... .... = Request/Response: Message is a request to the server .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc807 1... .... .... .... 
= Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported .... .... .0.. .... = Long Names Used: Path names in request are not long file names .... .... .... .1.. = Security Signatures: Security signatures are supported .... .... .... ..1. = Extended Attributes: Extended attributes are supported .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: 6d94ebeb10be311f Reserved: 0000 Tree ID: 61446 Process ID: 65279 User ID: 24578 Multiplex ID: 18049 Write AndX Request (0x2f) Word Count (WCT): 14 AndXCommand: No further commands (0xff) Reserved: 00 AndXOffset: 57054 FID: 0x8003 (\svcctl) [Opened in: 172] [Closed in: 199] [File Name: \svcctl] Create Flags: 0x00000010 .... .... .... .... .... .... ...1 .... = Extended Response: Extended responses required .... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file .... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock .... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock Access Mask: 0x0012019f 0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set .... .... ...1 .... .... .... .... .... 
= Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership) .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC .... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID .... .... .... ...0 .... .... .... .... = Delete: NO delete access .... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access .... .... .... .... .... .... ..0. .... = Execute: NO execute access .... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access .... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access .... .... .... .... .... .... .... .1.. = Append: APPEND access .... .... .... .... .... .... .... ..1. = Write: WRITE access .... .... .... .... .... .... .... ...1 = Read: READ access File Attributes: 0x00000000 .... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file .... .... .... .... ..0. .... .... .... = Content Indexed: This file MAY be indexed by the content indexing service .... .... .... .... ...0 .... .... .... = Offline: This file is NOT offline .... .... .... .... .... 0... .... .... = Compressed: This is NOT a compressed file .... .... .... .... .... .0.. .... .... = Reparse Point: This file does NOT have an associated reparse point .... .... .... .... .... ..0. .... .... = Sparse: This is NOT a sparse file .... .... .... .... .... ...0 .... .... = Temporary: This is NOT a temporary file .... .... .... .... .... .... 0... .... = Normal: This file has some attribute set .... .... .... .... .... .... .0.. .... = Device: This is NOT a device .... .... .... .... .... .... ..0. .... = Archive: This file has NOT been modified since last archive .... 
.... .... .... .... .... ...0 .... = Directory: This is NOT a directory .... .... .... .... .... .... .... 0... = Volume ID: This is NOT a volume ID .... .... .... .... .... .... .... .0.. = System: This is NOT a system file .... .... .... .... .... .... .... ..0. = Hidden: This is NOT a hidden file .... .... .... .... .... .... .... ...0 = Read Only: This file is NOT read only Share Access: 0x00000007 SHARE_DELETE SHARE_WRITE SHARE_READ .... .... .... .... .... .... .... .1.. = Delete: Object can be shared for DELETE .... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE .... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ Create Options: 0x00400040 .... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory .... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing .... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially .... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed .... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous .... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous .... .... .... .... .... .... .1.. .... = Non-Directory: File being created/opened must not be a directory .... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set .... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set .... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes .... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names .... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly .... .... .... .... ...0 .... .... .... 
= Delete On Close: The file should not be deleted when it is closed .... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set .... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create .... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create .... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set .... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open .... .... .1.. .... .... .... .... .... = Open No Recall: Open No Recall is SET .... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query [Disposition: Open (if file exists open it, else fail) (1)] Offset: 0 Reserved: ffffffff Write Mode: 0x0008 .... .... .... 1... = Message Start: This is the START of a MESSAGE (pipe) .... .... .... .0.. = Write Raw: DON'T use WriteRawNamedPipe (pipe) .... .... .... ..0. = Return Remaining: DON'T return remaining (pipe/dev) .... .... .... ...0 = Write Through: Write through not requested Remaining: 116 Data Length High (multiply with 64K): 0 Data Length Low: 116 Data Offset: 64 High Offset: 0 [File Offset: 0] [File RW Length: 116] Byte Count (BCC): 117 Padding: ee Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind, Fragment: Single, FragLen: 116, Call: 2 Version: 5 Version (minor): 0 Packet type: Bind (11) Packet Flags: 0x03 0... .... = Object: Not set .0.. .... = Maybe: Not set ..0. .... = Did Not Execute: Not set ...0 .... = Multiplex: Not set .... 0... = Reserved: Not set .... .0.. = Cancel Pending: Not set .... ..1. = Last Frag: Set .... 
...1 = First Frag: Set Data Representation: 10000000 Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Frag Length: 116 Auth Length: 0 Call ID: 2 Max Xmit Frag: 4280 Max Recv Frag: 4280 Assoc Group: 0x00000000 Num Ctx Items: 2 Ctx Item[1]: ID:0 Context ID: 0 Num Trans Items: 1 Abstract Syntax: SVCCTL V2.0 Interface: SVCCTL UUID: 367abb81-9844-35f1-ad32-98f038001003 Interface Ver: 2 Interface Ver Minor: 0 Transfer Syntax[1]: Version 1.1 network data representation protocol V2 Transport Syntax: Version 1.1 network data representation protocol UUID:8a885d04-1ceb-11c9-9fe8-08002b104860 ver: 2 Ctx Item[2]: ID:1 Context ID: 1 Num Trans Items: 1 Abstract Syntax: SVCCTL V2.0 Interface: SVCCTL UUID: 367abb81-9844-35f1-ad32-98f038001003 Interface Ver: 2 Interface Ver Minor: 0 Transfer Syntax[1]: 6cb71c2c-9812-4540-0300-000000000000 V1 Transport Syntax: 6cb71c2c-9812-4540-0300-000000000000 ver: 1

No.  Time      Source       Destination  Protocol  Length  Info
176  0.086372  10.10.10.59  10.10.10.62  SMB       105     Write AndX Response, FID: 0x8003, 116 bytes

Frame 176: 105 bytes on wire (840 bits), 105 bytes captured (840 bits) Arrival Time: Dec 23, 2011 12:00:44.309203000 Mitteleuropäische Zeit Epoch Time: 1324638044.309203000 seconds [Time delta from previous captured frame: 0.001747000 seconds] [Time delta from previous displayed frame: 0.001747000 seconds] [Time since reference or first frame: 0.086372000 seconds] Frame Number: 176 Frame Length: 105 bytes (840 bits) Capture Length: 105 bytes (840 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:nbss:smb] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: CadmusCo_26:38:6b (08:00:27:26:38:6b), Dst: Giga-Byt_c1:9b:fb (00:24:1d:c1:9b:fb) Destination: Giga-Byt_c1:9b:fb (00:24:1d:c1:9b:fb) Address: Giga-Byt_c1:9b:fb (00:24:1d:c1:9b:fb) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... ....
.... .... = LG bit: Globally unique address (factory default) Source: CadmusCo_26:38:6b (08:00:27:26:38:6b) Address: CadmusCo_26:38:6b (08:00:27:26:38:6b) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.10.10.59 (10.10.10.59), Dst: 10.10.10.62 (10.10.10.62) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 91 Identification: 0x7376 (29558) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x5e9a [correct] [Good: True] [Bad: False] Source: 10.10.10.59 (10.10.10.59) Destination: 10.10.10.62 (10.10.10.62) Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 50746 (50746), Seq: 1178, Ack: 182558, Len: 51 Source port: microsoft-ds (445) Destination port: 50746 (50746) [Stream index: 0] Sequence number: 1178 (relative sequence number) [Next sequence number: 1229 (relative sequence number)] Acknowledgement number: 182558 (relative ack number) Header length: 20 bytes Flags: 0x18 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgement: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 62923 [Calculated window size: 62923] [Window size scaling factor: -1 (unknown)] Checksum: 0xf155 [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 175] [The RTT to ACK the segment was: 0.001747000 seconds] [Bytes in flight: 51] NetBIOS Session Service Message Type: Session message (0x00) Length: 47 SMB (Server Message Block Protocol) SMB Header Server Component: SMB [Response to: 175] [Time from request: 0.001747000 seconds] SMB Command: Write AndX (0x2f) NT Status: STATUS_SUCCESS (0x00000000) Flags: 0x98 1... .... = Request/Response: Message is a response to the client/redirector .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc807 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported .... .... .0.. .... = Long Names Used: Path names in request are not long file names .... .... .... .1.. = Security Signatures: Security signatures are supported .... .... .... ..1. = Extended Attributes: Extended attributes are supported .... .... .... 
...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: 6294c11a0e27d05b Reserved: 0000 Tree ID: 61446 Process ID: 65279 User ID: 24578 Multiplex ID: 18049 Write AndX Response (0x2f) [FID: 0x8003 (\svcctl)] [Opened in: 172] [Closed in: 199] [File Name: \svcctl] Create Flags: 0x00000010 .... .... .... .... .... .... ...1 .... = Extended Response: Extended responses required .... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file .... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock .... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock Access Mask: 0x0012019f 0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set .... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership) .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC .... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID .... .... .... ...0 .... .... .... .... = Delete: NO delete access .... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access .... .... .... .... .... .... ..0. .... = Execute: NO execute access .... .... .... .... .... 
.... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access .... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access .... .... .... .... .... .... .... .1.. = Append: APPEND access .... .... .... .... .... .... .... ..1. = Write: WRITE access .... .... .... .... .... .... .... ...1 = Read: READ access File Attributes: 0x00000000 .... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file .... .... .... .... ..0. .... .... .... = Content Indexed: This file MAY be indexed by the content indexing service .... .... .... .... ...0 .... .... .... = Offline: This file is NOT offline .... .... .... .... .... 0... .... .... = Compressed: This is NOT a compressed file .... .... .... .... .... .0.. .... .... = Reparse Point: This file does NOT have an associated reparse point .... .... .... .... .... ..0. .... .... = Sparse: This is NOT a sparse file .... .... .... .... .... ...0 .... .... = Temporary: This is NOT a temporary file .... .... .... .... .... .... 0... .... = Normal: This file has some attribute set .... .... .... .... .... .... .0.. .... = Device: This is NOT a device .... .... .... .... .... .... ..0. .... = Archive: This file has NOT been modified since last archive .... .... .... .... .... .... ...0 .... = Directory: This is NOT a directory .... .... .... .... .... .... .... 0... = Volume ID: This is NOT a volume ID .... .... .... .... .... .... .... .0.. = System: This is NOT a system file .... .... .... .... .... .... .... ..0. = Hidden: This is NOT a hidden file .... .... .... .... .... .... .... ...0 = Read Only: This file is NOT read only Share Access: 0x00000007 SHARE_DELETE SHARE_WRITE SHARE_READ .... .... .... .... .... .... .... .1.. = Delete: Object can be shared for DELETE .... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE .... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ Create Options: 0x00400040 .... .... .... .... .... .... .... 
...0 = Directory: File being created/opened must not be a directory .... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing .... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially .... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed .... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous .... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous .... .... .... .... .... .... .1.. .... = Non-Directory: File being created/opened must not be a directory .... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set .... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set .... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes .... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names .... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly .... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed .... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set .... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create .... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create .... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set .... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open .... .... .1.. .... .... .... .... .... = Open No Recall: Open No Recall is SET .... .... 0... .... .... .... .... .... 
= Open For Free Space query: This is NOT an open for free space query [Disposition: Open (if file exists open it, else fail) (1)] Word Count (WCT): 6 AndXCommand: No further commands (0xff) Reserved: 00 AndXOffset: 47 [File Offset: 0] [File RW Length: 116] Count Low: 116 Remaining: 65535 Count High (multiply with 64K): 0 Reserved: 0000 Byte Count (BCC): 0

No.  Time      Source       Destination  Protocol  Length  Info
177  0.086545  10.10.10.62  10.10.10.59  SMB       117     Read AndX Request, FID: 0x8003, 1024 bytes at offset 0

Frame 177: 117 bytes on wire (936 bits), 117 bytes captured (936 bits) Arrival Time: Dec 23, 2011 12:00:44.309376000 Mitteleuropäische Zeit Epoch Time: 1324638044.309376000 seconds [Time delta from previous captured frame: 0.000173000 seconds] [Time delta from previous displayed frame: 0.000173000 seconds] [Time since reference or first frame: 0.086545000 seconds] Frame Number: 177 Frame Length: 117 bytes (936 bits) Capture Length: 117 bytes (936 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ip:tcp:nbss:smb] [Coloring Rule Name: SMB] [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios] Ethernet II, Src: Giga-Byt_c1:9b:fb (00:24:1d:c1:9b:fb), Dst: CadmusCo_26:38:6b (08:00:27:26:38:6b) Destination: CadmusCo_26:38:6b (08:00:27:26:38:6b) Address: CadmusCo_26:38:6b (08:00:27:26:38:6b) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Source: Giga-Byt_c1:9b:fb (00:24:1d:c1:9b:fb) Address: Giga-Byt_c1:9b:fb (00:24:1d:c1:9b:fb) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... ....
= LG bit: Globally unique address (factory default) Type: IP (0x0800) Internet Protocol Version 4, Src: 10.10.10.62 (10.10.10.62), Dst: 10.10.10.59 (10.10.10.59) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 103 Identification: 0x5d9d (23965) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (6) Header checksum: 0x7467 [correct] [Good: True] [Bad: False] Source: 10.10.10.62 (10.10.10.62) Destination: 10.10.10.59 (10.10.10.59) Transmission Control Protocol, Src Port: 50746 (50746), Dst Port: microsoft-ds (445), Seq: 182558, Ack: 1229, Len: 63 Source port: 50746 (50746) Destination port: microsoft-ds (445) [Stream index: 0] Sequence number: 182558 (relative sequence number) [Next sequence number: 182621 (relative sequence number)] Acknowledgement number: 1229 (relative ack number) Header length: 20 bytes Flags: 0x18 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgement: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... 
...0 = Fin: Not set Window size value: 16256 [Calculated window size: 16256] [Window size scaling factor: -1 (unknown)] Checksum: 0x1aaf [validation disabled] [Good Checksum: False] [Bad Checksum: False] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 176] [The RTT to ACK the segment was: 0.000173000 seconds] [Bytes in flight: 63] NetBIOS Session Service Message Type: Session message (0x00) Length: 59 SMB (Server Message Block Protocol) SMB Header Server Component: SMB [Response in: 178] SMB Command: Read AndX (0x2e) NT Status: STATUS_SUCCESS (0x00000000) Flags: 0x18 0... .... = Request/Response: Message is a request to the server .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc807 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported .... .... .0.. .... = Long Names Used: Path names in request are not long file names .... .... .... .1.. = Security Signatures: Security signatures are supported .... .... .... ..1. = Extended Attributes: Extended attributes are supported .... .... .... 
...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: f6f83043b9b4ff28 Reserved: 0000 Tree ID: 61446 Process ID: 65279 User ID: 24578 Multiplex ID: 18113 Read AndX Request (0x2e) Word Count (WCT): 12 AndXCommand: No further commands (0xff) Reserved: 00 AndXOffset: 57054 FID: 0x8003 (\svcctl) [Opened in: 172] [Closed in: 199] [File Name: \svcctl] Create Flags: 0x00000010 .... .... .... .... .... .... ...1 .... = Extended Response: Extended responses required .... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file .... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock .... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock Access Mask: 0x0012019f 0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set .... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership) .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC .... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID .... .... .... ...0 .... .... .... .... = Delete: NO delete access .... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access .... 
.... .... .... .... .... ..0. .... = Execute: NO execute access
                .... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access
                .... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access
                .... .... .... .... .... .... .... .1.. = Append: APPEND access
                .... .... .... .... .... .... .... ..1. = Write: WRITE access
                .... .... .... .... .... .... .... ...1 = Read: READ access
            File Attributes: 0x00000000
                .... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file
                .... .... .... .... ..0. .... .... .... = Content Indexed: This file MAY be indexed by the content indexing service
                .... .... .... .... ...0 .... .... .... = Offline: This file is NOT offline
                .... .... .... .... .... 0... .... .... = Compressed: This is NOT a compressed file
                .... .... .... .... .... .0.. .... .... = Reparse Point: This file does NOT have an associated reparse point
                .... .... .... .... .... ..0. .... .... = Sparse: This is NOT a sparse file
                .... .... .... .... .... ...0 .... .... = Temporary: This is NOT a temporary file
                .... .... .... .... .... .... 0... .... = Normal: This file has some attribute set
                .... .... .... .... .... .... .0.. .... = Device: This is NOT a device
                .... .... .... .... .... .... ..0. .... = Archive: This file has NOT been modified since last archive
                .... .... .... .... .... .... ...0 .... = Directory: This is NOT a directory
                .... .... .... .... .... .... .... 0... = Volume ID: This is NOT a volume ID
                .... .... .... .... .... .... .... .0.. = System: This is NOT a system file
                .... .... .... .... .... .... .... ..0. = Hidden: This is NOT a hidden file
                .... .... .... .... .... .... .... ...0 = Read Only: This file is NOT read only
            Share Access: 0x00000007 SHARE_DELETE SHARE_WRITE SHARE_READ
                .... .... .... .... .... .... .... .1.. = Delete: Object can be shared for DELETE
                .... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE
                .... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ
            Create Options: 0x00400040
                .... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory
                .... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing
                .... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially
                .... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed
                .... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous
                .... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous
                .... .... .... .... .... .... .1.. .... = Non-Directory: File being created/opened must not be a directory
                .... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set
                .... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set
                .... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes
                .... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names
                .... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly
                .... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed
                .... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set
                .... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create
                .... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create
                .... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set
                .... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open
                .... .... .1.. .... .... .... .... .... = Open No Recall: Open No Recall is SET
                .... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query
            [Disposition: Open (if file exists open it, else fail) (1)]
        Offset: 0
        Max Count Low: 1024
        Min Count: 1024
        Remaining: 1024
        High Offset: 0
        [File Offset: 0]
        [File RW Length: 1024]
        Byte Count (BCC): 0

No.     Time        Source                Destination           Protocol Length Info
    178 0.088092    10.10.10.59           10.10.10.62           DCERPC   210    Bind_ack: call_id: 2 Fragment: Single Unknown result (3), reason: Abstract syntax not supported

Frame 178: 210 bytes on wire (1680 bits), 210 bytes captured (1680 bits)
    Arrival Time: Dec 23, 2011 12:00:44.310923000 Mitteleuropäische Zeit
    Epoch Time: 1324638044.310923000 seconds
    [Time delta from previous captured frame: 0.001547000 seconds]
    [Time delta from previous displayed frame: 0.001547000 seconds]
    [Time since reference or first frame: 0.088092000 seconds]
    Frame Number: 178
    Frame Length: 210 bytes (1680 bits)
    Capture Length: 210 bytes (1680 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:nbss:smb:dcerpc]
    [Coloring Rule Name: SMB]
    [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: CadmusCo_26:38:6b (08:00:27:26:38:6b), Dst: Giga-Byt_c1:9b:fb (00:24:1d:c1:9b:fb)
    Destination: Giga-Byt_c1:9b:fb (00:24:1d:c1:9b:fb)
        Address: Giga-Byt_c1:9b:fb (00:24:1d:c1:9b:fb)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: CadmusCo_26:38:6b (08:00:27:26:38:6b)
        Address: CadmusCo_26:38:6b (08:00:27:26:38:6b)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.10.10.59 (10.10.10.59), Dst: 10.10.10.62 (10.10.10.62)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 196
    Identification: 0x7377 (29559)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (6)
    Header checksum: 0x5e30 [correct]
        [Good: True]
        [Bad: False]
    Source: 10.10.10.59 (10.10.10.59)
    Destination: 10.10.10.62 (10.10.10.62)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 50746 (50746), Seq: 1229, Ack: 182621, Len: 156
    Source port: microsoft-ds (445)
    Destination port: 50746 (50746)
    [Stream index: 0]
    Sequence number: 1229 (relative sequence number)
    [Next sequence number: 1385 (relative sequence number)]
    Acknowledgement number: 182621 (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgement: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 62860
    [Calculated window size: 62860]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0xf231 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 177]
        [The RTT to ACK the segment was: 0.001547000 seconds]
        [Bytes in flight: 156]
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 152
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        [Response to: 177]
        [Time from request: 0.001547000 seconds]
        SMB Command: Read AndX (0x2e)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x98
            1... .... = Request/Response: Message is a response to the client/redirector
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc807
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .1.. = Security Signatures: Security signatures are supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: eb5f867bcfc430e9
        Reserved: 0000
        Tree ID: 61446
        Process ID: 65279
        User ID: 24578
        Multiplex ID: 18113
    Read AndX Response (0x2e)
        [FID: 0x8003 (\svcctl)]
            [Opened in: 172]
            [Closed in: 199]
            [File Name: \svcctl]
            Create Flags: 0x00000010
                .... .... .... .... .... .... ...1 .... = Extended Response: Extended responses required
                .... .... .... .... .... .... .... 0... = Create Directory: Target of open can be a file
                .... .... .... .... .... .... .... .0.. = Batch Oplock: Does NOT request batch oplock
                .... .... .... .... .... .... .... ..0. = Exclusive Oplock: Does NOT request oplock
            Access Mask: 0x0012019f
                0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set
                .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set
                ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set
                ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
                .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set
                .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set
                .... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O
                .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)
                .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC
                .... .... .... ..1. .... .... .... .... = Read Control: READ ACCESS to owner, group and ACL of the SID
                .... .... .... ...0 .... .... .... .... = Delete: NO delete access
                .... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access
                .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access
                .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access
                .... .... .... .... .... .... ..0. .... = Execute: NO execute access
                .... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access
                .... .... .... .... .... .... .... 1... = Read EA: READ EXTENDED ATTRIBUTES access
                .... .... .... .... .... .... .... .1.. = Append: APPEND access
                .... .... .... .... .... .... .... ..1. = Write: WRITE access
                .... .... .... .... .... .... .... ...1 = Read: READ access
            File Attributes: 0x00000000
                .... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file
                .... .... .... .... ..0. .... .... .... = Content Indexed: This file MAY be indexed by the content indexing service
                .... .... .... .... ...0 .... .... .... = Offline: This file is NOT offline
                .... .... .... .... .... 0... .... .... = Compressed: This is NOT a compressed file
                .... .... .... .... .... .0.. .... .... = Reparse Point: This file does NOT have an associated reparse point
                .... .... .... .... .... ..0. .... .... = Sparse: This is NOT a sparse file
                .... .... .... .... .... ...0 .... .... = Temporary: This is NOT a temporary file
                .... .... .... .... .... .... 0... .... = Normal: This file has some attribute set
                .... .... .... .... .... .... .0.. .... = Device: This is NOT a device
                .... .... .... .... .... .... ..0. .... = Archive: This file has NOT been modified since last archive
                .... .... .... .... .... .... ...0 .... = Directory: This is NOT a directory
                .... .... .... .... .... .... .... 0... = Volume ID: This is NOT a volume ID
                .... .... .... .... .... .... .... .0.. = System: This is NOT a system file
                .... .... .... .... .... .... .... ..0. = Hidden: This is NOT a hidden file
                .... .... .... .... .... .... .... ...0 = Read Only: This file is NOT read only
            Share Access: 0x00000007 SHARE_DELETE SHARE_WRITE SHARE_READ
                .... .... .... .... .... .... .... .1.. = Delete: Object can be shared for DELETE
                .... .... .... .... .... .... .... ..1. = Write: Object can be shared for WRITE
                .... .... .... .... .... .... .... ...1 = Read: Object can be shared for READ
            Create Options: 0x00400040
                .... .... .... .... .... .... .... ...0 = Directory: File being created/opened must not be a directory
                .... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing
                .... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially
                .... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed
                .... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous
                .... .... .... .... .... .... ..0. .... = Sync I/O Nonalert: Operations NOT necessarily synchronous
                .... .... .... .... .... .... .1.. .... = Non-Directory: File being created/opened must not be a directory
                .... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set
                .... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set
                .... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes
                .... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names
                .... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly
                .... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed
                .... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set
                .... .... .... .... .0.. .... .... .... = Backup Intent: This is a normal create
                .... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create
                .... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set
                .... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open
                .... .... .1.. .... .... .... .... .... = Open No Recall: Open No Recall is SET
                .... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query
            [Disposition: Open (if file exists open it, else fail) (1)]
        Word Count (WCT): 12
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 0
        [File Offset: 0]
        [File RW Length: 1024]
        Remaining: 0
        Data Compaction Mode: 0
        Reserved: 0000
        Data Length Low: 92
        Data Offset: 60
        Data Length High (multiply with 64K): 0
        Reserved: 000000000000
        Byte Count (BCC): 93
        Padding: 00
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind_ack, Fragment: Single, FragLen: 92, Call: 2
    Version: 5
    Version (minor): 0
    Packet type: Bind_ack (12)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 92
    Auth Length: 0
    Call ID: 2
    Max Xmit Frag: 4280
    Max Recv Frag: 4280
    Assoc Group: 0x0009456e
    Scndry Addr len: 13
    Scndry Addr: \pipe\ntsvcs
    Num results: 2
    Context ID[1]
        Ack result: Acceptance (0)
        Transfer Syntax: Version 1.1 network data representation protocol
        Syntax ver: 2
    Context ID[2]
        Ack result: Unknown (3)
        Ack reason: Abstract syntax not supported (1)
        Transfer Syntax: NULL
        Syntax ver: 0