> tcpdump traces are difficult to follow: they don't decode dce/rpc packets. binary tcpdump traces (from the -w option) are very useful. They can be converted to netmon format using capconvert. See the tcpdump-smb directory on the samba ftp site.