[CIFS question]help me please

ronnie sahlberg ronniesahlberg at gmail.com
Tue Jun 5 03:52:55 GMT 2007

On 6/5/07, yang mikey <mikeyredmoon at gmail.com> wrote:
> Hi, everybody
> I want to do a tool to monitor the windows share folder via parsing CIFS/SMB
> packet,
> then I read some documents, but I still have many questions.
> 1. When my program is started after the user logined to server, I can only
> get the UID and TID,
>     How to get real user name and folder name via these infomation? well,
> many guys tell me
>     It's impossible...

You need to track the SessionSetupAndX calls for that tcp connection
to find the mapping between a username and a uid.
This may require that you can also decrypt kerberos.

You need to track the TreeConnectAndX calls for that tcp connection
and uid to find the mapping between a tid and a sharename.

> 2. How to get client operation type by parsing the packet, the commandcode
> in document, such as
>     SMB_COM_COPY, SMB_COM_DELETE, these messages were never appeared, Why?

Maybe the client never issued those commands?
Those two commands are very old and obsolete   so do not be surprised
if a modern windows client never issues them.

More information about the samba-technical mailing list