[CIFS question]help me please
ronnie sahlberg
ronniesahlberg at gmail.com
Tue Jun 5 03:52:55 GMT 2007
On 6/5/07, yang mikey <mikeyredmoon at gmail.com> wrote:
> Hi, everybody
> I want to do a tool to monitor the windows share folder via parsing CIFS/SMB
> packet,
> then I read some documents, but I still have many questions.
>
> 1. When my program is started after the user logged in to the server, I can only
> get the UID and TID,
> How to get real user name and folder name via this information? well,
> many guys tell me
> It's impossible...
You need to track the SessionSetupAndX calls for that TCP connection
to find the mapping between a username and a uid.
This may require that you can also decrypt Kerberos.
You need to track the TreeConnectAndX calls for that TCP connection
and uid to find the mapping between a tid and a sharename.
>
> 2. How to get client operation type by parsing the packet, the command code
> in document, such as
> SMB_COM_COPY, SMB_COM_DELETE, these messages never appeared, Why?
Maybe the client never issued those commands?
Those two commands are very old and obsolete so do not be surprised
if a modern Windows client never issues them.
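
The tracking described in the reply above, as an added example (not code from this thread or from Samba): a per-connection tracker that pairs each SessionSetupAndX/TreeConnectAndX request with its response by MID and records uid -> user and (uid, tid) -> share. It assumes SMB1 messages already reassembled from one TCP connection with the NetBIOS session header removed, non-extended-security session setup, and no AndX-chained commands; `SmbTracker`, `feed`, `resolve`, `request_name` and `read_string` are hypothetical names.

```python
import struct

SESSION_SETUP_ANDX, TREE_CONNECT_ANDX = 0x73, 0x75  # SMB1 command codes
FLAGS_REPLY, FLAGS2_UNICODE = 0x80, 0x8000

def read_string(smb, pos, uni):  # one null-terminated SMB string at pos
    if uni:  # Unicode strings are 2-byte aligned from the header start
        pos += pos & 1
        return smb[pos:].decode("utf-16-le", "replace").split("\0", 1)[0]
    return smb[pos:].split(b"\0", 1)[0].decode("latin-1")

def request_name(cmd, smb, uni):
    """Account name (SessionSetupAndX) or share path (TreeConnectAndX)."""
    wc, words = smb[32], 33
    data = words + 2 * wc + 2  # data bytes follow the words and ByteCount
    if len(smb) < data:  # truncated capture
        return None
    if cmd == SESSION_SETUP_ANDX and wc == 13:  # wc 12 = SPNEGO, not parsed
        oem_len, uni_len = struct.unpack_from("<HH", smb, words + 14)
        return read_string(smb, data + oem_len + uni_len, uni)
    if cmd == TREE_CONNECT_ANDX and wc == 4:
        (pw_len,) = struct.unpack_from("<H", smb, words + 6)
        return read_string(smb, data + pw_len, uni)
    return None

class SmbTracker:
    """State for ONE TCP connection: uid -> user, (uid, tid) -> share."""
    def __init__(self):
        self.pending, self.users, self.shares = {}, {}, {}

    def feed(self, smb):
        """Feed one SMB1 message with the 4-byte NetBIOS header removed."""
        if len(smb) < 35 or smb[:4] != b"\xffSMB":
            return
        cmd, status, flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
        tid, _pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)
        if not flags & FLAGS_REPLY:  # the request carries the name
            name = request_name(cmd, smb, flags2 & FLAGS2_UNICODE)
            self.pending[mid] = (cmd, name)
            return
        req_cmd, name = self.pending.pop(mid, (None, None))
        if status == 0 and req_cmd == cmd and name is not None:
            if cmd == SESSION_SETUP_ANDX:  # reply header holds the new UID
                self.users[uid] = name
            else:  # TreeConnectAndX: reply header holds the new TID
                self.shares[(uid, tid)] = name

    def resolve(self, uid, tid):  # None where the setup was never captured
        return self.users.get(uid), self.shares.get((uid, tid))
```

`resolve` returns `None` for any uid or tid whose setup exchange happened before the capture started, which is the situation described in question 1.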