[Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)
Jens Nissen
jens.nissen at gmx.net
Mon Apr 16 15:08:30 GMT 2007
Jeremy Allison wrote:
> On Thu, Apr 12, 2007 at 08:06:21PM +0200, Jens Nissen wrote:
>> I cannot set rights on an arbitrary file or folder for the Windows
>> predefined group "Authenticated Users" (which has SID S-1-5-11) via
>> SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
>>
>> Everything else works:
>> - I can set rights for any other domain group.
>> - I can read the ACL entry for "Authenticated Users" in the Windows 2000
>> File Attribute Dialog if I set it manually with setfacl before
>> - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
>> with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
>> existence of this predefined group.
>>
>> What am I doing wrong? Is this supposed to work?
>> Is there a workaround or any other suitable mapping for this group?
>>
>> In the "Unofficial Samba + ACL Howto", there is a reference (chapter
>> 3.1.4) that this might not work, but that was back in 2003 and 4 years
>> have passed since then.
>
> What fails? Selecting the user in the GUI? More info on
> exactly what isn't working would be good.
>
> Jeremy.
>
I would like to add an ethereal capture of what I think is a bug in
Samba 3.0.23d:
In packet 20, the group with SID 1-5-11 is sent (along with other
SIDs) to the Samba Server.
In packet 21, the Samba Server acknowledges the packet positively.
In packet 28, Windows 2000 asks for the NT-ACLs again.
In packet 29, it becomes obvious that Samba forgot to set the ACL for
SID S-1-5-11.
I think this is a bug - or am I missing something essential?
The same operation works with a Windows 2000 Server, so Samba is
definitely different here than the Windows Server it tries to replace.
--------------------------------------
Capture Overview:
--------------------------------------
No. Time Source Destination Protocol Info
16 2.901596 192.168.1.4 192.168.1.3 SMB NT Create AndX Request, Path: \Nasdrive5\shared\test\KleineGruppeDatei
17 2.905511 192.168.1.3 192.168.1.4 SMB NT Create AndX Response, FID: 0x1e1f
18 2.905927 192.168.1.4 192.168.1.3 SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x1e1f, Query File Basic Info
19 2.908848 192.168.1.3 192.168.1.4 SMB Trans2 Response, QUERY_FILE_INFO
20 2.909376 192.168.1.4 192.168.1.3 SMB NT Trans Request, NT SET SECURITY DESC, FID: 0x1e1f
21 2.914634 192.168.1.3 192.168.1.4 SMB NT Trans Response, NT SET SECURITY DESC
22 2.915064 192.168.1.4 192.168.1.3 SMB Close Request, FID: 0x1e1f
23 2.918907 192.168.1.3 192.168.1.4 SMB Close Response
24 2.919679 192.168.1.4 192.168.1.3 SMB NT Create AndX Request, Path: \Nasdrive5\shared\test\KleineGruppeDatei
25 2.923559 192.168.1.3 192.168.1.4 SMB NT Create AndX Response, FID: 0x1e20
26 2.923941 192.168.1.4 192.168.1.3 SMB NT Trans Request, NT QUERY SECURITY DESC, FID: 0x1e20
27 2.927879 192.168.1.3 192.168.1.4 SMB NT Trans Response, NT QUERY SECURITY DESC, Error: STATUS_BUFFER_TOO_SMALL
28 2.928246 192.168.1.4 192.168.1.3 SMB NT Trans Request, NT QUERY SECURITY DESC, FID: 0x1e20
29 2.932058 192.168.1.3 192.168.1.4 SMB NT Trans Response, NT QUERY SECURITY DESC
30 2.932521 192.168.1.4 192.168.1.3 SMB Close Request, FID: 0x1e20
31 2.936432 192.168.1.3 192.168.1.4 SMB Close Response
--------------------------------------
Capture Details:
--------------------------------------
No. Time Source Destination Protocol
Info
16 2.901596 192.168.1.4 192.168.1.3 SMB
NT Create AndX Request, Path: \Nasdrive5\shared\test\KleineGruppeDatei
Frame 16 (224 bytes on wire, 224 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.889239000
[Time delta from previous packet: 0.000409000 seconds]
[Time since reference or first frame: 2.901596000 seconds]
Frame Number: 16
Packet Length: 224 bytes
Capture Length: 224 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst:
Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3
(192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 210
Identification: 0x92c3 (37571)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe40a [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port:
microsoft-ds (445), Seq: 843, Ack: 600, Len: 170
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 843 (relative sequence number)
[Next sequence number: 1013 (relative sequence number)]
Acknowledgement number: 600 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16393
Checksum: 0x34d5 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 15]
[The RTT to ACK the segment was: 0.000409000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 166
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 17]
SMB Command: NT Create AndX (0xa2)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .1.. = Security Signatures: Security
signatures are supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56129
NT Create AndX Request (0xa2)
Word Count (WCT): 24
AndXCommand: No further commands (0xff)
Reserved: 00
AndXOffset: 57054
Reserved: 00
File Name Len: 80
Create Flags: 0x00000010
.... .... .... .... .... .... ...1 .... = Extended Response:
Extended responses required
.... .... .... .... .... .... .... 0... = Create Directory:
Target of open can be a file
.... .... .... .... .... .... .... .0.. = Batch Oplock: Does
NOT request batch oplock
.... .... .... .... .... .... .... ..0. = Exclusive Oplock:
Does NOT request oplock
Root FID: 0x00000000
Access Mask: 0x00060080
0... .... .... .... .... .... .... .... = Generic Read:
Generic read is NOT set
.0.. .... .... .... .... .... .... .... = Generic Write:
Generic write is NOT set
..0. .... .... .... .... .... .... .... = Generic Execute:
Generic execute is NOT set
...0 .... .... .... .... .... .... .... = Generic All:
Generic all is NOT set
.... ..0. .... .... .... .... .... .... = Maximum Allowed:
Maximum allowed is NOT set
.... ...0 .... .... .... .... .... .... = System Security:
System security is NOT set
.... .... ...0 .... .... .... .... .... = Synchronize: Can
NOT wait on handle to synchronize on completion of I/O
.... .... .... 0... .... .... .... .... = Write Owner: Can
NOT write owner (take ownership)
.... .... .... .1.. .... .... .... .... = Write DAC: OWNER
may WRITE the DAC
.... .... .... ..1. .... .... .... .... = Read Control: READ
ACCESS to owner, group and ACL of the SID
.... .... .... ...0 .... .... .... .... = Delete: NO delete
access
.... .... .... .... .... ...0 .... .... = Write Attributes:
NO write attributes access
.... .... .... .... .... .... 1... .... = Read Attributes:
READ ATTRIBUTES access
.... .... .... .... .... .... .0.. .... = Delete Child: NO
delete child access
.... .... .... .... .... .... ..0. .... = Execute: NO
execute access
.... .... .... .... .... .... ...0 .... = Write EA: NO write
extended attributes access
.... .... .... .... .... .... .... 0... = Read EA: NO read
extended attributes access
.... .... .... .... .... .... .... .0.. = Append: NO append
access
.... .... .... .... .... .... .... ..0. = Write: NO write access
.... .... .... .... .... .... .... ...0 = Read: NO read access
Allocation Size: 0
File Attributes: 0x00000000
.... .... .... .... .0.. .... .... .... = Encrypted: This is
NOT an encrypted file
.... .... .... .... ..0. .... .... .... = Content Indexed:
This file MAY be indexed by the content indexing service
.... .... .... .... ...0 .... .... .... = Offline: This file
is NOT offline
.... .... .... .... .... 0... .... .... = Compressed: This
is NOT a compressed file
.... .... .... .... .... .0.. .... .... = Reparse Point:
This file does NOT have an associated reparse point
.... .... .... .... .... ..0. .... .... = Sparse: This is
NOT a sparse file
.... .... .... .... .... ...0 .... .... = Temporary: This is
NOT a temporary file
.... .... .... .... .... .... 0... .... = Normal: This file
has some attribute set
.... .... .... .... .... .... .0.. .... = Device: This is
NOT a device
.... .... .... .... .... .... ..0. .... = Archive: This file
has NOT been modified since last archive
.... .... .... .... .... .... ...0 .... = Directory: This is
NOT a directory
.... .... .... .... .... .... .... 0... = Volume ID: This is
NOT a volume ID
.... .... .... .... .... .... .... .0.. = System: This is
NOT a system file
.... .... .... .... .... .... .... ..0. = Hidden: This is
NOT a hidden file
.... .... .... .... .... .... .... ...0 = Read Only: This
file is NOT read only
Share Access: 0x00000007
.... .... .... .... .... .... .... .1.. = Delete: Object can
be shared for DELETE
.... .... .... .... .... .... .... ..1. = Write: Object can
be shared for WRITE
.... .... .... .... .... .... .... ...1 = Read: Object can
be shared for READ
Disposition: Open (if file exists open it, else fail) (1)
Create Options: 0x00200000
.... .... .... .... .... .... .... ...0 = Directory: File
being created/opened must not be a directory
.... .... .... .... .... .... .... ..0. = Write Through:
Writes need not flush buffered data before completing
.... .... .... .... .... .... .... .0.. = Sequential Only:
The file might not only be accessed sequentially
.... .... .... .... .... .... .... 0... = Intermediate
Buffering: Intermediate buffering is allowed
.... .... .... .... .... .... ...0 .... = Sync I/O Alert:
Operations NOT necessarily synchronous
.... .... .... .... .... .... ..0. .... = Sync I/O Nonalert:
Operations NOT necessarily synchronous
.... .... .... .... .... .... .0.. .... = Non-Directory:
File being created/opened must be a directory
.... .... .... .... .... .... 0... .... = Create Tree
Connection: Create Tree Connections is NOT set
.... .... .... .... .... ...0 .... .... = Complete If
Oplocked: Complete if oplocked is NOT set
.... .... .... .... .... ..0. .... .... = No EA Knowledge:
The client understands extended attributes
.... .... .... .... .... .0.. .... .... = 8.3 Only: The
client understands long file names
.... .... .... .... .... 0... .... .... = Random Access: The
file will not be accessed randomly
.... .... .... .... ...0 .... .... .... = Delete On Close:
The file should not be deleted when it is closed
.... .... .... .... ..0. .... .... .... = Open By FileID:
OpenByFileID is NOT set
.... .... .... .... .0.. .... .... .... = Backup Intent:
This is a normal create
.... .... .... .... 0... .... .... .... = No Compression:
Compression is allowed for Open/Create
.... .... ...0 .... .... .... .... .... = Reserve Opfilter:
Reserve Opfilter is NOT set
.... .... ..1. .... .... .... .... .... = Open Reparse
Point: Open a Reparse Point
.... .... .0.. .... .... .... .... .... = Open No Recall:
Open no recall is NOT set
.... .... 0... .... .... .... .... .... = Open For Free
Space query: This is NOT an open for free space query
Impersonation: Impersonation (2)
Security Flags: 0x00
.... ...0 = Context Tracking: Security tracking mode is STATIC
.... ..0. = Effective Only: ALL aspects of the client's
security context are available
Byte Count (BCC): 83
File Name: \Nasdrive5\shared\test\KleineGruppeDatei
No. Time Source Destination Protocol
Info
17 2.905511 192.168.1.3 192.168.1.4 SMB
NT Create AndX Response, FID: 0x1e1f
Frame 17 (161 bytes on wire, 161 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.893154000
[Time delta from previous packet: 0.003915000 seconds]
[Time since reference or first frame: 2.905511000 seconds]
Frame Number: 17
Packet Length: 161 bytes
Capture Length: 161 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst:
Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4
(192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 147
Identification: 0x3963 (14691)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7d9a [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port:
3257 (3257), Seq: 600, Ack: 1013, Len: 107
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 600 (relative sequence number)
[Next sequence number: 707 (relative sequence number)]
Acknowledgement number: 1013 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0x61c9 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 16]
[The RTT to ACK the segment was: 0.003915000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 103
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 16]
[Time from request: 0.003915000 seconds]
SMB Command: NT Create AndX (0xa2)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc801
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56129
NT Create AndX Response (0xa2)
Word Count (WCT): 34
AndXCommand: No further commands (0xff)
Reserved: 00
AndXOffset: 0
Oplock level: No oplock granted (0)
FID: 0x1e1f
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 17]
[Closed in: 22]
Create action: The file existed and was opened (1)
Created: Apr 12, 2007 16:25:34.000000000
Last Access: Apr 12, 2007 16:25:34.000000000
Last Write: Apr 12, 2007 16:25:34.000000000
Change: Apr 12, 2007 16:25:34.000000000
File Attributes: 0x00000020
.... .... .... .... .0.. .... .... .... = Encrypted: This is
NOT an encrypted file
.... .... .... .... ..0. .... .... .... = Content Indexed:
This file MAY be indexed by the content indexing service
.... .... .... .... ...0 .... .... .... = Offline: This file
is NOT offline
.... .... .... .... .... 0... .... .... = Compressed: This
is NOT a compressed file
.... .... .... .... .... .0.. .... .... = Reparse Point:
This file does NOT have an associated reparse point
.... .... .... .... .... ..0. .... .... = Sparse: This is
NOT a sparse file
.... .... .... .... .... ...0 .... .... = Temporary: This is
NOT a temporary file
.... .... .... .... .... .... 0... .... = Normal: This file
has some attribute set
.... .... .... .... .... .... .0.. .... = Device: This is
NOT a device
.... .... .... .... .... .... ..1. .... = Archive: This file
has been modified since last ARCHIVE
.... .... .... .... .... .... ...0 .... = Directory: This is
NOT a directory
.... .... .... .... .... .... .... 0... = Volume ID: This is
NOT a volume ID
.... .... .... .... .... .... .... .0.. = System: This is
NOT a system file
.... .... .... .... .... .... .... ..0. = Hidden: This is
NOT a hidden file
.... .... .... .... .... .... .... ...0 = Read Only: This
file is NOT read only
Allocation Size: 1048576
End Of File: 0
File Type: Disk file or directory (0)
IPC State: 0x0007
0... .... .... .... = Nonblocking: Reads/writes block if no
data available
.0.. .... .... .... = Endpoint: Consumer end of pipe (0)
.... 00.. .... .... = Pipe Type: Byte stream pipe (0)
.... ..00 .... .... = Read Mode: Read pipe as a byte stream (0)
.... .... 0000 0111 = Icount: 7
Is Directory: This is NOT a directory (0)
Byte Count (BCC): 0
No. Time Source Destination Protocol
Info
18 2.905927 192.168.1.4 192.168.1.3 SMB
Trans2 Request, QUERY_FILE_INFO, FID: 0x1e1f, Query File Basic Info
Frame 18 (130 bytes on wire, 130 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.893570000
[Time delta from previous packet: 0.000416000 seconds]
[Time since reference or first frame: 2.905927000 seconds]
Frame Number: 18
Packet Length: 130 bytes
Capture Length: 130 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst:
Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3
(192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 116
Identification: 0x92c4 (37572)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe467 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port:
microsoft-ds (445), Seq: 1013, Ack: 707, Len: 76
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 1013 (relative sequence number)
[Next sequence number: 1089 (relative sequence number)]
Acknowledgement number: 707 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16286
Checksum: 0x1239 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 17]
[The RTT to ACK the segment was: 0.000416000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 72
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 19]
SMB Command: Trans2 (0x32)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .1.. = Security Signatures: Security
signatures are supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56193
Trans2 Request (0x32)
Word Count (WCT): 15
Total Parameter Count: 4
Total Data Count: 0
Max Parameter Count: 2
Max Data Count: 40
Max Setup Count: 0
Reserved: 00
Flags: 0x0000
.... .... .... ..0. = One Way Transaction: Two way transaction
.... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
Timeout: Return immediately (0)
Reserved: 0000
Parameter Count: 4
Parameter Offset: 68
Data Count: 0
Data Offset: 0
Setup Count: 1
Reserved: 00
Subcommand: QUERY_FILE_INFO (0x0007)
Byte Count (BCC): 7
Padding: 170A32
QUERY_FILE_INFO Parameters
FID: 0x1e1f
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 17]
[Closed in: 22]
Level of Interest: Query File Basic Info (1004)
No. Time Source Destination Protocol
Info
19 2.908848 192.168.1.3 192.168.1.4 SMB
Trans2 Response, QUERY_FILE_INFO
Frame 19 (158 bytes on wire, 158 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.896491000
[Time delta from previous packet: 0.002921000 seconds]
[Time since reference or first frame: 2.908848000 seconds]
Frame Number: 19
Packet Length: 158 bytes
Capture Length: 158 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst:
Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4
(192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 144
Identification: 0x3964 (14692)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7d9c [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port:
3257 (3257), Seq: 707, Ack: 1089, Len: 104
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 707 (relative sequence number)
[Next sequence number: 811 (relative sequence number)]
Acknowledgement number: 1089 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0xa040 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 18]
[The RTT to ACK the segment was: 0.002921000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 100
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 18]
[Time from request: 0.002921000 seconds]
SMB Command: Trans2 (0x32)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc841
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .1.. .... = Long Names Used: Path names in request
are long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56193
Trans2 Response (0x32)
Subcommand: QUERY_FILE_INFO (0x0007)
Word Count (WCT): 10
Total Parameter Count: 2
Total Data Count: 40
Reserved: 0000
Parameter Count: 2
Parameter Offset: 56
Parameter Displacement: 0
Data Count: 40
Data Offset: 60
Data Displacement: 0
Setup Count: 0
Reserved: 00
Byte Count (BCC): 45
Padding: 00
QUERY_FILE_INFO Parameters
EA Error offset: 0
Padding: 0000
QUERY_FILE_INFO Data
Created: Apr 12, 2007 16:25:34.000000000
Last Access: Apr 12, 2007 16:25:34.000000000
Last Write: Apr 12, 2007 16:25:34.000000000
Change: Apr 12, 2007 16:25:34.000000000
File Attributes: 0x00000020
.0.. .... .... .... = Encrypted: This is NOT an
encrypted file
..0. .... .... .... = Content Indexed: This file MAY be
indexed by the content indexing service
...0 .... .... .... = Offline: This file is NOT offline
.... 0... .... .... = Compressed: This is NOT a
compressed file
.... .0.. .... .... = Reparse Point: This file does NOT
have an associated reparse point
.... ..0. .... .... = Sparse: This is NOT a sparse file
.... ...0 .... .... = Temporary: This is NOT a temporary
file
.... .... 0... .... = Normal: This file has some
attribute set
.... .... .0.. .... = Device: This is NOT a device
.... .... ..1. .... = Archive: This file has been
modified since last ARCHIVE
.... .... ...0 .... = Directory: This is NOT a directory
.... .... .... 0... = Volume ID: This is NOT a volume ID
.... .... .... .0.. = System: This is NOT a system file
.... .... .... ..0. = Hidden: This is NOT a hidden file
.... .... .... ...0 = Read Only: This file is NOT read only
Unknown Data: 00000000
No. Time Source Destination Protocol
Info
20 2.909376 192.168.1.4 192.168.1.3 SMB
NT Trans Request, NT SET SECURITY DESC, FID: 0x1e1f
Frame 20 (362 bytes on wire, 362 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.897019000
[Time delta from previous packet: 0.000528000 seconds]
[Time since reference or first frame: 2.909376000 seconds]
Frame Number: 20
Packet Length: 362 bytes
Capture Length: 362 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst:
Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3
(192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 348
Identification: 0x92c5 (37573)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe37e [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port:
microsoft-ds (445), Seq: 1089, Ack: 811, Len: 308
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 1089 (relative sequence number)
[Next sequence number: 1397 (relative sequence number)]
Acknowledgement number: 811 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16182
Checksum: 0x82d7 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 19]
[The RTT to ACK the segment was: 0.000528000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 304
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 21]
SMB Command: NT Trans (0xa0)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .1.. = Security Signatures: Security
signatures are supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56257
NT Trans Request (0xa0)
Word Count (WCT): 19
Max Setup Count: 0
Reserved: 0000
Total Parameter Count: 8
Total Data Count: 220
Max Parameter Count: 0
Max Data Count: 0
Parameter Count: 8
Parameter Offset: 76
Data Count: 220
Data Offset: 84
Setup Count: 0
Function: NT SET SECURITY DESC (3)
Byte Count (BCC): 231
Padding: 000000
NT SET SECURITY DESC Parameters
FID: 0x1e1f
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 17]
[Closed in: 22]
Reserved: 0000
Security Information: 0x80000004
.... .... .... .... .... .... .... ...0 = Owner: NOT
requesting owner security information
.... .... .... .... .... .... .... ..0. = Group: NOT
requesting group security information
.... .... .... .... .... .... .... .1.. = DACL:
Requesting DACL security information
.... .... .... .... .... .... .... 0... = SACL: NOT
requesting SACL security information
NT SET SECURITY DESC Data
NT Security Descriptor
Revision: 1
Type: 0x9d04
1... .... .... .... = Self Relative: This SecDesc is
SELF RELATIVE
.0.. .... .... .... = RM Control Valid: Rm control
valid is FALSE
..0. .... .... .... = SACL Protected: The SACL is
NOT protected
...1 .... .... .... = DACL Protected: The DACL is
PROTECTED
.... 1... .... .... = SACL Auto Inherited: SACL is
AUTO INHERITED
.... .1.. .... .... = DACL Auto Inherited: DACL is
AUTO INHERITED
.... ..0. .... .... = SACL Auto Inherit Required:
SACL does NOT require auto inherit
.... ...1 .... .... = DACL Auto Inherit Required:
DACL has AUTO INHERIT REQUIRED
.... .... 0... .... = Server Security: Server
security is FALSE
.... .... .0.. .... = DACL Trusted: Dacl trusted is
FALSE
.... .... ..0. .... = SACL Defaulted: SACL is NOT
defaulted
.... .... ...0 .... = SACL Present: SACL is NOT present
.... .... .... 0... = DACL Defaulted: DACL is NOT
defaulted
.... .... .... .1.. = DACL Present: DACL is PRESENT
.... .... .... ..0. = Group Defaulted: Group is NOT
defaulted
.... .... .... ...0 = Owner Defaulted: Owner is NOT
defaulted
Offset to owner SID: 176
Offset to group SID: 192
Offset to SACL: 0
Offset to DACL: 20
Owner: S-1-5-32-544
Revision: 1
Num Auth: 2
Authority: 5
Sub-authorities: 32-544
Group: S-1-5-21-1214440339-113007714-839522115-513
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities: 21-1214440339-113007714-839522115
RID: 513 (Domain Users)
NT User (DACL) ACL
Revision: NT4 (2)
Size: 156
Num ACEs: 5
NT ACE: S-1-5-21-1214440339-113007714-839522115-500, flags 0x00, Access Allowed, mask 0x001f01ff
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed
accesses will not be audited
.0.. .... = Audit Successful Accesses:
Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not
inherited from its parent object
.... 0... = Inherit Only: This ACE applies
to the current object
.... .0.. = Non-Propagate Inherit:
Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate
containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate
files will not inherit this ACE
Size: 36
Access required: 0x001f01ff
Generic rights: 0x00000000
0... .... .... .... .... .... .... ....
= Generic read: Not set
.0.. .... .... .... .... .... .... ....
= Generic write: Not set
..0. .... .... .... .... .... .... ....
= Generic execute: Not set
...0 .... .... .... .... .... .... ....
= Generic all: Not set
.... ..0. .... .... .... .... .... .... =
Maximum allowed: Not set
.... .... 0... .... .... .... .... .... =
Access SACL: Not set
Standard rights: 0x001f0000
.... .... ...1 .... .... .... .... ....
= Synchronise: Set
.... .... .... 1... .... .... .... ....
= Write owner: Set
.... .... .... .1.. .... .... .... ....
= Write DAC: Set
.... .... .... ..1. .... .... .... ....
= Read control: Set
.... .... .... ...1 .... .... .... ....
= Delete: Set
FILE specific rights: 0x000001ff
[FULL CONTROL]
.... .... .... .... .... ...1 .... ....
= Write Attribute: Set
.... .... .... .... .... .... 1... ....
= Read Attribute: Set
.... .... .... .... .... .... ..1. ....
= Execute: Set
.... .... .... .... .... .... ...1 ....
= Write EA: Set
.... .... .... .... .... .... .... 1...
= Read EA: Set
.... .... .... .... .... .... .... .1..
= Append Data: Set
.... .... .... .... .... .... .... ..1.
= Write Data: Set
.... .... .... .... .... .... .... ...1
= Read Data: Set
ACE: S-1-5-21-1214440339-113007714-839522115-500
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities:
21-1214440339-113007714-839522115
RID: 500 (Administrator)
NT ACE: S-1-5-11, flags 0x00, Access Allowed, mask 0x001200a9
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed
accesses will not be audited
.0.. .... = Audit Successful Accesses:
Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not
inherited from its parent object
.... 0... = Inherit Only: This ACE applies
to the current object
.... .0.. = Non-Propagate Inherit:
Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate
containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate
files will not inherit this ACE
Size: 20
Access required: 0x001200a9
Generic rights: 0x00000000
0... .... .... .... .... .... .... ....
= Generic read: Not set
.0.. .... .... .... .... .... .... ....
= Generic write: Not set
..0. .... .... .... .... .... .... ....
= Generic execute: Not set
...0 .... .... .... .... .... .... ....
= Generic all: Not set
.... ..0. .... .... .... .... .... .... =
Maximum allowed: Not set
.... .... 0... .... .... .... .... .... =
Access SACL: Not set
Standard rights: 0x00120000
.... .... ...1 .... .... .... .... ....
= Synchronise: Set
.... .... .... 0... .... .... .... ....
= Write owner: Not set
.... .... .... .0.. .... .... .... ....
= Write DAC: Not set
.... .... .... ..1. .... .... .... ....
= Read control: Set
.... .... .... ...0 .... .... .... ....
= Delete: Not set
FILE specific rights: 0x000000a9
.... .... .... .... .... ...0 .... ....
= Write Attribute: Not set
.... .... .... .... .... .... 1... ....
= Read Attribute: Set
.... .... .... .... .... .... ..1. ....
= Execute: Set
.... .... .... .... .... .... ...0 ....
= Write EA: Not set
.... .... .... .... .... .... .... 1...
= Read EA: Set
.... .... .... .... .... .... .... .0..
= Append Data: Not set
.... .... .... .... .... .... .... ..0.
= Write Data: Not set
.... .... .... .... .... .... .... ...1
= Read Data: Set
ACE: S-1-5-11
Revision: 1
Num Auth: 1
Authority: 5
Sub-authorities: 11
NT ACE: S-1-5-21-1214440339-113007714-839522115-513, flags 0x00, Access Allowed, mask 0x0012019f
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed
accesses will not be audited
.0.. .... = Audit Successful Accesses:
Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not
inherited from its parent object
.... 0... = Inherit Only: This ACE applies
to the current object
.... .0.. = Non-Propagate Inherit:
Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate
containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate
files will not inherit this ACE
Size: 36
Access required: 0x0012019f
Generic rights: 0x00000000
0... .... .... .... .... .... .... ....
= Generic read: Not set
.0.. .... .... .... .... .... .... ....
= Generic write: Not set
..0. .... .... .... .... .... .... ....
= Generic execute: Not set
...0 .... .... .... .... .... .... ....
= Generic all: Not set
.... ..0. .... .... .... .... .... .... =
Maximum allowed: Not set
.... .... 0... .... .... .... .... .... =
Access SACL: Not set
Standard rights: 0x00120000
.... .... ...1 .... .... .... .... ....
= Synchronise: Set
.... .... .... 0... .... .... .... ....
= Write owner: Not set
.... .... .... .0.. .... .... .... ....
= Write DAC: Not set
.... .... .... ..1. .... .... .... ....
= Read control: Set
.... .... .... ...0 .... .... .... ....
= Delete: Not set
FILE specific rights: 0x0000019f
.... .... .... .... .... ...1 .... ....
= Write Attribute: Set
.... .... .... .... .... .... 1... ....
= Read Attribute: Set
.... .... .... .... .... .... ..0. ....
= Execute: Not set
.... .... .... .... .... .... ...1 ....
= Write EA: Set
.... .... .... .... .... .... .... 1...
= Read EA: Set
.... .... .... .... .... .... .... .1..
= Append Data: Set
.... .... .... .... .... .... .... ..1.
= Write Data: Set
.... .... .... .... .... .... .... ...1
= Read Data: Set
ACE: S-1-5-21-1214440339-113007714-839522115-513
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities:
21-1214440339-113007714-839522115
RID: 513 (Domain Users)
NT ACE: S-1-1-0, flags 0x00, Access Allowed, mask 0x0012019f
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed
accesses will not be audited
.0.. .... = Audit Successful Accesses:
Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not
inherited from its parent object
.... 0... = Inherit Only: This ACE applies
to the current object
.... .0.. = Non-Propagate Inherit:
Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate
containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate
files will not inherit this ACE
Size: 20
Access required: 0x0012019f
Generic rights: 0x00000000
0... .... .... .... .... .... .... ....
= Generic read: Not set
.0.. .... .... .... .... .... .... ....
= Generic write: Not set
..0. .... .... .... .... .... .... ....
= Generic execute: Not set
...0 .... .... .... .... .... .... ....
= Generic all: Not set
.... ..0. .... .... .... .... .... .... =
Maximum allowed: Not set
.... .... 0... .... .... .... .... .... =
Access SACL: Not set
Standard rights: 0x00120000
.... .... ...1 .... .... .... .... ....
= Synchronise: Set
.... .... .... 0... .... .... .... ....
= Write owner: Not set
.... .... .... .0.. .... .... .... ....
= Write DAC: Not set
.... .... .... ..1. .... .... .... ....
= Read control: Set
.... .... .... ...0 .... .... .... ....
= Delete: Not set
FILE specific rights: 0x0000019f
.... .... .... .... .... ...1 .... ....
= Write Attribute: Set
.... .... .... .... .... .... 1... ....
= Read Attribute: Set
.... .... .... .... .... .... ..0. ....
= Execute: Not set
.... .... .... .... .... .... ...1 ....
= Write EA: Set
.... .... .... .... .... .... .... 1...
= Read EA: Set
.... .... .... .... .... .... .... .1..
= Append Data: Set
.... .... .... .... .... .... .... ..1.
= Write Data: Set
.... .... .... .... .... .... .... ...1
= Read Data: Set
ACE: S-1-1-0
Revision: 1
Num Auth: 1
Authority: 1
Sub-authorities: 0
NT ACE: S-1-5-21-1214440339-113007714-839522115-25226, flags 0x00, Access Allowed, mask 0x001200a9
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed
accesses will not be audited
.0.. .... = Audit Successful Accesses:
Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not
inherited from its parent object
.... 0... = Inherit Only: This ACE applies
to the current object
.... .0.. = Non-Propagate Inherit:
Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate
containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate
files will not inherit this ACE
Size: 36
Access required: 0x001200a9
Generic rights: 0x00000000
0... .... .... .... .... .... .... ....
= Generic read: Not set
.0.. .... .... .... .... .... .... ....
= Generic write: Not set
..0. .... .... .... .... .... .... ....
= Generic execute: Not set
...0 .... .... .... .... .... .... ....
= Generic all: Not set
.... ..0. .... .... .... .... .... .... =
Maximum allowed: Not set
.... .... 0... .... .... .... .... .... =
Access SACL: Not set
Standard rights: 0x00120000
.... .... ...1 .... .... .... .... ....
= Synchronise: Set
.... .... .... 0... .... .... .... ....
= Write owner: Not set
.... .... .... .0.. .... .... .... ....
= Write DAC: Not set
.... .... .... ..1. .... .... .... ....
= Read control: Set
.... .... .... ...0 .... .... .... ....
= Delete: Not set
FILE specific rights: 0x000000a9
.... .... .... .... .... ...0 .... ....
= Write Attribute: Not set
.... .... .... .... .... .... 1... ....
= Read Attribute: Set
.... .... .... .... .... .... ..1. ....
= Execute: Set
.... .... .... .... .... .... ...0 ....
= Write EA: Not set
.... .... .... .... .... .... .... 1...
= Read EA: Set
.... .... .... .... .... .... .... .0..
= Append Data: Not set
.... .... .... .... .... .... .... ..0.
= Write Data: Not set
.... .... .... .... .... .... .... ...1
= Read Data: Set
ACE: S-1-5-21-1214440339-113007714-839522115-25226
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities:
21-1214440339-113007714-839522115
RID: 25226
No. Time Source Destination Protocol Info
21 2.914634 192.168.1.3 192.168.1.4 SMB NT Trans Response, NT SET SECURITY DESC
Frame 21 (129 bytes on wire, 129 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.902277000
[Time delta from previous packet: 0.005258000 seconds]
[Time since reference or first frame: 2.914634000 seconds]
Frame Number: 21
Packet Length: 129 bytes
Capture Length: 129 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst:
Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4
(192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 115
Identification: 0x3965 (14693)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7db8 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port:
3257 (3257), Seq: 811, Ack: 1397, Len: 75
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 811 (relative sequence number)
[Next sequence number: 886 (relative sequence number)]
Acknowledgement number: 1397 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0x5294 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 20]
[The RTT to ACK the segment was: 0.005258000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 71
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 20]
[Time from request: 0.005258000 seconds]
SMB Command: NT Trans (0xa0)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc841
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .1.. .... = Long Names Used: Path names in request
are long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56257
NT Trans Response (0xa0)
Function: NT SET SECURITY DESC (3)
Word Count (WCT): 18
Reserved: 000000
Total Parameter Count: 0
Total Data Count: 0
Parameter Count: 0
Parameter Offset: 0
Parameter Displacement: 0
Data Count: 0
Data Offset: 0
Data Displacement: 0
Setup Count: 0
Byte Count (BCC): 0
No. Time Source Destination Protocol Info
22 2.915064 192.168.1.4 192.168.1.3 SMB Close Request, FID: 0x1e1f
Frame 22 (99 bytes on wire, 99 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.902707000
[Time delta from previous packet: 0.000430000 seconds]
[Time since reference or first frame: 2.915064000 seconds]
Frame Number: 22
Packet Length: 99 bytes
Capture Length: 99 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst:
Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3
(192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 85
Identification: 0x92c6 (37574)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe484 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port:
microsoft-ds (445), Seq: 1397, Ack: 886, Len: 45
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 1397 (relative sequence number)
[Next sequence number: 1442 (relative sequence number)]
Acknowledgement number: 886 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16107
Checksum: 0x86cd [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 21]
[The RTT to ACK the segment was: 0.000430000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 41
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 23]
SMB Command: Close (0x04)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .1.. = Security Signatures: Security
signatures are supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 65279
User ID: 101
Multiplex ID: 56321
Close Request (0x04)
Word Count (WCT): 3
FID: 0x1e1f
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 17]
[Closed in: 22]
Last Write: No time specified (0xffffffff)
Byte Count (BCC): 0
No. Time Source Destination Protocol Info
23 2.918907 192.168.1.3 192.168.1.4 SMB Close Response
Frame 23 (93 bytes on wire, 93 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.906550000
[Time delta from previous packet: 0.003843000 seconds]
[Time since reference or first frame: 2.918907000 seconds]
Frame Number: 23
Packet Length: 93 bytes
Capture Length: 93 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst:
Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4
(192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 79
Identification: 0x3966 (14694)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7ddb [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port:
3257 (3257), Seq: 886, Ack: 1442, Len: 39
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 886 (relative sequence number)
[Next sequence number: 925 (relative sequence number)]
Acknowledgement number: 1442 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0xc46a [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 22]
[The RTT to ACK the segment was: 0.003843000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 35
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 22]
[Time from request: 0.003843000 seconds]
SMB Command: Close (0x04)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc801
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 65279
User ID: 101
Multiplex ID: 56321
Close Response (0x04)
Word Count (WCT): 0
Byte Count (BCC): 0
No. Time Source Destination Protocol Info
24 2.919679 192.168.1.4 192.168.1.3 SMB NT Create AndX Request, Path: \Nasdrive5\shared\test\KleineGruppeDatei
Frame 24 (224 bytes on wire, 224 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.907322000
[Time delta from previous packet: 0.000772000 seconds]
[Time since reference or first frame: 2.919679000 seconds]
Frame Number: 24
Packet Length: 224 bytes
Capture Length: 224 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst:
Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3
(192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 210
Identification: 0x92c7 (37575)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe406 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port:
microsoft-ds (445), Seq: 1442, Ack: 925, Len: 170
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 1442 (relative sequence number)
[Next sequence number: 1612 (relative sequence number)]
Acknowledgement number: 925 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16068
Checksum: 0x367d [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 23]
[The RTT to ACK the segment was: 0.000772000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 166
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 25]
SMB Command: NT Create AndX (0xa2)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .1.. = Security Signatures: Security
signatures are supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56385
NT Create AndX Request (0xa2)
Word Count (WCT): 24
AndXCommand: No further commands (0xff)
Reserved: 00
AndXOffset: 57054
Reserved: 00
File Name Len: 80
Create Flags: 0x00000010
.... .... .... .... .... .... ...1 .... = Extended Response:
Extended responses required
.... .... .... .... .... .... .... 0... = Create Directory:
Target of open can be a file
.... .... .... .... .... .... .... .0.. = Batch Oplock: Does
NOT request batch oplock
.... .... .... .... .... .... .... ..0. = Exclusive Oplock:
Does NOT request oplock
Root FID: 0x00000000
Access Mask: 0x00020080
0... .... .... .... .... .... .... .... = Generic Read:
Generic read is NOT set
.0.. .... .... .... .... .... .... .... = Generic Write:
Generic write is NOT set
..0. .... .... .... .... .... .... .... = Generic Execute:
Generic execute is NOT set
...0 .... .... .... .... .... .... .... = Generic All:
Generic all is NOT set
.... ..0. .... .... .... .... .... .... = Maximum Allowed:
Maximum allowed is NOT set
.... ...0 .... .... .... .... .... .... = System Security:
System security is NOT set
.... .... ...0 .... .... .... .... .... = Synchronize: Can
NOT wait on handle to synchronize on completion of I/O
.... .... .... 0... .... .... .... .... = Write Owner: Can
NOT write owner (take ownership)
.... .... .... .0.. .... .... .... .... = Write DAC: Owner
may NOT write to the DAC
.... .... .... ..1. .... .... .... .... = Read Control: READ
ACCESS to owner, group and ACL of the SID
.... .... .... ...0 .... .... .... .... = Delete: NO delete
access
.... .... .... .... .... ...0 .... .... = Write Attributes:
NO write attributes access
.... .... .... .... .... .... 1... .... = Read Attributes:
READ ATTRIBUTES access
.... .... .... .... .... .... .0.. .... = Delete Child: NO
delete child access
.... .... .... .... .... .... ..0. .... = Execute: NO
execute access
.... .... .... .... .... .... ...0 .... = Write EA: NO write
extended attributes access
.... .... .... .... .... .... .... 0... = Read EA: NO read
extended attributes access
.... .... .... .... .... .... .... .0.. = Append: NO append
access
.... .... .... .... .... .... .... ..0. = Write: NO write access
.... .... .... .... .... .... .... ...0 = Read: NO read access
Allocation Size: 0
File Attributes: 0x00000000
.... .... .... .... .0.. .... .... .... = Encrypted: This is
NOT an encrypted file
.... .... .... .... ..0. .... .... .... = Content Indexed:
This file MAY be indexed by the content indexing service
.... .... .... .... ...0 .... .... .... = Offline: This file
is NOT offline
.... .... .... .... .... 0... .... .... = Compressed: This
is NOT a compressed file
.... .... .... .... .... .0.. .... .... = Reparse Point:
This file does NOT have an associated reparse point
.... .... .... .... .... ..0. .... .... = Sparse: This is
NOT a sparse file
.... .... .... .... .... ...0 .... .... = Temporary: This is
NOT a temporary file
.... .... .... .... .... .... 0... .... = Normal: This file
has some attribute set
.... .... .... .... .... .... .0.. .... = Device: This is
NOT a device
.... .... .... .... .... .... ..0. .... = Archive: This file
has NOT been modified since last archive
.... .... .... .... .... .... ...0 .... = Directory: This is
NOT a directory
.... .... .... .... .... .... .... 0... = Volume ID: This is
NOT a volume ID
.... .... .... .... .... .... .... .0.. = System: This is
NOT a system file
.... .... .... .... .... .... .... ..0. = Hidden: This is
NOT a hidden file
.... .... .... .... .... .... .... ...0 = Read Only: This
file is NOT read only
Share Access: 0x00000007
.... .... .... .... .... .... .... .1.. = Delete: Object can
be shared for DELETE
.... .... .... .... .... .... .... ..1. = Write: Object can
be shared for WRITE
.... .... .... .... .... .... .... ...1 = Read: Object can
be shared for READ
Disposition: Open (if file exists open it, else fail) (1)
Create Options: 0x00200000
.... .... .... .... .... .... .... ...0 = Directory: File
being created/opened must not be a directory
.... .... .... .... .... .... .... ..0. = Write Through:
Writes need not flush buffered data before completing
.... .... .... .... .... .... .... .0.. = Sequential Only:
The file might not only be accessed sequentially
.... .... .... .... .... .... .... 0... = Intermediate
Buffering: Intermediate buffering is allowed
.... .... .... .... .... .... ...0 .... = Sync I/O Alert:
Operations NOT necessarily synchronous
.... .... .... .... .... .... ..0. .... = Sync I/O Nonalert:
Operations NOT necessarily synchronous
.... .... .... .... .... .... .0.. .... = Non-Directory:
File being created/opened must be a directory
.... .... .... .... .... .... 0... .... = Create Tree
Connection: Create Tree Connections is NOT set
.... .... .... .... .... ...0 .... .... = Complete If
Oplocked: Complete if oplocked is NOT set
.... .... .... .... .... ..0. .... .... = No EA Knowledge:
The client understands extended attributes
.... .... .... .... .... .0.. .... .... = 8.3 Only: The
client understands long file names
.... .... .... .... .... 0... .... .... = Random Access: The
file will not be accessed randomly
.... .... .... .... ...0 .... .... .... = Delete On Close:
The file should not be deleted when it is closed
.... .... .... .... ..0. .... .... .... = Open By FileID:
OpenByFileID is NOT set
.... .... .... .... .0.. .... .... .... = Backup Intent:
This is a normal create
.... .... .... .... 0... .... .... .... = No Compression:
Compression is allowed for Open/Create
.... .... ...0 .... .... .... .... .... = Reserve Opfilter:
Reserve Opfilter is NOT set
.... .... ..1. .... .... .... .... .... = Open Reparse
Point: Open a Reparse Point
.... .... .0.. .... .... .... .... .... = Open No Recall:
Open no recall is NOT set
.... .... 0... .... .... .... .... .... = Open For Free
Space query: This is NOT an open for free space query
Impersonation: Impersonation (2)
Security Flags: 0x00
.... ...0 = Context Tracking: Security tracking mode is STATIC
.... ..0. = Effective Only: ALL aspects of the client's
security context are available
Byte Count (BCC): 83
File Name: \Nasdrive5\shared\test\KleineGruppeDatei
No. Time Source Destination Protocol Info
25 2.923559 192.168.1.3 192.168.1.4 SMB NT Create AndX Response, FID: 0x1e20
Frame 25 (161 bytes on wire, 161 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.911202000
[Time delta from previous packet: 0.003880000 seconds]
[Time since reference or first frame: 2.923559000 seconds]
Frame Number: 25
Packet Length: 161 bytes
Capture Length: 161 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst:
Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4
(192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 147
Identification: 0x3967 (14695)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7d96 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port:
3257 (3257), Seq: 925, Ack: 1612, Len: 107
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 925 (relative sequence number)
[Next sequence number: 1032 (relative sequence number)]
Acknowledgement number: 1612 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0x5d2c [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 24]
[The RTT to ACK the segment was: 0.003880000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 103
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 24]
[Time from request: 0.003880000 seconds]
SMB Command: NT Create AndX (0xa2)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc801
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56385
NT Create AndX Response (0xa2)
Word Count (WCT): 34
AndXCommand: No further commands (0xff)
Reserved: 00
AndXOffset: 0
Oplock level: No oplock granted (0)
FID: 0x1e20
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 25]
[Closed in: 30]
Create action: The file existed and was opened (1)
Created: Apr 12, 2007 16:25:34.000000000
Last Access: Apr 12, 2007 16:25:34.000000000
Last Write: Apr 12, 2007 16:25:34.000000000
Change: Apr 12, 2007 16:25:34.000000000
File Attributes: 0x00000020
.... .... .... .... .0.. .... .... .... = Encrypted: This is
NOT an encrypted file
.... .... .... .... ..0. .... .... .... = Content Indexed:
This file MAY be indexed by the content indexing service
.... .... .... .... ...0 .... .... .... = Offline: This file
is NOT offline
.... .... .... .... .... 0... .... .... = Compressed: This
is NOT a compressed file
.... .... .... .... .... .0.. .... .... = Reparse Point:
This file does NOT have an associated reparse point
.... .... .... .... .... ..0. .... .... = Sparse: This is
NOT a sparse file
.... .... .... .... .... ...0 .... .... = Temporary: This is
NOT a temporary file
.... .... .... .... .... .... 0... .... = Normal: This file
has some attribute set
.... .... .... .... .... .... .0.. .... = Device: This is
NOT a device
.... .... .... .... .... .... ..1. .... = Archive: This file
has been modified since last ARCHIVE
.... .... .... .... .... .... ...0 .... = Directory: This is
NOT a directory
.... .... .... .... .... .... .... 0... = Volume ID: This is
NOT a volume ID
.... .... .... .... .... .... .... .0.. = System: This is
NOT a system file
.... .... .... .... .... .... .... ..0. = Hidden: This is
NOT a hidden file
.... .... .... .... .... .... .... ...0 = Read Only: This
file is NOT read only
Allocation Size: 1048576
End Of File: 0
File Type: Disk file or directory (0)
IPC State: 0x0007
0... .... .... .... = Nonblocking: Reads/writes block if no
data available
.0.. .... .... .... = Endpoint: Consumer end of pipe (0)
.... 00.. .... .... = Pipe Type: Byte stream pipe (0)
.... ..00 .... .... = Read Mode: Read pipe as a byte stream (0)
.... .... 0000 0111 = Icount: 7
Is Directory: This is NOT a directory (0)
Byte Count (BCC): 0
No. Time Source Destination Protocol Info
26 2.923941 192.168.1.4 192.168.1.3 SMB NT Trans Request, NT QUERY SECURITY DESC, FID: 0x1e20
Frame 26 (142 bytes on wire, 142 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.911584000
[Time delta from previous packet: 0.000382000 seconds]
[Time since reference or first frame: 2.923941000 seconds]
Frame Number: 26
Packet Length: 142 bytes
Capture Length: 142 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst:
Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3
(192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 128
Identification: 0x92c8 (37576)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe457 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port:
microsoft-ds (445), Seq: 1612, Ack: 1032, Len: 88
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 1612 (relative sequence number)
[Next sequence number: 1700 (relative sequence number)]
Acknowledgement number: 1032 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 17520
Checksum: 0x2972 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 25]
[The RTT to ACK the segment was: 0.000382000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 84
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 27]
SMB Command: NT Trans (0xa0)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .1.. = Security Signatures: Security
signatures are supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56449
NT Trans Request (0xa0)
Word Count (WCT): 19
Max Setup Count: 0
Reserved: 0000
Total Parameter Count: 8
Total Data Count: 0
Max Parameter Count: 4
Max Data Count: 0
Parameter Count: 8
Parameter Offset: 76
Data Count: 0
Data Offset: 0
Setup Count: 0
Function: NT QUERY SECURITY DESC (6)
Byte Count (BCC): 11
Padding: 000000
NT QUERY SECURITY DESC Parameters
FID: 0x1e20
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 25]
[Closed in: 30]
Reserved: 0000
Security Information: 0x00000004
.... .... .... .... .... .... .... ...0 = Owner: NOT
requesting owner security information
.... .... .... .... .... .... .... ..0. = Group: NOT
requesting group security information
.... .... .... .... .... .... .... .1.. = DACL:
Requesting DACL security information
.... .... .... .... .... .... .... 0... = SACL: NOT
requesting SACL security information
No. Time Source Destination Protocol Info
27 2.927879 192.168.1.3 192.168.1.4 SMB NT Trans Response, NT QUERY SECURITY DESC, Error: STATUS_BUFFER_TOO_SMALL
Frame 27 (136 bytes on wire, 136 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.915522000
[Time delta from previous packet: 0.003938000 seconds]
[Time since reference or first frame: 2.927879000 seconds]
Frame Number: 27
Packet Length: 136 bytes
Capture Length: 136 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst:
Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4
(192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 122
Identification: 0x3968 (14696)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7dae [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port:
3257 (3257), Seq: 1032, Ack: 1700, Len: 82
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 1032 (relative sequence number)
[Next sequence number: 1114 (relative sequence number)]
Acknowledgement number: 1700 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0xe24d [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 26]
[The RTT to ACK the segment was: 0.003938000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 78
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 26]
[Time from request: 0.003938000 seconds]
SMB Command: NT Trans (0xa0)
NT Status: STATUS_BUFFER_TOO_SMALL (0xc0000023)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc841
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .1.. .... = Long Names Used: Path names in request
are long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56449
NT Trans Response (0xa0)
Function: NT QUERY SECURITY DESC (6)
Word Count (WCT): 18
Reserved: 000000
Total Parameter Count: 4
Total Data Count: 0
Parameter Count: 4
Parameter Offset: 74
Parameter Displacement: 0
Data Count: 0
Data Offset: 0
Data Displacement: 0
Setup Count: 0
Byte Count (BCC): 7
Padding: 000000
NT QUERY SECURITY DESC Parameters
NT Security Descriptor Length: 156
No. Time Source Destination Protocol Info
28 2.928246 192.168.1.4 192.168.1.3 SMB NT Trans Request, NT QUERY SECURITY DESC, FID: 0x1e20
Frame 28 (142 bytes on wire, 142 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.915889000
[Time delta from previous packet: 0.000367000 seconds]
[Time since reference or first frame: 2.928246000 seconds]
Frame Number: 28
Packet Length: 142 bytes
Capture Length: 142 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst:
Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3
(192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 128
Identification: 0x92c9 (37577)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe456 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port:
microsoft-ds (445), Seq: 1700, Ack: 1114, Len: 88
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 1700 (relative sequence number)
[Next sequence number: 1788 (relative sequence number)]
Acknowledgement number: 1114 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 17438
Checksum: 0x4d19 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 27]
[The RTT to ACK the segment was: 0.000367000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 84
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 29]
SMB Command: NT Trans (0xa0)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .1.. = Security Signatures: Security
signatures are supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56513
NT Trans Request (0xa0)
Word Count (WCT): 19
Max Setup Count: 0
Reserved: 0000
Total Parameter Count: 8
Total Data Count: 0
Max Parameter Count: 4
Max Data Count: 156
Parameter Count: 8
Parameter Offset: 76
Data Count: 0
Data Offset: 0
Setup Count: 0
Function: NT QUERY SECURITY DESC (6)
Byte Count (BCC): 11
Padding: 000000
NT QUERY SECURITY DESC Parameters
FID: 0x1e20
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 25]
[Closed in: 30]
Reserved: 0000
Security Information: 0x00000004
.... .... .... .... .... .... .... ...0 = Owner: NOT
requesting owner security information
.... .... .... .... .... .... .... ..0. = Group: NOT
requesting group security information
.... .... .... .... .... .... .... .1.. = DACL:
Requesting DACL security information
.... .... .... .... .... .... .... 0... = SACL: NOT
requesting SACL security information
No. Time Source Destination Protocol Info
29 2.932058 192.168.1.3 192.168.1.4 SMB NT Trans Response, NT QUERY SECURITY DESC
Frame 29 (292 bytes on wire, 292 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.919701000
[Time delta from previous packet: 0.003812000 seconds]
[Time since reference or first frame: 2.932058000 seconds]
Frame Number: 29
Packet Length: 292 bytes
Capture Length: 292 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst:
Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4
(192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 278
Identification: 0x3969 (14697)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7d11 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port:
3257 (3257), Seq: 1114, Ack: 1788, Len: 238
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 1114 (relative sequence number)
[Next sequence number: 1352 (relative sequence number)]
Acknowledgement number: 1788 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0x8f4a [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 28]
[The RTT to ACK the segment was: 0.003812000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 234
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 28]
[Time from request: 0.003812000 seconds]
SMB Command: NT Trans (0xa0)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc841
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .1.. .... = Long Names Used: Path names in request
are long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56513
NT Trans Response (0xa0)
Function: NT QUERY SECURITY DESC (6)
Word Count (WCT): 18
Reserved: 000000
Total Parameter Count: 4
Total Data Count: 156
Parameter Count: 4
Parameter Offset: 74
Parameter Displacement: 0
Data Count: 156
Data Offset: 78
Data Displacement: 0
Setup Count: 0
Byte Count (BCC): 163
Padding: 000000
NT QUERY SECURITY DESC Parameters
NT Security Descriptor Length: 156
NT QUERY SECURITY DESC Data
NT Security Descriptor
Revision: 1
Type: 0x9004
1... .... .... .... = Self Relative: This SecDesc is
SELF RELATIVE
.0.. .... .... .... = RM Control Valid: Rm control
valid is FALSE
..0. .... .... .... = SACL Protected: The SACL is
NOT protected
...1 .... .... .... = DACL Protected: The DACL is
PROTECTED
.... 0... .... .... = SACL Auto Inherited: SACL is
NOT auto inherited
.... .0.. .... .... = DACL Auto Inherited: DACL is
NOT auto inherited
.... ..0. .... .... = SACL Auto Inherit Required:
SACL does NOT require auto inherit
.... ...0 .... .... = DACL Auto Inherit Required:
DACL does NOT require auto inherit
.... .... 0... .... = Server Security: Server
security is FALSE
.... .... .0.. .... = DACL Trusted: Dacl trusted is
FALSE
.... .... ..0. .... = SACL Defaulted: SACL is NOT
defaulted
.... .... ...0 .... = SACL Present: SACL is NOT present
.... .... .... 0... = DACL Defaulted: DACL is NOT
defaulted
.... .... .... .1.. = DACL Present: DACL is PRESENT
.... .... .... ..0. = Group Defaulted: Group is NOT
defaulted
.... .... .... ...0 = Owner Defaulted: Owner is NOT
defaulted
Offset to owner SID: 0
Offset to group SID: 0
Offset to SACL: 0
Offset to DACL: 20
NT User (DACL) ACL
Revision: NT4 (2)
Size: 136
Num ACEs: 4
NT ACE: S-1-5-21-1214440339-113007714-839522115-500,
flags 0x00, Access Allowed, mask 0x001f01ff
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed
accesses will not be audited
.0.. .... = Audit Successful Accesses:
Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not
inherited from its parent object
.... 0... = Inherit Only: This ACE applies
to the current object
.... .0.. = Non-Propagate Inherit:
Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate
containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate
files will not inherit this ACE
Size: 36
Access required: 0x001f01ff
Generic rights: 0x00000000
0... .... .... .... .... .... .... ....
= Generic read: Not set
.0.. .... .... .... .... .... .... ....
= Generic write: Not set
..0. .... .... .... .... .... .... ....
= Generic execute: Not set
...0 .... .... .... .... .... .... ....
= Generic all: Not set
.... ..0. .... .... .... .... .... .... =
Maximum allowed: Not set
.... .... 0... .... .... .... .... .... =
Access SACL: Not set
Standard rights: 0x001f0000
.... .... ...1 .... .... .... .... ....
= Synchronise: Set
.... .... .... 1... .... .... .... ....
= Write owner: Set
.... .... .... .1.. .... .... .... ....
= Write DAC: Set
.... .... .... ..1. .... .... .... ....
= Read control: Set
.... .... .... ...1 .... .... .... ....
= Delete: Set
FILE specific rights: 0x000001ff
[FULL CONTROL]
.... .... .... .... .... ...1 .... ....
= Write Attribute: Set
.... .... .... .... .... .... 1... ....
= Read Attribute: Set
.... .... .... .... .... .... ..1. ....
= Execute: Set
.... .... .... .... .... .... ...1 ....
= Write EA: Set
.... .... .... .... .... .... .... 1...
= Read EA: Set
.... .... .... .... .... .... .... .1..
= Append Data: Set
.... .... .... .... .... .... .... ..1.
= Write Data: Set
.... .... .... .... .... .... .... ...1
= Read Data: Set
ACE: S-1-5-21-1214440339-113007714-839522115-500
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities:
21-1214440339-113007714-839522115
RID: 500 (Administrator)
NT ACE:
S-1-5-21-1214440339-113007714-839522115-25226, flags 0x00, Access
Allowed, mask 0x001200a9
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed
accesses will not be audited
.0.. .... = Audit Successful Accesses:
Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not
inherited from its parent object
.... 0... = Inherit Only: This ACE applies
to the current object
.... .0.. = Non-Propagate Inherit:
Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate
containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate
files will not inherit this ACE
Size: 36
Access required: 0x001200a9
Generic rights: 0x00000000
0... .... .... .... .... .... .... ....
= Generic read: Not set
.0.. .... .... .... .... .... .... ....
= Generic write: Not set
..0. .... .... .... .... .... .... ....
= Generic execute: Not set
...0 .... .... .... .... .... .... ....
= Generic all: Not set
.... ..0. .... .... .... .... .... .... =
Maximum allowed: Not set
.... .... 0... .... .... .... .... .... =
Access SACL: Not set
Standard rights: 0x00120000
.... .... ...1 .... .... .... .... ....
= Synchronise: Set
.... .... .... 0... .... .... .... ....
= Write owner: Not set
.... .... .... .0.. .... .... .... ....
= Write DAC: Not set
.... .... .... ..1. .... .... .... ....
= Read control: Set
.... .... .... ...0 .... .... .... ....
= Delete: Not set
FILE specific rights: 0x000000a9
.... .... .... .... .... ...0 .... ....
= Write Attribute: Not set
.... .... .... .... .... .... 1... ....
= Read Attribute: Set
.... .... .... .... .... .... ..1. ....
= Execute: Set
.... .... .... .... .... .... ...0 ....
= Write EA: Not set
.... .... .... .... .... .... .... 1...
= Read EA: Set
.... .... .... .... .... .... .... .0..
= Append Data: Not set
.... .... .... .... .... .... .... ..0.
= Write Data: Not set
.... .... .... .... .... .... .... ...1
= Read Data: Set
ACE: S-1-5-21-1214440339-113007714-839522115-25226
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities:
21-1214440339-113007714-839522115
RID: 25226
NT ACE: S-1-5-21-1214440339-113007714-839522115-513,
flags 0x00, Access Allowed, mask 0x0012019f
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed
accesses will not be audited
.0.. .... = Audit Successful Accesses:
Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not
inherited from its parent object
.... 0... = Inherit Only: This ACE applies
to the current object
.... .0.. = Non-Propagate Inherit:
Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate
containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate
files will not inherit this ACE
Size: 36
Access required: 0x0012019f
Generic rights: 0x00000000
0... .... .... .... .... .... .... ....
= Generic read: Not set
.0.. .... .... .... .... .... .... ....
= Generic write: Not set
..0. .... .... .... .... .... .... ....
= Generic execute: Not set
...0 .... .... .... .... .... .... ....
= Generic all: Not set
.... ..0. .... .... .... .... .... .... =
Maximum allowed: Not set
.... .... 0... .... .... .... .... .... =
Access SACL: Not set
Standard rights: 0x00120000
.... .... ...1 .... .... .... .... ....
= Synchronise: Set
.... .... .... 0... .... .... .... ....
= Write owner: Not set
.... .... .... .0.. .... .... .... ....
= Write DAC: Not set
.... .... .... ..1. .... .... .... ....
= Read control: Set
.... .... .... ...0 .... .... .... ....
= Delete: Not set
FILE specific rights: 0x0000019f
.... .... .... .... .... ...1 .... ....
= Write Attribute: Set
.... .... .... .... .... .... 1... ....
= Read Attribute: Set
.... .... .... .... .... .... ..0. ....
= Execute: Not set
.... .... .... .... .... .... ...1 ....
= Write EA: Set
.... .... .... .... .... .... .... 1...
= Read EA: Set
.... .... .... .... .... .... .... .1..
= Append Data: Set
.... .... .... .... .... .... .... ..1.
= Write Data: Set
.... .... .... .... .... .... .... ...1
= Read Data: Set
ACE: S-1-5-21-1214440339-113007714-839522115-513
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities:
21-1214440339-113007714-839522115
RID: 513 (Domain Users)
NT ACE: S-1-1-0, flags 0x00, Access Allowed, mask
0x0012019f
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed
accesses will not be audited
.0.. .... = Audit Successful Accesses:
Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not
inherited from its parent object
.... 0... = Inherit Only: This ACE applies
to the current object
.... .0.. = Non-Propagate Inherit:
Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate
containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate
files will not inherit this ACE
Size: 20
Access required: 0x0012019f
Generic rights: 0x00000000
0... .... .... .... .... .... .... ....
= Generic read: Not set
.0.. .... .... .... .... .... .... ....
= Generic write: Not set
..0. .... .... .... .... .... .... ....
= Generic execute: Not set
...0 .... .... .... .... .... .... ....
= Generic all: Not set
.... ..0. .... .... .... .... .... .... =
Maximum allowed: Not set
.... .... 0... .... .... .... .... .... =
Access SACL: Not set
Standard rights: 0x00120000
.... .... ...1 .... .... .... .... ....
= Synchronise: Set
.... .... .... 0... .... .... .... ....
= Write owner: Not set
.... .... .... .0.. .... .... .... ....
= Write DAC: Not set
.... .... .... ..1. .... .... .... ....
= Read control: Set
.... .... .... ...0 .... .... .... ....
= Delete: Not set
FILE specific rights: 0x0000019f
.... .... .... .... .... ...1 .... ....
= Write Attribute: Set
.... .... .... .... .... .... 1... ....
= Read Attribute: Set
.... .... .... .... .... .... ..0. ....
= Execute: Not set
.... .... .... .... .... .... ...1 ....
= Write EA: Set
.... .... .... .... .... .... .... 1...
= Read EA: Set
.... .... .... .... .... .... .... .1..
= Append Data: Set
.... .... .... .... .... .... .... ..1.
= Write Data: Set
.... .... .... .... .... .... .... ...1
= Read Data: Set
ACE: S-1-1-0
Revision: 1
Num Auth: 1
Authority: 1
Sub-authorities: 0
No. Time Source Destination Protocol
Info
30 2.932521 192.168.1.4 192.168.1.3 SMB
Close Request, FID: 0x1e20
Frame 30 (99 bytes on wire, 99 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.920164000
[Time delta from previous packet: 0.000463000 seconds]
[Time since reference or first frame: 2.932521000 seconds]
Frame Number: 30
Packet Length: 99 bytes
Capture Length: 99 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst:
Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3
(192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 85
Identification: 0x92ca (37578)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe480 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port:
microsoft-ds (445), Seq: 1788, Ack: 1352, Len: 45
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 1788 (relative sequence number)
[Next sequence number: 1833 (relative sequence number)]
Acknowledgement number: 1352 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 17200
Checksum: 0x7f2d [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 29]
[The RTT to ACK the segment was: 0.000463000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 41
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 31]
SMB Command: Close (0x04)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .1.. = Security Signatures: Security
signatures are supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 65279
User ID: 101
Multiplex ID: 56577
Close Request (0x04)
Word Count (WCT): 3
FID: 0x1e20
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 25]
[Closed in: 30]
Last Write: No time specified (0xffffffff)
Byte Count (BCC): 0
No. Time Source Destination Protocol
Info
31 2.936432 192.168.1.3 192.168.1.4 SMB
Close Response
Frame 31 (93 bytes on wire, 93 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.924075000
[Time delta from previous packet: 0.003911000 seconds]
[Time since reference or first frame: 2.936432000 seconds]
Frame Number: 31
Packet Length: 93 bytes
Capture Length: 93 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst:
Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4
(192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 79
Identification: 0x396a (14698)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7dd7 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port:
3257 (3257), Seq: 1352, Ack: 1833, Len: 39
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 1352 (relative sequence number)
[Next sequence number: 1391 (relative sequence number)]
Acknowledgement number: 1833 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0xc110 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 30]
[The RTT to ACK the segment was: 0.003911000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 35
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 30]
[Time from request: 0.003911000 seconds]
SMB Command: Close (0x04)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc801
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 65279
User ID: 101
Multiplex ID: 56577
Close Response (0x04)
Word Count (WCT): 0
Byte Count (BCC): 0
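The comparison the post makes by eye between the SIDs sent in frame 20 and the DACL read back in frame 29, as an added example that is not part of the original post or of Samba: it parses a self-relative NT security descriptor and reports requested SIDs absent from the read-back DACL. The function names are hypothetical, and the descriptor bytes are constructed from the SIDs, masks and sizes frame 29 displays, not copied from the capture.

```python
import struct

def pack_sid(text):
    """Encode an 'S-1-5-11' style string into the binary SID layout."""
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")          # authority is big-endian
            + struct.pack("<%dI" % len(subs), *subs))

def build_descriptor(aces):
    """Constructed sample: self-relative descriptor carrying only a DACL."""
    body = b""
    for sid, mask in aces:
        raw = pack_sid(sid)
        body += struct.pack("<BBHI", 0, 0, 8 + len(raw), mask) + raw  # type 0: Access Allowed
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, 0x9004, 0, 0, 0, 20) + acl

def parse_dacl(sd):
    """Return [(sid, mask), ...]; assumes basic ACEs (SID directly after the mask)."""
    if len(sd) < 20:
        raise ValueError("shorter than the 20-byte descriptor header")
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd)
    if not control & 0x0004 or dacl_off == 0:           # DACL Present bit clear
        return []
    if dacl_off + 8 > len(sd):
        raise ValueError("DACL offset outside descriptor")
    acl_size, count = struct.unpack_from("<HH", sd, dacl_off + 2)
    end = dacl_off + acl_size
    if end > len(sd):
        raise ValueError("ACL size runs past the descriptor")
    pos, out = dacl_off + 8, []
    for _ in range(count):
        if pos + 16 > end:                              # 8-byte ACE header + 8-byte SID header
            raise ValueError("truncated ACE")
        size, mask = struct.unpack_from("<HI", sd, pos + 2)
        nsub = sd[pos + 9]
        if size < 16 + 4 * nsub or pos + size > end:
            raise ValueError("ACE size inconsistent with its SID")
        subs = struct.unpack_from("<%dI" % nsub, sd, pos + 16)
        auth = int.from_bytes(sd[pos + 10:pos + 16], "big")
        out.append(("-".join(["S", str(sd[pos + 8]), str(auth)] + [str(s) for s in subs]), mask))
        pos += size
    return out

def missing_sids(requested, sd):
    """SIDs the client asked to set that the read-back DACL does not contain."""
    present = {sid for sid, _ in parse_dacl(sd)}
    return [s for s in requested if s not in present]

# Constructed from the SIDs and masks frame 29 displays; not the captured bytes.
DOMAIN = "S-1-5-21-1214440339-113007714-839522115"
READBACK = build_descriptor(
    [(DOMAIN + "-500", 0x001F01FF), (DOMAIN + "-25226", 0x001200A9),
     (DOMAIN + "-513", 0x0012019F), ("S-1-1-0", 0x0012019F)])

if __name__ == "__main__":
    print(len(READBACK), missing_sids(["S-1-5-11"], READBACK))
```

The constructed descriptor comes out at 156 bytes with a 136-byte ACL, the lengths frame 29 reports, so the same parser can be pointed at security descriptor bytes exported from a capture.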