[SMB] NTCreateANDX question

ronnie sahlberg ronniesahlberg at gmail.com
Wed Jun 13 08:31:02 GMT 2007


What exactly do you want to do?   Just list all SMB packets and which
user / share issued it?

If so, why don't you just use wireshark/tshark? It will track all this
state for you.


Example:   make tshark print both the user account that logged onto
this UID and also show the share name that was mapped to the TID

./tshark -n -r /mnt/winreg/winreg.cap.gz -R "smb" -z proto,colinfo,smb.account,smb.account -z proto,colinfo,smb.path,smb.path


You want to produce a service response time table for SMB but only for
the commands that are issued by "administrator"?

./tshark -n -r /mnt/winreg/winreg.cap.gz -R "not frame" -z smb,rtt,smb.account==administrator



man tshark

On 6/11/07, yang mikey <mikeyredmoon at gmail.com> wrote:
> hi, Mike
>
> yeah, I did not notice it before, I just used the value on Windows XP SP2 and
> 2003, because
> the BYTE COUNT in the wrong place is zero, but when I tested on Windows 2000, I
> found there is an
> abnormally large number in there; if I read it, the memory would crash.
>
> in fact, I am doing a little tool to monitor share folder changes via
> parsing the CIFS protocol.
> I don't know why MS changed the SMB protocol so much by adding some
> NTxxxANDXs, I
> find it so hard to know what the user did. For example, because COMMAND_COPY
> is obsolete,
> I can't judge the COPY operation, copy source, copy target; I just see a
> file is opened by 0xA2
> and read by 0x2E, and a new file is created (also 0xA2). Is there any
> document that describes the
> procedure?  thanks.
>                                                                        Mikey
>
>
>
> 2007/6/11, Michael B Allen <mba2000 at ioplex.com>:
> >
> > Ahh, I see what you're talking about. In the response. The WordCount is
> > way too large. It should be more like 34 and not 42. Funny, I've written
> > multiple CIFS clients and never noticed.
> >
> > Mike
> >
> > On Mon, 11 Jun 2007 12:09:38 +0900
> > "yang mikey" <mikeyredmoon at gmail.com> wrote:
> >
> > > hi, Allen
> > > Thanks for your reply and time.
> > > I am sorry that I cannot send any packet file to you, because, you know, I
> > am
> > > in a company.
> > > But this packet is not special, I think. Just a very common
> > NTCreateAndX
> > > packet (smb.command == 0xA2); if
> > > you log into a server with a share folder and make some file operations
> > such
> > > as deleting or creating
> > > a new file, you will see the packet in Ethereal.
> > >                                                                   Mikey
> > >
> > >
> > > 2007/6/9, Michael B Allen <mba2000 at ioplex.com>:
> > > >
> > > > Mikey,
> > > >
> > > > Is it ok to send me your capture file?
> > > >
> > > > I'm always interested in seeing mutant packets.
> > > >
> > > > Mike
> > > >
> > > > On Fri, 8 Jun 2007 11:11:21 +0900
> > > > "yang mikey" <mikeyredmoon at gmail.com> wrote:
> > > >
> > > > > hi, everybody
> > > > > I found an interesting thing.
> > > > >
> > > > > When I see the header of NTCreateAndX [0xA2] via Ethereal,
> > > > > I find the value of WORD COUNT is 42, but the position of BYTE
> > COUNT is
> > > > not
> > > > > at
> > > > > (offset of WORD COUNT) +  (value of  WORD COUNT) * 2.
> > > > >
> > > > > Why does it happen, and how does Ethereal know the correct position of
> > BYTE
> > > > COUNT?
> > > > >
> > > > > thanks a lot
> > > > >                                                             Mikey
> > > > >
> > > >
> > > >
> > > > --
> > > > Michael B Allen
> > > > PHP Active Directory Kerberos SSO
> > > > http://www.ioplex.com/
> > > >
> > >
> >
> >
> > --
> > Michael B Allen
> > PHP Active Directory Kerberos SSO
> > http://www.ioplex.com/
> >
>
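
The parsing problem the thread circles around, as an added example (this is not code from the thread, from Samba or from Wireshark/Ethereal): an SMB1 response carries a one-byte WordCount, WordCount*2 bytes of parameter words, then a two-byte ByteCount. The thread reports Windows NT_CREATE_ANDX (0xA2) responses that advertise WordCount = 42 while only 34 words (68 bytes) actually precede ByteCount, so a parser that trusts the count reads ByteCount from the wrong offset, often beyond the packet, and then uses whatever it finds there as a length. The code below shows a generic parser that trusts the on-wire counts but never reads past the buffer, and a layout-aware parser that locates the fields of the 0xA2 response from the known 34-word structure. Field offsets follow the classic CIFS header and NT_CREATE_ANDX response layout; the sample packet, its FID/EndOfFile values and the 0xFF "trailing memory" are constructed for this example.

```c
/* Added example (not from the thread, Samba or Wireshark): bounds-checked
 * SMB1 block parsing and a layout-aware NT_CREATE_ANDX response parser that
 * copes with the WordCount 42-vs-34 quirk described in the thread. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB_HDR_LEN            32
#define SMB_COM_NT_CREATE_ANDX 0xA2
#define SMB_FLAGS_REPLY        0x80
#define NTCREATE_RESP_WORDS    34   /* words actually present in the response */
#define NTCREATE_RESP_WC_QUIRK 42   /* WordCount the thread saw on the wire */

struct smb_block {
    uint8_t        word_count;
    const uint8_t *words;           /* word_count * 2 bytes */
    size_t         byte_count_off;  /* offset of ByteCount within pkt */
    uint16_t       byte_count;
    const uint8_t *bytes;           /* byte_count bytes */
};

struct ntcreate_resp {
    uint8_t  word_count_on_wire;
    uint16_t fid;
    uint64_t end_of_file;
    uint8_t  directory;
    uint16_t byte_count;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t le64(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Generic parse: trusts WordCount and ByteCount but refuses to read past len.
 * Returns 0 on success, -1 if an advertised size does not fit. Fields filled
 * before the failing check stay set so the caller can log what the server
 * claimed. */
int smb_parse_block(const uint8_t *pkt, size_t len, struct smb_block *b)
{
    memset(b, 0, sizeof *b);
    if (len < SMB_HDR_LEN + 1 || memcmp(pkt, "\xFFSMB", 4) != 0) return -1;
    b->word_count = pkt[SMB_HDR_LEN];
    b->words = pkt + SMB_HDR_LEN + 1;
    b->byte_count_off = SMB_HDR_LEN + 1 + (size_t)b->word_count * 2;
    if (b->byte_count_off + 2 > len) return -1;                 /* WordCount overruns the packet */
    b->byte_count = le16(pkt + b->byte_count_off);
    b->bytes = pkt + b->byte_count_off + 2;
    if (b->byte_count_off + 2 + b->byte_count > len) return -1; /* ByteCount overruns the packet */
    return 0;
}

/* Layout-aware parse of an NT_CREATE_ANDX response: fields are read from the
 * known 34-word structure, not from the advertised WordCount. Accepts 34 (per
 * spec) or the 42 quirk, and still requires the 68 bytes of words plus
 * ByteCount to fit inside the packet. */
int smb_parse_ntcreate_resp(const uint8_t *pkt, size_t len, struct ntcreate_resp *r)
{
    memset(r, 0, sizeof *r);
    const size_t bc_off = SMB_HDR_LEN + 1 + NTCREATE_RESP_WORDS * 2;   /* 101 */
    if (len < bc_off + 2 || memcmp(pkt, "\xFFSMB", 4) != 0) return -1;
    if (pkt[4] != SMB_COM_NT_CREATE_ANDX || !(pkt[9] & SMB_FLAGS_REPLY)) return -1;
    uint8_t wc = pkt[SMB_HDR_LEN];
    if (wc != NTCREATE_RESP_WORDS && wc != NTCREATE_RESP_WC_QUIRK) return -1;
    const uint8_t *w = pkt + SMB_HDR_LEN + 1;
    r->word_count_on_wire = wc;
    r->fid         = le16(w + 5);   /* after AndXCommand, AndXReserved, AndXOffset, OplockLevel */
    r->end_of_file = le64(w + 55);  /* after CreateDisposition, four FILETIMEs, ExtFileAttributes, AllocationSize */
    r->directory   = w[67];
    r->byte_count  = le16(pkt + bc_off);
    return (bc_off + 2 + r->byte_count > len) ? -1 : 0;
}

/* Constructed sample (not a real capture): an NT_CREATE_ANDX response with
 * FID 0x1234, EndOfFile 4096, ByteCount 0 and the WordCount the caller asks
 * for, followed by `trailing` bytes of 0xFF standing in for whatever memory
 * sits after the packet. Returns bytes written, 0 if cap is too small. */
size_t build_sample_ntcreate_resp(uint8_t *buf, size_t cap, uint8_t word_count, size_t trailing)
{
    const size_t pkt_len = SMB_HDR_LEN + 1 + NTCREATE_RESP_WORDS * 2 + 2;  /* 103 */
    if (cap < pkt_len + trailing) return 0;
    memset(buf, 0, pkt_len);
    memcpy(buf, "\xFFSMB", 4);
    buf[4] = SMB_COM_NT_CREATE_ANDX;
    buf[9] = SMB_FLAGS_REPLY;
    put16(buf + 24, 1);                     /* TID */
    buf[SMB_HDR_LEN] = word_count;
    uint8_t *w = buf + SMB_HDR_LEN + 1;
    w[0] = 0xFF;                            /* AndXCommand: no chained command */
    put16(w + 5, 0x1234);                   /* FID */
    put64(w + 55, 4096);                    /* EndOfFile */
    memset(buf + pkt_len, 0xFF, trailing);  /* ByteCount at buf[101] stays 0 */
    return pkt_len + trailing;
}

int main(void)
{
    uint8_t buf[256];
    struct smb_block b;
    struct ntcreate_resp r;
    size_t n = build_sample_ntcreate_resp(buf, sizeof buf, NTCREATE_RESP_WC_QUIRK, 0);
    printf("trust WordCount=42, exact packet: %s\n", smb_parse_block(buf, n, &b) ? "rejected" : "ok");
    n = build_sample_ntcreate_resp(buf, sizeof buf, NTCREATE_RESP_WC_QUIRK, 32);
    if (smb_parse_block(buf, n, &b))   /* bogus position reads the 0xFF filler as ByteCount */
        printf("trust WordCount=42, trailing memory: rejected, ByteCount read as 0x%04x at offset %zu\n",
               b.byte_count, b.byte_count_off);
    n = build_sample_ntcreate_resp(buf, sizeof buf, NTCREATE_RESP_WC_QUIRK, 0);
    if (smb_parse_ntcreate_resp(buf, n, &r) == 0)
        printf("layout-aware: WordCount %u on wire, FID 0x%04x, EOF %llu, ByteCount %u\n",
               r.word_count_on_wire, r.fid, (unsigned long long)r.end_of_file, r.byte_count);
    return 0;
}
```

The second scenario is the one the thread describes: with the packet sitting in front of other memory, the trusted WordCount lands ByteCount on the filler and yields 0xFFFF, and a tool that then reads that many bytes walks off the buffer. A dissector knows the fixed size of each command's response, which is why it can place ByteCount correctly regardless of the advertised count; a hand-written parser has to do the same, and in every case check both counts against the length it actually has.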

