Discussion:
Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)
Jens Nissen
2007-04-12 23:01:29 UTC
I cannot set rights on an arbitrary file or folder for the Windows
predefined group "Authenticated Users" (which has SID S-1-5-11) via
SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.

Everything else works:
- I can set rights for any other domain group.
- I can read the ACL entry for "Authenticated Users" in the Windows 2000
File Attribute Dialog if I set it manually with setfacl before
- I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
existence of this predefined group.

What am I doing wrong? Is this supposed to work?
Is there a workaround or any other suitable mapping for this group?

In the "Unofficial Samba + ACL Howto", there is a reference (chapter
3.1.4) that this might not work, but that was back in 2003 and 4 years
have passed since then.

Kind regards for any hint,

Jens

P.S.: smb.conf output from testparm; nt acl support = Yes is also set
(testparm does not show it)

[global]
dos charset = ISO-8859-1
unix charset = ISO-8859-1
display charset = ISO-8859-1
workgroup = XXX
realm = XXX.TEST
security = ADS
password server = xxx.xxx.test
passdb backend = tdbsam
guest account = samba
name resolve order = host wins bcast
idmap uid = 1000-60000
idmap gid = 1000-60000
winbind enum users = Yes
winbind enum groups = Yes
winbind nss info = rfc2307
ldapsam:trusted = Yes
admin users = XXX\\Administrator
ea support = Yes
map acl inherit = Yes
hide dot files = No
map hidden = Yes
map readonly = permissions
dos filemode = Yes

[homes]
comment = Home Directories
read only = No
browseable = No
preexec = mkdir -m 700 %P

[shared]
comment = ACL shared folder
path = /export/shared
read only = No
create mask = 0777
directory mask = 0777
Jeremy Allison
2007-04-12 23:08:32 UTC
Post by Jens Nissen
I cannot set rights on an arbitrary file or folder for the Windows
predefined group "Authenticated Users" (which has SID S-1-5-11) via
SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
- I can set rights for any other domain group.
- I can read the ACL entry for "Authenticated Users" in the Windows 2000
File Attribute Dialog if I set it manually with setfacl before
- I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
existence of this predefined group.
What am I doing wrong? Is this supposed to work?
Is there a workaround or any other suitable mapping for this group?
In the "Unofficial Samba + ACL Howto", there is a reference (chapter
3.1.4) that this might not work, but that was back in 2003 and 4 years
have passed since then.
What fails ? Selecting the user in the GUI ? More info on
exactly what isn't working would be good.

Jeremy.
Jens Nissen
2007-04-13 17:00:19 UTC
Very embarrassing indeed :-()

What I do: Put the "Authenticated Users" to the list of users already
having access. I then assign some rights (let's say Read and Write) and
then I press OK.
What I see: After reopening the GUI (or pressing Update), the entry has
simply vanished. Checking with getfacl shows that "Authenticated Users"
has received no ACL entry.

What is even stranger: I set the permissions for "Authenticated Users"
with setfacl and edit a completely different domain user ACL entry and
press OK again.
What I see: The ACL entry for "Authenticated Users" has gone. The ACL
entry for the domain user is perfectly OK. Again, I checked with getfacl
that what the GUI shows is indeed correct.

I'm using security=ADS - may this have an impact?

Jens
Post by Jeremy Allison
Post by Jens Nissen
I cannot set rights on an arbitrary file or folder for the Windows
predefined group "Authenticated Users" (which has SID S-1-5-11) via
SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
- I can set rights for any other domain group.
- I can read the ACL entry for "Authenticated Users" in the Windows 2000
File Attribute Dialog if I set it manually with setfacl before
- I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
existence of this predefined group.
What am I doing wrong? Is this supposed to work?
Is there a workaround or any other suitable mapping for this group?
In the "Unofficial Samba + ACL Howto", there is a reference (chapter
3.1.4) that this might not work, but that was back in 2003 and 4 years
have passed since then.
What fails ? Selecting the user in the GUI ? More info on
exactly what isn't working would be good.
Jeremy.
Jens Nissen
2007-04-17 14:13:31 UTC
Reading the code, I located the bug in
smbd/posix_acls.c:create_canon_ace_lists, but I do need advice of
someone who knows what is going on and what to do.

The source code says:

///////////////////////////////////////////
    /*
     * Ignore non-mappable SIDs (NT Authority, BUILTIN etc).
     */

    if (non_mappable_sid(&psa->trustee)) {
        fstring str;
        DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
            sid_to_string(str, &psa->trustee) ));
        continue;
    }
///////////////////////////////////////////

SID S-1-5-11 ("Authenticated Users") is part of the NT Authority.
Why should this SID be "non-mappable"?
Windows Servers do allow setting this SID so I expect Samba Servers to
do simply the same as the Windows Servers!

Can I simply comment the lines out? What will happen afterwards?
a) Does Samba correctly behave in case this SID is set? Will it allow
reading the ACL in all cases? (It looks as if Samba displays it
correctly, tested with setfacl on a small file)

b) Does Samba correctly interpret the rights if they are set?
"Authenticated Users" are simply defined as
/////////////// Quote from
http://technet2.microsoft.com/WindowsServer/en/library/86cf2457-4f17-43f8-a2ab-7f4e2e5659091033.mspx?mfr=true
///////////////
"Includes all users and computers whose identities have been
authenticated. Authenticated Users does not include Guest even if the
Guest account has a password."
///////////////
///////////////
So Samba should know what to do.

c) Does it make sense to file a bug in bugzilla?

Jens
Gerald (Jerry) Carter
2007-04-17 21:22:00 UTC
Post by Jens Nissen
SID S-1-5-11 ("Authenticated Users") is part of the NT Authority.
Why should this SID be "non-mappable"?
It's not mappable to a gid.
Post by Jens Nissen
Can I simply comment the lines out? What will
happen afterwards?
Nope. All SIDs have to be converted to a gid.


cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Jens Nissen
2007-04-18 21:27:16 UTC
Post by Gerald (Jerry) Carter
Post by Jens Nissen
SID S-1-5-11 ("Authenticated Users") is part of the NT Authority.
Why should this SID be "non-mappable"?
It's not mappable to a gid.
Post by Jens Nissen
Can I simply comment the lines out? What will
happen afterwards?
Nope. All SIDs have to be converted to a gid.
Thanks, Jerry.

But I have 4 comments (+1 extra):

1) wbinfo -Y S-1-5-11 -> 1018, which means, S-1-5-11 is mapped to GID
1018, contradicting that S-1-5-11 is not mapped.

2) If I set (with setfacl) proper rights to a folder for this group 1018
and I set "inherit permissions" for the whole share, Samba nicely copies
the corresponding rights into any subfolder I create with Samba and
Windows Explorer. So "Authenticated Users" becomes visible to Windows
Clients on a Samba share.

3) Group S-1-5-11 does not make sense to Samba, but Windows can use it.
Why is there a difference? Why can't Samba emulate Windows here?

4) Even if Samba can't make sense of S-1-5-11, others can.
Think of the following scenario:
Server A from domain A-Domain supplies Updates to Samba Server S (e.g.
by using xcopy).
Server B (which is a PDC in B-Domain) pulls this update from S (again by
using xcopy)
Clients X (from B-Domain) access the file on Server B.
If the chain A->S->B maintains the proper rights for S-1-5-11, then X
can access it, provided it can authenticate with B.

This last scenario is what our customers would like to do and what they
already do using a Windows Server in place S (which I would like to
replace with a wonderful Unix server)
Do you see any reasonable way to achieve this or something similar?

Kind regards,

Jens (/* very humble (I admit I do not see all the consequences using
S-1-5-11 has) */)

P.S: IMHO, deleting ACLs which Samba cannot map, probably is a bug.
Think of a file, which is shared between two different domains, e.g.,
two different Samba processes. If one process deletes EXISTING ACLs of
the other process simply because it cannot map them, this can be
extremely annoying.
(((((
Something like that:
Samba Process (configuration) A -> GIDs from 1000-1999
Samba Process (configuration) B -> GIDs from 2000-2999
File X has ACL user:1500:RW- (via Samba Process A)
Now a user of process (domain) B adds ACL user:2500:RWX to file X.
Does Samba Process B automatically delete user:1500:RW-, thus making the
file inaccessible from A???
IMO, it should not be allowed to do this!
BTW: The processes don't run concurrently at the same time, B is a kind
of fallback domain in case the domain server from A fails.
)))))

Thanks for your patience!!!!
Gerald (Jerry) Carter
2007-04-27 18:50:00 UTC
Post by Jens Nissen
1) wbinfo -Y S-1-5-11 -> 1018, which means, S-1-5-11 is mapped
to GID 1018, contradicting that S-1-5-11 is not mapped.
Yeah. Jeremy and I discussed this earlier this week. The
short version of the discussion is that the original ACL
code dropped BUILT and WellKnown groups from the ACL
even if they were mapped to a gid. This is fixed in 3.0.25rc3.
cheers, jerry
Jens Nissen
2007-04-30 21:09:48 UTC
Thanks Jeremy for the ACL-fix (svn-Revision 22481).
It points out the way to go, even though I think you had a bad day:
IMHO, there are two bugs:

(a) A minor bug in your util_sid.c - change.
The additional test

    if (sid_equal(sid, &global_sid_System))
        return True;

is superfluous, as the global_sid_System is part of NT-Authority which
is later on tested with

    if (sid_equal(&dom, &global_sid_NT_Authority))
        return True;

I recommend reverting util_sid.c to revision 22480.

(b) A severe bug in your change to posix_acls.c

You have moved the test for non-mappable SIDs from a point BEFORE
SMB_MALLOC_P to a point beyond the call "current_ace = SMB_MALLOC_P(---)".

Thus your fix leaks memory of size "canon_ace" each time a non-mappable
SID is called.

The correct code in create_canon_ace_lists should look like this:

    /*
     * Silently ignore map failures in non-mappable SIDs (NT
     * Authority, BUILTIN etc).
     */

    if (non_mappable_sid(&psa->trustee)) {
        DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
            sid_to_string(str, &psa->trustee) ));
        SAFE_FREE(current_ace);
        continue;
    }


I hope I didn't miss a point in my analysis.

Kind regards,

Jens Nissen
Post by Jeremy Allison
Post by Jens Nissen
I cannot set rights on an arbitrary file or folder for the Windows
predefined group "Authenticated Users" (which has SID S-1-5-11) via
SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
- I can set rights for any other domain group.
- I can read the ACL entry for "Authenticated Users" in the Windows 2000
File Attribute Dialog if I set it manually with setfacl before
- I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
existence of this predefined group.
What am I doing wrong? Is this supposed to work?
Is there a workaround or any other suitable mapping for this group?
In the "Unofficial Samba + ACL Howto", there is a reference (chapter
3.1.4) that this might not work, but that was back in 2003 and 4 years
have passed since then.
What fails ? Selecting the user in the GUI ? More info on
exactly what isn't working would be good.
Jeremy.
Jeremy Allison
2007-04-30 21:17:08 UTC
Post by Jens Nissen
Thanks Jeremy for the ACL-fix (svn-Revision 22481).
(a) A minor bug in your util_sid.c - change.
The additional test
    if (sid_equal(sid, &global_sid_System))
        return True;
is superfluous, as the global_sid_System is part of NT-Authority which
is later on tested with
    if (sid_equal(&dom, &global_sid_NT_Authority))
        return True;
I recommend reverting util_sid.c to revision 22480.
Ok, I'll check this out.
Post by Jens Nissen
(b) A severe bug in your change to posix_acls.c
You have moved the test for non-mappable SIDs from a point BEFORE
SMB_MALLOC_P to a point beyond the call "current_ace = SMB_MALLOC_P(---)".
Thus your fix leaks memory of size "canon_ace" each time a non-mappable
SID is called.
    /*
     * Silently ignore map failures in non-mappable SIDs (NT
     * Authority, BUILTIN etc).
     */
    if (non_mappable_sid(&psa->trustee)) {
        DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
            sid_to_string(str, &psa->trustee) ));
        SAFE_FREE(current_ace);
        continue;
    }
I hope I didn't miss a point in my analysis.
Nope - looks good. What you missed is that there
are other areas in this loop that return without
freeing current_ace, so your fix is good but not
quite general enough :-).

I'll add the extra SAFE_FREE's needed :-).

Thanks !

Jeremy.
Jeremy Allison
2007-04-30 21:19:55 UTC
Post by Jeremy Allison
Nope - looks good. What you missed is that there
are other areas in this loop that return without
freeing current_ace, so your fix is good but not
quite general enough :-).
I'll add the extra SAFE_FREE's needed :-).
I'm definitely having a bad day :-). There
are no extra SAFE_FREE's needed as we've
added current_ace to the linked list....

Doh ! :-).

Your fix is perfectly correct, thanks !

Jeremy.
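The two code points argued over above (the non-mappable SID test in Jens's 2007-04-17 post and the allocate-then-skip leak in his 2007-04-30 post, together with Jeremy's follow-up that entries already on the list need no extra free), modelled in one place as an added example. This is not Samba's code: split_sid, sid_is_non_mappable, idmap_lookup_gid, build_canon_ace_list, leaked_blocks_after and g_live_allocs are names assumed here. The S-1-5-11 to gid 1018 mapping is the wbinfo -Y result reported in the thread; the second idmap entry is hypothetical. The model strips the trailing RID and treats S-1-5 (NT Authority) and S-1-5-32 (BUILTIN) as the non-mappable domains the quoted comment names, so S-1-5-18 is covered without a separate test, and the ACE loop is run once with the SAFE_FREE of the fix and once without, so the leaked block count can be measured.

```c
/* Added example, not Samba's code: a model of the create_canon_ace_lists loop
 * discussed in this thread. split_sid, sid_is_non_mappable, idmap_lookup_gid,
 * build_canon_ace_list and g_live_allocs are names assumed here. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Split textual "S-1-5-11" into domain "S-1-5" and RID 11; false if malformed. */
static bool split_sid(const char *sid, char *dom, size_t cap, unsigned long *rid)
{
    const char *dash = strrchr(sid, '-');
    size_t len = dash ? (size_t)(dash - sid) : 0;
    if (strncmp(sid, "S-1-", 4) != 0 || len < 5 || len >= cap || !isdigit((unsigned char)dash[1]))
        return false;
    memcpy(dom, sid, len); dom[len] = '\0';
    *rid = strtoul(dash + 1, NULL, 10);
    return true;
}

/* Non-mappable here: the domain part is NT Authority (S-1-5) or BUILTIN
 * (S-1-5-32), the cases the quoted comment names. S-1-5-18 (System) already
 * falls under S-1-5, so it needs no separate test (Jens's point (a)). */
static bool sid_is_non_mappable(const char *sid)
{
    char dom[64]; unsigned long rid;
    return split_sid(sid, dom, sizeof dom, &rid) &&
           (strcmp(dom, "S-1-5") == 0 || strcmp(dom, "S-1-5-32") == 0);
}

/* Constructed stand-in for the winbind idmap: S-1-5-11 -> 1018 is the wbinfo -Y
 * result the thread reports, the second entry is hypothetical; -1 = no gid. */
static int idmap_lookup_gid(const char *sid)
{
    static const struct { const char *sid; int gid; } table[] =
        { { "S-1-5-11", 1018 }, { "S-1-5-21-1000-2000-3000-513", 1001 } };
    for (size_t i = 0; i < 2; i++)
        if (strcmp(table[i].sid, sid) == 0) return table[i].gid;
    return -1;
}

struct canon_ace { char trustee[64]; int gid; struct canon_ace *next; };
static int g_live_allocs;                              /* canon_ace blocks not yet freed */

static void free_canon_ace_list(struct canon_ace *l)
{
    while (l) { struct canon_ace *n = l->next; free(l); g_live_allocs--; l = n; }
}

/* Returns the number of ACEs kept, or -1 when a SID that ought to map has no
 * gid. leaky=true reproduces the bug Jens describes: "continue" after the
 * allocation without freeing current_ace. */
static int build_canon_ace_list(const char *const *sids, size_t n, bool leaky,
                                struct canon_ace **out)
{
    struct canon_ace *head = NULL, *tail = NULL;
    int kept = 0;
    *out = NULL;
    for (size_t i = 0; i < n; i++) {
        struct canon_ace *cur = calloc(1, sizeof *cur);
        if (!cur) { free_canon_ace_list(head); return -1; }
        g_live_allocs++;
        snprintf(cur->trustee, sizeof cur->trustee, "%s", sids[i]);
        cur->gid = idmap_lookup_gid(sids[i]);
        if (cur->gid < 0 && sid_is_non_mappable(sids[i])) {   /* silently ignore it */
            if (!leaky) { free(cur); g_live_allocs--; }      /* the SAFE_FREE of the fix */
            continue;
        }
        if (cur->gid < 0) { free(cur); g_live_allocs--; free_canon_ace_list(head); return -1; }
        if (tail) tail->next = cur; else head = cur;         /* owned by the list from here on */
        tail = cur; kept++;
    }
    *out = head;
    return kept;
}

/* One build/free cycle over a constructed four-entry ACL; returns blocks leaked. */
static int leaked_blocks_after(bool leaky)
{
    const char *const acl[] = { "S-1-5-11", "S-1-5-18", "S-1-5-32-544",
                                "S-1-5-21-1000-2000-3000-513" };
    struct canon_ace *l;
    int before = g_live_allocs;
    if (build_canon_ace_list(acl, 4, leaky, &l) != 2) return -1;   /* two ACEs survive */
    free_canon_ace_list(l);
    return g_live_allocs - before;
}

int main(void)
{
    printf("fixed loop leaks %d block(s), buggy loop leaks %d\n",
           leaked_blocks_after(false), leaked_blocks_after(true));
    return 0;
}
```

S-1-5-11 is well-known by shape but has a gid in the idmap, so it stays on the list, which is the 3.0.25 behaviour Jerry describes; S-1-5-18 and S-1-5-32-544 have no gid and are dropped silently, and only the leaky variant leaves their two blocks unfreed. Once an entry is appended it belongs to the list and is released by free_canon_ace_list, so the later return paths need no per-entry free, matching Jeremy's correction.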
Jens Nissen
2007-05-04 04:39:05 UTC
Post by Jeremy Allison
Post by Jens Nissen
I cannot set rights on an arbitrary file or folder for the Windows
predefined group "Authenticated Users" (which has SID S-1-5-11) via
SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
- I can set rights for any other domain group.
- I can read the ACL entry for "Authenticated Users" in the Windows 2000
File Attribute Dialog if I set it manually with setfacl before
- I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
existence of this predefined group.
What am I doing wrong? Is this supposed to work?
Is there a workaround or any other suitable mapping for this group?
In the "Unofficial Samba + ACL Howto", there is a reference (chapter
3.1.4) that this might not work, but that was back in 2003 and 4 years
have passed since then.
What fails ? Selecting the user in the GUI ? More info on
exactly what isn't working would be good.
Jeremy.
I would like to add an ethereal capture of what I think is a bug in
Samba 3.0.23d:

In packet 20, the group with SID S-1-5-11 is sent (along with other
SIDs) to the Samba Server.
In packet 21, the Samba Server acknowledges the packet positively.
In packet 28, Windows 2000 asks for the NT-ACLs again.
In packet 29, it becomes obvious that Samba forgot to set the ACL for
SID S-1-5-11.

I think this is a bug - or am I missing something essential?
The same operation works with a Windows 2000 Server, so Samba is
definitely different here from the Windows Server it tries to replace.

--------------------------------------
Capture Overview:
--------------------------------------

No. Time Source Destination Protocol
Info
16 2.901596 192.168.1.4 192.168.1.3 SMB
NT Create AndX Request, Path: \Nasdrive5\shared\test\KleineGruppeDatei
17 2.905511 192.168.1.3 192.168.1.4 SMB
NT Create AndX Response, FID: 0x1e1f
18 2.905927 192.168.1.4 192.168.1.3 SMB
Trans2 Request, QUERY_FILE_INFO, FID: 0x1e1f, Query File Basic Info
19 2.908848 192.168.1.3 192.168.1.4 SMB
Trans2 Response, QUERY_FILE_INFO
20 2.909376 192.168.1.4 192.168.1.3 SMB
NT Trans Request, NT SET SECURITY DESC, FID: 0x1e1f
21 2.914634 192.168.1.3 192.168.1.4 SMB
NT Trans Response, NT SET SECURITY DESC
22 2.915064 192.168.1.4 192.168.1.3 SMB
Close Request, FID: 0x1e1f
23 2.918907 192.168.1.3 192.168.1.4 SMB
Close Response
24 2.919679 192.168.1.4 192.168.1.3 SMB
NT Create AndX Request, Path: \Nasdrive5\shared\test\KleineGruppeDatei
25 2.923559 192.168.1.3 192.168.1.4 SMB
NT Create AndX Response, FID: 0x1e20
26 2.923941 192.168.1.4 192.168.1.3 SMB
NT Trans Request, NT QUERY SECURITY DESC, FID: 0x1e20
27 2.927879 192.168.1.3 192.168.1.4 SMB
NT Trans Response, NT QUERY SECURITY DESC, Error: STATUS_BUFFER_TOO_SMALL
28 2.928246 192.168.1.4 192.168.1.3 SMB
NT Trans Request, NT QUERY SECURITY DESC, FID: 0x1e20
29 2.932058 192.168.1.3 192.168.1.4 SMB
NT Trans Response, NT QUERY SECURITY DESC
30 2.932521 192.168.1.4 192.168.1.3 SMB
Close Request, FID: 0x1e20
31 2.936432 192.168.1.3 192.168.1.4 SMB
Close Response

--------------------------------------
Capture Details:
--------------------------------------

No. Time Source Destination Protocol
Info
16 2.901596 192.168.1.4 192.168.1.3 SMB
NT Create AndX Request, Path: \Nasdrive5\shared\test\KleineGruppeDatei

Frame 16 (224 bytes on wire, 224 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.889239000
[Time delta from previous packet: 0.000409000 seconds]
[Time since reference or first frame: 2.901596000 seconds]
Frame Number: 16
Packet Length: 224 bytes
Capture Length: 224 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst:
Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3
(192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 210
Identification: 0x92c3 (37571)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe40a [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port:
microsoft-ds (445), Seq: 843, Ack: 600, Len: 170
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 843 (relative sequence number)
[Next sequence number: 1013 (relative sequence number)]
Acknowledgement number: 600 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16393
Checksum: 0x34d5 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 15]
[The RTT to ACK the segment was: 0.000409000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 166
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 17]
SMB Command: NT Create AndX (0xa2)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .1.. = Security Signatures: Security
signatures are supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56129
NT Create AndX Request (0xa2)
Word Count (WCT): 24
AndXCommand: No further commands (0xff)
Reserved: 00
AndXOffset: 57054
Reserved: 00
File Name Len: 80
Create Flags: 0x00000010
.... .... .... .... .... .... ...1 .... = Extended Response:
Extended responses required
.... .... .... .... .... .... .... 0... = Create Directory:
Target of open can be a file
.... .... .... .... .... .... .... .0.. = Batch Oplock: Does
NOT request batch oplock
.... .... .... .... .... .... .... ..0. = Exclusive Oplock:
Does NOT request oplock
Root FID: 0x00000000
Access Mask: 0x00060080
0... .... .... .... .... .... .... .... = Generic Read:
Generic read is NOT set
.0.. .... .... .... .... .... .... .... = Generic Write:
Generic write is NOT set
..0. .... .... .... .... .... .... .... = Generic Execute:
Generic execute is NOT set
...0 .... .... .... .... .... .... .... = Generic All:
Generic all is NOT set
.... ..0. .... .... .... .... .... .... = Maximum Allowed:
Maximum allowed is NOT set
.... ...0 .... .... .... .... .... .... = System Security:
System security is NOT set
.... .... ...0 .... .... .... .... .... = Synchronize: Can
NOT wait on handle to synchronize on completion of I/O
.... .... .... 0... .... .... .... .... = Write Owner: Can
NOT write owner (take ownership)
.... .... .... .1.. .... .... .... .... = Write DAC: OWNER
may WRITE the DAC
.... .... .... ..1. .... .... .... .... = Read Control: READ
ACCESS to owner, group and ACL of the SID
.... .... .... ...0 .... .... .... .... = Delete: NO delete
access
.... .... .... .... .... ...0 .... .... = Write Attributes:
NO write attributes access
.... .... .... .... .... .... 1... .... = Read Attributes:
READ ATTRIBUTES access
.... .... .... .... .... .... .0.. .... = Delete Child: NO
delete child access
.... .... .... .... .... .... ..0. .... = Execute: NO
execute access
.... .... .... .... .... .... ...0 .... = Write EA: NO write
extended attributes access
.... .... .... .... .... .... .... 0... = Read EA: NO read
extended attributes access
.... .... .... .... .... .... .... .0.. = Append: NO append
access
.... .... .... .... .... .... .... ..0. = Write: NO write access
.... .... .... .... .... .... .... ...0 = Read: NO read access
Allocation Size: 0
File Attributes: 0x00000000
.... .... .... .... .0.. .... .... .... = Encrypted: This is
NOT an encrypted file
.... .... .... .... ..0. .... .... .... = Content Indexed:
This file MAY be indexed by the content indexing service
.... .... .... .... ...0 .... .... .... = Offline: This file
is NOT offline
.... .... .... .... .... 0... .... .... = Compressed: This
is NOT a compressed file
.... .... .... .... .... .0.. .... .... = Reparse Point:
This file does NOT have an associated reparse point
.... .... .... .... .... ..0. .... .... = Sparse: This is
NOT a sparse file
.... .... .... .... .... ...0 .... .... = Temporary: This is
NOT a temporary file
.... .... .... .... .... .... 0... .... = Normal: This file
has some attribute set
.... .... .... .... .... .... .0.. .... = Device: This is
NOT a device
.... .... .... .... .... .... ..0. .... = Archive: This file
has NOT been modified since last archive
.... .... .... .... .... .... ...0 .... = Directory: This is
NOT a directory
.... .... .... .... .... .... .... 0... = Volume ID: This is
NOT a volume ID
.... .... .... .... .... .... .... .0.. = System: This is
NOT a system file
.... .... .... .... .... .... .... ..0. = Hidden: This is
NOT a hidden file
.... .... .... .... .... .... .... ...0 = Read Only: This
file is NOT read only
Share Access: 0x00000007
.... .... .... .... .... .... .... .1.. = Delete: Object can
be shared for DELETE
.... .... .... .... .... .... .... ..1. = Write: Object can
be shared for WRITE
.... .... .... .... .... .... .... ...1 = Read: Object can
be shared for READ
Disposition: Open (if file exists open it, else fail) (1)
Create Options: 0x00200000
.... .... .... .... .... .... .... ...0 = Directory: File
being created/opened must not be a directory
.... .... .... .... .... .... .... ..0. = Write Through:
Writes need not flush buffered data before completing
.... .... .... .... .... .... .... .0.. = Sequential Only:
The file might not only be accessed sequentially
.... .... .... .... .... .... .... 0... = Intermediate
Buffering: Intermediate buffering is allowed
.... .... .... .... .... .... ...0 .... = Sync I/O Alert:
Operations NOT necessarily synchronous
.... .... .... .... .... .... ..0. .... = Sync I/O Nonalert:
Operations NOT necessarily synchronous
.... .... .... .... .... .... .0.. .... = Non-Directory:
File being created/opened must be a directory
.... .... .... .... .... .... 0... .... = Create Tree
Connection: Create Tree Connections is NOT set
.... .... .... .... .... ...0 .... .... = Complete If
Oplocked: Complete if oplocked is NOT set
.... .... .... .... .... ..0. .... .... = No EA Knowledge:
The client understands extended attributes
.... .... .... .... .... .0.. .... .... = 8.3 Only: The
client understands long file names
.... .... .... .... .... 0... .... .... = Random Access: The
file will not be accessed randomly
.... .... .... .... ...0 .... .... .... = Delete On Close:
The file should not be deleted when it is closed
.... .... .... .... ..0. .... .... .... = Open By FileID:
OpenByFileID is NOT set
.... .... .... .... .0.. .... .... .... = Backup Intent:
This is a normal create
.... .... .... .... 0... .... .... .... = No Compression:
Compression is allowed for Open/Create
.... .... ...0 .... .... .... .... .... = Reserve Opfilter:
Reserve Opfilter is NOT set
.... .... ..1. .... .... .... .... .... = Open Reparse
Point: Open a Reparse Point
.... .... .0.. .... .... .... .... .... = Open No Recall:
Open no recall is NOT set
.... .... 0... .... .... .... .... .... = Open For Free
Space query: This is NOT an open for free space query
Impersonation: Impersonation (2)
Security Flags: 0x00
.... ...0 = Context Tracking: Security tracking mode is STATIC
.... ..0. = Effective Only: ALL aspects of the client's
security context are available
Byte Count (BCC): 83
File Name: \Nasdrive5\shared\test\KleineGruppeDatei

No. Time Source Destination Protocol
Info
17 2.905511 192.168.1.3 192.168.1.4 SMB
NT Create AndX Response, FID: 0x1e1f

Frame 17 (161 bytes on wire, 161 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.893154000
[Time delta from previous packet: 0.003915000 seconds]
[Time since reference or first frame: 2.905511000 seconds]
Frame Number: 17
Packet Length: 161 bytes
Capture Length: 161 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst:
Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4
(192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 147
Identification: 0x3963 (14691)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7d9a [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port:
3257 (3257), Seq: 600, Ack: 1013, Len: 107
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 600 (relative sequence number)
[Next sequence number: 707 (relative sequence number)]
Acknowledgement number: 1013 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0x61c9 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 16]
[The RTT to ACK the segment was: 0.003915000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 103
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 16]
[Time from request: 0.003915000 seconds]
SMB Command: NT Create AndX (0xa2)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc801
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56129
NT Create AndX Response (0xa2)
Word Count (WCT): 34
AndXCommand: No further commands (0xff)
Reserved: 00
AndXOffset: 0
Oplock level: No oplock granted (0)
FID: 0x1e1f
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 17]
[Closed in: 22]
Create action: The file existed and was opened (1)
Created: Apr 12, 2007 16:25:34.000000000
Last Access: Apr 12, 2007 16:25:34.000000000
Last Write: Apr 12, 2007 16:25:34.000000000
Change: Apr 12, 2007 16:25:34.000000000
File Attributes: 0x00000020
.... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file
.... .... .... .... ..0. .... .... .... = Content Indexed: This file MAY be indexed by the content indexing service
.... .... .... .... ...0 .... .... .... = Offline: This file is NOT offline
.... .... .... .... .... 0... .... .... = Compressed: This is NOT a compressed file
.... .... .... .... .... .0.. .... .... = Reparse Point: This file does NOT have an associated reparse point
.... .... .... .... .... ..0. .... .... = Sparse: This is NOT a sparse file
.... .... .... .... .... ...0 .... .... = Temporary: This is NOT a temporary file
.... .... .... .... .... .... 0... .... = Normal: This file has some attribute set
.... .... .... .... .... .... .0.. .... = Device: This is NOT a device
.... .... .... .... .... .... ..1. .... = Archive: This file has been modified since last ARCHIVE
.... .... .... .... .... .... ...0 .... = Directory: This is NOT a directory
.... .... .... .... .... .... .... 0... = Volume ID: This is NOT a volume ID
.... .... .... .... .... .... .... .0.. = System: This is NOT a system file
.... .... .... .... .... .... .... ..0. = Hidden: This is NOT a hidden file
.... .... .... .... .... .... .... ...0 = Read Only: This file is NOT read only
Allocation Size: 1048576
End Of File: 0
File Type: Disk file or directory (0)
IPC State: 0x0007
0... .... .... .... = Nonblocking: Reads/writes block if no data available
.0.. .... .... .... = Endpoint: Consumer end of pipe (0)
.... 00.. .... .... = Pipe Type: Byte stream pipe (0)
.... ..00 .... .... = Read Mode: Read pipe as a byte stream (0)
.... .... 0000 0111 = Icount: 7
Is Directory: This is NOT a directory (0)
Byte Count (BCC): 0
No.  Time      Source       Destination  Protocol  Info
18   2.905927  192.168.1.4  192.168.1.3  SMB       Trans2 Request, QUERY_FILE_INFO, FID: 0x1e1f, Query File Basic Info
Frame 18 (130 bytes on wire, 130 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.893570000
[Time delta from previous packet: 0.000416000 seconds]
[Time since reference or first frame: 2.905927000 seconds]
Frame Number: 18
Packet Length: 130 bytes
Capture Length: 130 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst: Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3 (192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 116
Identification: 0x92c4 (37572)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe467 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port: microsoft-ds (445), Seq: 1013, Ack: 707, Len: 76
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 1013 (relative sequence number)
[Next sequence number: 1089 (relative sequence number)]
Acknowledgement number: 707 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16286
Checksum: 0x1239 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 17]
[The RTT to ACK the segment was: 0.000416000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 72
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 19]
SMB Command: Trans2 (0x32)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .1.. = Security Signatures: Security signatures are supported
.... .... .... ..1. = Extended Attributes: Extended attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56193
Trans2 Request (0x32)
Word Count (WCT): 15
Total Parameter Count: 4
Total Data Count: 0
Max Parameter Count: 2
Max Data Count: 40
Max Setup Count: 0
Reserved: 00
Flags: 0x0000
.... .... .... ..0. = One Way Transaction: Two way transaction
.... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
Timeout: Return immediately (0)
Reserved: 0000
Parameter Count: 4
Parameter Offset: 68
Data Count: 0
Data Offset: 0
Setup Count: 1
Reserved: 00
Subcommand: QUERY_FILE_INFO (0x0007)
Byte Count (BCC): 7
Padding: 170A32
QUERY_FILE_INFO Parameters
FID: 0x1e1f
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 17]
[Closed in: 22]
Level of Interest: Query File Basic Info (1004)
No.  Time      Source       Destination  Protocol  Info
19   2.908848  192.168.1.3  192.168.1.4  SMB       Trans2 Response, QUERY_FILE_INFO
Frame 19 (158 bytes on wire, 158 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.896491000
[Time delta from previous packet: 0.002921000 seconds]
[Time since reference or first frame: 2.908848000 seconds]
Frame Number: 19
Packet Length: 158 bytes
Capture Length: 158 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4 (192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 144
Identification: 0x3964 (14692)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7d9c [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 3257 (3257), Seq: 707, Ack: 1089, Len: 104
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 707 (relative sequence number)
[Next sequence number: 811 (relative sequence number)]
Acknowledgement number: 1089 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0xa040 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 18]
[The RTT to ACK the segment was: 0.002921000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 100
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 18]
[Time from request: 0.002921000 seconds]
SMB Command: Trans2 (0x32)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xc841
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .... .1.. .... = Long Names Used: Path names in request are long file names
.... .... .... .0.. = Security Signatures: Security signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56193
Trans2 Response (0x32)
Subcommand: QUERY_FILE_INFO (0x0007)
Word Count (WCT): 10
Total Parameter Count: 2
Total Data Count: 40
Reserved: 0000
Parameter Count: 2
Parameter Offset: 56
Parameter Displacement: 0
Data Count: 40
Data Offset: 60
Data Displacement: 0
Setup Count: 0
Reserved: 00
Byte Count (BCC): 45
Padding: 00
QUERY_FILE_INFO Parameters
EA Error offset: 0
Padding: 0000
QUERY_FILE_INFO Data
Created: Apr 12, 2007 16:25:34.000000000
Last Access: Apr 12, 2007 16:25:34.000000000
Last Write: Apr 12, 2007 16:25:34.000000000
Change: Apr 12, 2007 16:25:34.000000000
File Attributes: 0x00000020
.0.. .... .... .... = Encrypted: This is NOT an encrypted file
..0. .... .... .... = Content Indexed: This file MAY be indexed by the content indexing service
...0 .... .... .... = Offline: This file is NOT offline
.... 0... .... .... = Compressed: This is NOT a compressed file
.... .0.. .... .... = Reparse Point: This file does NOT have an associated reparse point
.... ..0. .... .... = Sparse: This is NOT a sparse file
.... ...0 .... .... = Temporary: This is NOT a temporary file
.... .... 0... .... = Normal: This file has some attribute set
.... .... .0.. .... = Device: This is NOT a device
.... .... ..1. .... = Archive: This file has been modified since last ARCHIVE
.... .... ...0 .... = Directory: This is NOT a directory
.... .... .... 0... = Volume ID: This is NOT a volume ID
.... .... .... .0.. = System: This is NOT a system file
.... .... .... ..0. = Hidden: This is NOT a hidden file
.... .... .... ...0 = Read Only: This file is NOT read only
Unknown Data: 00000000
No.  Time      Source       Destination  Protocol  Info
20   2.909376  192.168.1.4  192.168.1.3  SMB       NT Trans Request, NT SET SECURITY DESC, FID: 0x1e1f
Frame 20 (362 bytes on wire, 362 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.897019000
[Time delta from previous packet: 0.000528000 seconds]
[Time since reference or first frame: 2.909376000 seconds]
Frame Number: 20
Packet Length: 362 bytes
Capture Length: 362 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst: Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3 (192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 348
Identification: 0x92c5 (37573)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe37e [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port: microsoft-ds (445), Seq: 1089, Ack: 811, Len: 308
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 1089 (relative sequence number)
[Next sequence number: 1397 (relative sequence number)]
Acknowledgement number: 811 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16182
Checksum: 0x82d7 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 19]
[The RTT to ACK the segment was: 0.000528000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 304
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 21]
SMB Command: NT Trans (0xa0)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... .... .1.. = Security Signatures: Security signatures are supported
.... .... .... ..1. = Extended Attributes: Extended attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56257
NT Trans Request (0xa0)
Word Count (WCT): 19
Max Setup Count: 0
Reserved: 0000
Total Parameter Count: 8
Total Data Count: 220
Max Parameter Count: 0
Max Data Count: 0
Parameter Count: 8
Parameter Offset: 76
Data Count: 220
Data Offset: 84
Setup Count: 0
Function: NT SET SECURITY DESC (3)
Byte Count (BCC): 231
Padding: 000000
NT SET SECURITY DESC Parameters
FID: 0x1e1f
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 17]
[Closed in: 22]
Reserved: 0000
Security Information: 0x80000004
.... .... .... .... .... .... .... ...0 = Owner: NOT requesting owner security information
.... .... .... .... .... .... .... ..0. = Group: NOT requesting group security information
.... .... .... .... .... .... .... .1.. = DACL: Requesting DACL security information
.... .... .... .... .... .... .... 0... = SACL: NOT requesting SACL security information
NT SET SECURITY DESC Data
NT Security Descriptor
Revision: 1
Type: 0x9d04
1... .... .... .... = Self Relative: This SecDesc is SELF RELATIVE
.0.. .... .... .... = RM Control Valid: Rm control valid is FALSE
..0. .... .... .... = SACL Protected: The SACL is NOT protected
...1 .... .... .... = DACL Protected: The DACL is PROTECTED
.... 1... .... .... = SACL Auto Inherited: SACL is AUTO INHERITED
.... .1.. .... .... = DACL Auto Inherited: DACL is AUTO INHERITED
.... ..0. .... .... = SACL Auto Inherit Required: SACL does NOT require auto inherit
.... ...1 .... .... = DACL Auto Inherit Required: DACL has AUTO INHERIT REQUIRED
.... .... 0... .... = Server Security: Server security is FALSE
.... .... .0.. .... = DACL Trusted: Dacl trusted is FALSE
.... .... ..0. .... = SACL Defaulted: SACL is NOT defaulted
.... .... ...0 .... = SACL Present: SACL is NOT present
.... .... .... 0... = DACL Defaulted: DACL is NOT defaulted
.... .... .... .1.. = DACL Present: DACL is PRESENT
.... .... .... ..0. = Group Defaulted: Group is NOT defaulted
.... .... .... ...0 = Owner Defaulted: Owner is NOT defaulted
Offset to owner SID: 176
Offset to group SID: 192
Offset to SACL: 0
Offset to DACL: 20
Owner: S-1-5-32-544
Revision: 1
Num Auth: 2
Authority: 5
Sub-authorities: 32-544
Group: S-1-5-21-1214440339-113007714-839522115-513
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities: 21-1214440339-113007714-839522115
RID: 513 (Domain Users)
NT User (DACL) ACL
Revision: NT4 (2)
Size: 156
Num ACEs: 5
NT ACE: S-1-5-21-1214440339-113007714-839522115-500, flags 0x00, Access Allowed, mask 0x001f01ff
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed accesses will not be audited
.0.. .... = Audit Successful Accesses: Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not inherited from its parent object
.... 0... = Inherit Only: This ACE applies to the current object
.... .0.. = Non-Propagate Inherit: Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate files will not inherit this ACE
Size: 36
Access required: 0x001f01ff
Generic rights: 0x00000000
0... .... .... .... .... .... .... .... = Generic read: Not set
.0.. .... .... .... .... .... .... .... = Generic write: Not set
..0. .... .... .... .... .... .... .... = Generic execute: Not set
...0 .... .... .... .... .... .... .... = Generic all: Not set
.... ..0. .... .... .... .... .... .... = Maximum allowed: Not set
.... .... 0... .... .... .... .... .... = Access SACL: Not set
Standard rights: 0x001f0000
.... .... ...1 .... .... .... .... .... = Synchronise: Set
.... .... .... 1... .... .... .... .... = Write owner: Set
.... .... .... .1.. .... .... .... .... = Write DAC: Set
.... .... .... ..1. .... .... .... .... = Read control: Set
.... .... .... ...1 .... .... .... .... = Delete: Set
FILE specific rights: 0x000001ff
[FULL CONTROL]
.... .... .... .... .... ...1 .... .... = Write Attribute: Set
.... .... .... .... .... .... 1... .... = Read Attribute: Set
.... .... .... .... .... .... ..1. .... = Execute: Set
.... .... .... .... .... .... ...1 .... = Write EA: Set
.... .... .... .... .... .... .... 1... = Read EA: Set
.... .... .... .... .... .... .... .1.. = Append Data: Set
.... .... .... .... .... .... .... ..1. = Write Data: Set
.... .... .... .... .... .... .... ...1 = Read Data: Set
ACE: S-1-5-21-1214440339-113007714-839522115-500
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities: 21-1214440339-113007714-839522115
RID: 500 (Administrator)
NT ACE: S-1-5-11, flags 0x00, Access Allowed, mask 0x001200a9
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed accesses will not be audited
.0.. .... = Audit Successful Accesses: Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not inherited from its parent object
.... 0... = Inherit Only: This ACE applies to the current object
.... .0.. = Non-Propagate Inherit: Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate files will not inherit this ACE
Size: 20
Access required: 0x001200a9
Generic rights: 0x00000000
0... .... .... .... .... .... .... .... = Generic read: Not set
.0.. .... .... .... .... .... .... .... = Generic write: Not set
..0. .... .... .... .... .... .... .... = Generic execute: Not set
...0 .... .... .... .... .... .... .... = Generic all: Not set
.... ..0. .... .... .... .... .... .... = Maximum allowed: Not set
.... .... 0... .... .... .... .... .... = Access SACL: Not set
Standard rights: 0x00120000
.... .... ...1 .... .... .... .... .... = Synchronise: Set
.... .... .... 0... .... .... .... .... = Write owner: Not set
.... .... .... .0.. .... .... .... .... = Write DAC: Not set
.... .... .... ..1. .... .... .... .... = Read control: Set
.... .... .... ...0 .... .... .... .... = Delete: Not set
FILE specific rights: 0x000000a9
.... .... .... .... .... ...0 .... .... = Write Attribute: Not set
.... .... .... .... .... .... 1... .... = Read Attribute: Set
.... .... .... .... .... .... ..1. .... = Execute: Set
.... .... .... .... .... .... ...0 .... = Write EA: Not set
.... .... .... .... .... .... .... 1... = Read EA: Set
.... .... .... .... .... .... .... .0.. = Append Data: Not set
.... .... .... .... .... .... .... ..0. = Write Data: Not set
.... .... .... .... .... .... .... ...1 = Read Data: Set
ACE: S-1-5-11
Revision: 1
Num Auth: 1
Authority: 5
Sub-authorities: 11
NT ACE: S-1-5-21-1214440339-113007714-839522115-513, flags 0x00, Access Allowed, mask 0x0012019f
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed accesses will not be audited
.0.. .... = Audit Successful Accesses: Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not inherited from its parent object
.... 0... = Inherit Only: This ACE applies to the current object
.... .0.. = Non-Propagate Inherit: Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate files will not inherit this ACE
Size: 36
Access required: 0x0012019f
Generic rights: 0x00000000
0... .... .... .... .... .... .... .... = Generic read: Not set
.0.. .... .... .... .... .... .... .... = Generic write: Not set
..0. .... .... .... .... .... .... .... = Generic execute: Not set
...0 .... .... .... .... .... .... .... = Generic all: Not set
.... ..0. .... .... .... .... .... .... = Maximum allowed: Not set
.... .... 0... .... .... .... .... .... = Access SACL: Not set
Standard rights: 0x00120000
.... .... ...1 .... .... .... .... .... = Synchronise: Set
.... .... .... 0... .... .... .... .... = Write owner: Not set
.... .... .... .0.. .... .... .... .... = Write DAC: Not set
.... .... .... ..1. .... .... .... .... = Read control: Set
.... .... .... ...0 .... .... .... .... = Delete: Not set
FILE specific rights: 0x0000019f
.... .... .... .... .... ...1 .... .... = Write Attribute: Set
.... .... .... .... .... .... 1... .... = Read Attribute: Set
.... .... .... .... .... .... ..0. .... = Execute: Not set
.... .... .... .... .... .... ...1 .... = Write EA: Set
.... .... .... .... .... .... .... 1... = Read EA: Set
.... .... .... .... .... .... .... .1.. = Append Data: Set
.... .... .... .... .... .... .... ..1. = Write Data: Set
.... .... .... .... .... .... .... ...1 = Read Data: Set
ACE: S-1-5-21-1214440339-113007714-839522115-513
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities: 21-1214440339-113007714-839522115
RID: 513 (Domain Users)
NT ACE: S-1-1-0, flags 0x00, Access Allowed, mask 0x0012019f
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed accesses will not be audited
.0.. .... = Audit Successful Accesses: Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not inherited from its parent object
.... 0... = Inherit Only: This ACE applies to the current object
.... .0.. = Non-Propagate Inherit: Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate files will not inherit this ACE
Size: 20
Access required: 0x0012019f
Generic rights: 0x00000000
0... .... .... .... .... .... .... .... = Generic read: Not set
.0.. .... .... .... .... .... .... .... = Generic write: Not set
..0. .... .... .... .... .... .... .... = Generic execute: Not set
...0 .... .... .... .... .... .... .... = Generic all: Not set
.... ..0. .... .... .... .... .... .... = Maximum allowed: Not set
.... .... 0... .... .... .... .... .... = Access SACL: Not set
Standard rights: 0x00120000
.... .... ...1 .... .... .... .... .... = Synchronise: Set
.... .... .... 0... .... .... .... .... = Write owner: Not set
.... .... .... .0.. .... .... .... .... = Write DAC: Not set
.... .... .... ..1. .... .... .... .... = Read control: Set
.... .... .... ...0 .... .... .... .... = Delete: Not set
FILE specific rights: 0x0000019f
.... .... .... .... .... ...1 .... .... = Write Attribute: Set
.... .... .... .... .... .... 1... .... = Read Attribute: Set
.... .... .... .... .... .... ..0. .... = Execute: Not set
.... .... .... .... .... .... ...1 .... = Write EA: Set
.... .... .... .... .... .... .... 1... = Read EA: Set
.... .... .... .... .... .... .... .1.. = Append Data: Set
.... .... .... .... .... .... .... ..1. = Write Data: Set
.... .... .... .... .... .... .... ...1 = Read Data: Set
ACE: S-1-1-0
Revision: 1
Num Auth: 1
Authority: 1
Sub-authorities: 0
NT ACE: S-1-5-21-1214440339-113007714-839522115-25226, flags 0x00, Access Allowed, mask 0x001200a9
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed accesses will not be audited
.0.. .... = Audit Successful Accesses: Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not inherited from its parent object
.... 0... = Inherit Only: This ACE applies to the current object
.... .0.. = Non-Propagate Inherit: Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate files will not inherit this ACE
Size: 36
Access required: 0x001200a9
Generic rights: 0x00000000
0... .... .... .... .... .... .... .... = Generic read: Not set
.0.. .... .... .... .... .... .... .... = Generic write: Not set
..0. .... .... .... .... .... .... .... = Generic execute: Not set
...0 .... .... .... .... .... .... .... = Generic all: Not set
.... ..0. .... .... .... .... .... .... = Maximum allowed: Not set
.... .... 0... .... .... .... .... .... = Access SACL: Not set
Standard rights: 0x00120000
.... .... ...1 .... .... .... .... .... = Synchronise: Set
.... .... .... 0... .... .... .... .... = Write owner: Not set
.... .... .... .0.. .... .... .... .... = Write DAC: Not set
.... .... .... ..1. .... .... .... .... = Read control: Set
.... .... .... ...0 .... .... .... .... = Delete: Not set
FILE specific rights: 0x000000a9
.... .... .... .... .... ...0 .... .... = Write Attribute: Not set
.... .... .... .... .... .... 1... .... = Read Attribute: Set
.... .... .... .... .... .... ..1. .... = Execute: Set
.... .... .... .... .... .... ...0 .... = Write EA: Not set
.... .... .... .... .... .... .... 1... = Read EA: Set
.... .... .... .... .... .... .... .0.. = Append Data: Not set
.... .... .... .... .... .... .... ..0. = Write Data: Not set
.... .... .... .... .... .... .... ...1 = Read Data: Set
ACE: S-1-5-21-1214440339-113007714-839522115-25226
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities: 21-1214440339-113007714-839522115
RID: 25226
No.  Time      Source       Destination  Protocol  Info
21   2.914634  192.168.1.3  192.168.1.4  SMB       NT Trans Response, NT SET SECURITY DESC
Frame 21 (129 bytes on wire, 129 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.902277000
[Time delta from previous packet: 0.005258000 seconds]
[Time since reference or first frame: 2.914634000 seconds]
Frame Number: 21
Packet Length: 129 bytes
Capture Length: 129 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4 (192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 115
Identification: 0x3965 (14693)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7db8 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 3257 (3257), Seq: 811, Ack: 1397, Len: 75
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 811 (relative sequence number)
[Next sequence number: 886 (relative sequence number)]
Acknowledgement number: 1397 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0x5294 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 20]
[The RTT to ACK the segment was: 0.005258000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 71
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 20]
[Time from request: 0.005258000 seconds]
SMB Command: NT Trans (0xa0)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc841
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .1.. .... = Long Names Used: Path names in request
are long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56257
NT Trans Response (0xa0)
Function: NT SET SECURITY DESC (3)
Word Count (WCT): 18
Reserved: 000000
Total Parameter Count: 0
Total Data Count: 0
Parameter Count: 0
Parameter Offset: 0
Parameter Displacement: 0
Data Count: 0
Data Offset: 0
Data Displacement: 0
Setup Count: 0
Byte Count (BCC): 0

No. Time Source Destination Protocol
Info
22 2.915064 192.168.1.4 192.168.1.3 SMB
Close Request, FID: 0x1e1f

Frame 22 (99 bytes on wire, 99 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.902707000
[Time delta from previous packet: 0.000430000 seconds]
[Time since reference or first frame: 2.915064000 seconds]
Frame Number: 22
Packet Length: 99 bytes
Capture Length: 99 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst:
Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3
(192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 85
Identification: 0x92c6 (37574)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe484 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port:
microsoft-ds (445), Seq: 1397, Ack: 886, Len: 45
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 1397 (relative sequence number)
[Next sequence number: 1442 (relative sequence number)]
Acknowledgement number: 886 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16107
Checksum: 0x86cd [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 21]
[The RTT to ACK the segment was: 0.000430000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 41
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 23]
SMB Command: Close (0x04)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .1.. = Security Signatures: Security
signatures are supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 65279
User ID: 101
Multiplex ID: 56321
Close Request (0x04)
Word Count (WCT): 3
FID: 0x1e1f
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 17]
[Closed in: 22]
Last Write: No time specified (0xffffffff)
Byte Count (BCC): 0

No. Time Source Destination Protocol
Info
23 2.918907 192.168.1.3 192.168.1.4 SMB
Close Response

Frame 23 (93 bytes on wire, 93 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.906550000
[Time delta from previous packet: 0.003843000 seconds]
[Time since reference or first frame: 2.918907000 seconds]
Frame Number: 23
Packet Length: 93 bytes
Capture Length: 93 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst:
Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4
(192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 79
Identification: 0x3966 (14694)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7ddb [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port:
3257 (3257), Seq: 886, Ack: 1442, Len: 39
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 886 (relative sequence number)
[Next sequence number: 925 (relative sequence number)]
Acknowledgement number: 1442 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0xc46a [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 22]
[The RTT to ACK the segment was: 0.003843000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 35
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 22]
[Time from request: 0.003843000 seconds]
SMB Command: Close (0x04)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc801
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 65279
User ID: 101
Multiplex ID: 56321
Close Response (0x04)
Word Count (WCT): 0
Byte Count (BCC): 0

No. Time Source Destination Protocol
Info
24 2.919679 192.168.1.4 192.168.1.3 SMB
NT Create AndX Request, Path: \Nasdrive5\shared\test\KleineGruppeDatei

Frame 24 (224 bytes on wire, 224 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.907322000
[Time delta from previous packet: 0.000772000 seconds]
[Time since reference or first frame: 2.919679000 seconds]
Frame Number: 24
Packet Length: 224 bytes
Capture Length: 224 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst:
Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3
(192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 210
Identification: 0x92c7 (37575)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe406 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port:
microsoft-ds (445), Seq: 1442, Ack: 925, Len: 170
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 1442 (relative sequence number)
[Next sequence number: 1612 (relative sequence number)]
Acknowledgement number: 925 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16068
Checksum: 0x367d [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 23]
[The RTT to ACK the segment was: 0.000772000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 166
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 25]
SMB Command: NT Create AndX (0xa2)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .1.. = Security Signatures: Security
signatures are supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56385
NT Create AndX Request (0xa2)
Word Count (WCT): 24
AndXCommand: No further commands (0xff)
Reserved: 00
AndXOffset: 57054
Reserved: 00
File Name Len: 80
Create Flags: 0x00000010
.... .... .... .... .... .... ...1 .... = Extended Response:
Extended responses required
.... .... .... .... .... .... .... 0... = Create Directory:
Target of open can be a file
.... .... .... .... .... .... .... .0.. = Batch Oplock: Does
NOT request batch oplock
.... .... .... .... .... .... .... ..0. = Exclusive Oplock:
Does NOT request oplock
Root FID: 0x00000000
Access Mask: 0x00020080
0... .... .... .... .... .... .... .... = Generic Read:
Generic read is NOT set
.0.. .... .... .... .... .... .... .... = Generic Write:
Generic write is NOT set
..0. .... .... .... .... .... .... .... = Generic Execute:
Generic execute is NOT set
...0 .... .... .... .... .... .... .... = Generic All:
Generic all is NOT set
.... ..0. .... .... .... .... .... .... = Maximum Allowed:
Maximum allowed is NOT set
.... ...0 .... .... .... .... .... .... = System Security:
System security is NOT set
.... .... ...0 .... .... .... .... .... = Synchronize: Can
NOT wait on handle to synchronize on completion of I/O
.... .... .... 0... .... .... .... .... = Write Owner: Can
NOT write owner (take ownership)
.... .... .... .0.. .... .... .... .... = Write DAC: Owner
may NOT write to the DAC
.... .... .... ..1. .... .... .... .... = Read Control: READ
ACCESS to owner, group and ACL of the SID
.... .... .... ...0 .... .... .... .... = Delete: NO delete
access
.... .... .... .... .... ...0 .... .... = Write Attributes:
NO write attributes access
.... .... .... .... .... .... 1... .... = Read Attributes:
READ ATTRIBUTES access
.... .... .... .... .... .... .0.. .... = Delete Child: NO
delete child access
.... .... .... .... .... .... ..0. .... = Execute: NO
execute access
.... .... .... .... .... .... ...0 .... = Write EA: NO write
extended attributes access
.... .... .... .... .... .... .... 0... = Read EA: NO read
extended attributes access
.... .... .... .... .... .... .... .0.. = Append: NO append
access
.... .... .... .... .... .... .... ..0. = Write: NO write access
.... .... .... .... .... .... .... ...0 = Read: NO read access
Allocation Size: 0
File Attributes: 0x00000000
.... .... .... .... .0.. .... .... .... = Encrypted: This is
NOT an encrypted file
.... .... .... .... ..0. .... .... .... = Content Indexed:
This file MAY be indexed by the content indexing service
.... .... .... .... ...0 .... .... .... = Offline: This file
is NOT offline
.... .... .... .... .... 0... .... .... = Compressed: This
is NOT a compressed file
.... .... .... .... .... .0.. .... .... = Reparse Point:
This file does NOT have an associated reparse point
.... .... .... .... .... ..0. .... .... = Sparse: This is
NOT a sparse file
.... .... .... .... .... ...0 .... .... = Temporary: This is
NOT a temporary file
.... .... .... .... .... .... 0... .... = Normal: This file
has some attribute set
.... .... .... .... .... .... .0.. .... = Device: This is
NOT a device
.... .... .... .... .... .... ..0. .... = Archive: This file
has NOT been modified since last archive
.... .... .... .... .... .... ...0 .... = Directory: This is
NOT a directory
.... .... .... .... .... .... .... 0... = Volume ID: This is
NOT a volume ID
.... .... .... .... .... .... .... .0.. = System: This is
NOT a system file
.... .... .... .... .... .... .... ..0. = Hidden: This is
NOT a hidden file
.... .... .... .... .... .... .... ...0 = Read Only: This
file is NOT read only
Share Access: 0x00000007
.... .... .... .... .... .... .... .1.. = Delete: Object can
be shared for DELETE
.... .... .... .... .... .... .... ..1. = Write: Object can
be shared for WRITE
.... .... .... .... .... .... .... ...1 = Read: Object can
be shared for READ
Disposition: Open (if file exists open it, else fail) (1)
Create Options: 0x00200000
.... .... .... .... .... .... .... ...0 = Directory: File
being created/opened must not be a directory
.... .... .... .... .... .... .... ..0. = Write Through:
Writes need not flush buffered data before completing
.... .... .... .... .... .... .... .0.. = Sequential Only:
The file might not only be accessed sequentially
.... .... .... .... .... .... .... 0... = Intermediate
Buffering: Intermediate buffering is allowed
.... .... .... .... .... .... ...0 .... = Sync I/O Alert:
Operations NOT necessarily synchronous
.... .... .... .... .... .... ..0. .... = Sync I/O Nonalert:
Operations NOT necessarily synchronous
.... .... .... .... .... .... .0.. .... = Non-Directory:
File being created/opened must be a directory
.... .... .... .... .... .... 0... .... = Create Tree
Connection: Create Tree Connections is NOT set
.... .... .... .... .... ...0 .... .... = Complete If
Oplocked: Complete if oplocked is NOT set
.... .... .... .... .... ..0. .... .... = No EA Knowledge:
The client understands extended attributes
.... .... .... .... .... .0.. .... .... = 8.3 Only: The
client understands long file names
.... .... .... .... .... 0... .... .... = Random Access: The
file will not be accessed randomly
.... .... .... .... ...0 .... .... .... = Delete On Close:
The file should not be deleted when it is closed
.... .... .... .... ..0. .... .... .... = Open By FileID:
OpenByFileID is NOT set
.... .... .... .... .0.. .... .... .... = Backup Intent:
This is a normal create
.... .... .... .... 0... .... .... .... = No Compression:
Compression is allowed for Open/Create
.... .... ...0 .... .... .... .... .... = Reserve Opfilter:
Reserve Opfilter is NOT set
.... .... ..1. .... .... .... .... .... = Open Reparse
Point: Open a Reparse Point
.... .... .0.. .... .... .... .... .... = Open No Recall:
Open no recall is NOT set
.... .... 0... .... .... .... .... .... = Open For Free
Space query: This is NOT an open for free space query
Impersonation: Impersonation (2)
Security Flags: 0x00
.... ...0 = Context Tracking: Security tracking mode is STATIC
.... ..0. = Effective Only: ALL aspects of the client's
security context are available
Byte Count (BCC): 83
File Name: \Nasdrive5\shared\test\KleineGruppeDatei

No. Time Source Destination Protocol
Info
25 2.923559 192.168.1.3 192.168.1.4 SMB
NT Create AndX Response, FID: 0x1e20

Frame 25 (161 bytes on wire, 161 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.911202000
[Time delta from previous packet: 0.003880000 seconds]
[Time since reference or first frame: 2.923559000 seconds]
Frame Number: 25
Packet Length: 161 bytes
Capture Length: 161 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst:
Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4
(192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 147
Identification: 0x3967 (14695)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7d96 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port:
3257 (3257), Seq: 925, Ack: 1612, Len: 107
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 925 (relative sequence number)
[Next sequence number: 1032 (relative sequence number)]
Acknowledgement number: 1612 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0x5d2c [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 24]
[The RTT to ACK the segment was: 0.003880000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 103
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 24]
[Time from request: 0.003880000 seconds]
SMB Command: NT Create AndX (0xa2)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc801
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56385
NT Create AndX Response (0xa2)
Word Count (WCT): 34
AndXCommand: No further commands (0xff)
Reserved: 00
AndXOffset: 0
Oplock level: No oplock granted (0)
FID: 0x1e20
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 25]
[Closed in: 30]
Create action: The file existed and was opened (1)
Created: Apr 12, 2007 16:25:34.000000000
Last Access: Apr 12, 2007 16:25:34.000000000
Last Write: Apr 12, 2007 16:25:34.000000000
Change: Apr 12, 2007 16:25:34.000000000
File Attributes: 0x00000020
.... .... .... .... .0.. .... .... .... = Encrypted: This is
NOT an encrypted file
.... .... .... .... ..0. .... .... .... = Content Indexed:
This file MAY be indexed by the content indexing service
.... .... .... .... ...0 .... .... .... = Offline: This file
is NOT offline
.... .... .... .... .... 0... .... .... = Compressed: This
is NOT a compressed file
.... .... .... .... .... .0.. .... .... = Reparse Point:
This file does NOT have an associated reparse point
.... .... .... .... .... ..0. .... .... = Sparse: This is
NOT a sparse file
.... .... .... .... .... ...0 .... .... = Temporary: This is
NOT a temporary file
.... .... .... .... .... .... 0... .... = Normal: This file
has some attribute set
.... .... .... .... .... .... .0.. .... = Device: This is
NOT a device
.... .... .... .... .... .... ..1. .... = Archive: This file
has been modified since last ARCHIVE
.... .... .... .... .... .... ...0 .... = Directory: This is
NOT a directory
.... .... .... .... .... .... .... 0... = Volume ID: This is
NOT a volume ID
.... .... .... .... .... .... .... .0.. = System: This is
NOT a system file
.... .... .... .... .... .... .... ..0. = Hidden: This is
NOT a hidden file
.... .... .... .... .... .... .... ...0 = Read Only: This
file is NOT read only
Allocation Size: 1048576
End Of File: 0
File Type: Disk file or directory (0)
IPC State: 0x0007
0... .... .... .... = Nonblocking: Reads/writes block if no
data available
.0.. .... .... .... = Endpoint: Consumer end of pipe (0)
.... 00.. .... .... = Pipe Type: Byte stream pipe (0)
.... ..00 .... .... = Read Mode: Read pipe as a byte stream (0)
.... .... 0000 0111 = Icount: 7
Is Directory: This is NOT a directory (0)
Byte Count (BCC): 0

No. Time Source Destination Protocol
Info
26 2.923941 192.168.1.4 192.168.1.3 SMB
NT Trans Request, NT QUERY SECURITY DESC, FID: 0x1e20

Frame 26 (142 bytes on wire, 142 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.911584000
[Time delta from previous packet: 0.000382000 seconds]
[Time since reference or first frame: 2.923941000 seconds]
Frame Number: 26
Packet Length: 142 bytes
Capture Length: 142 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst:
Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3
(192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 128
Identification: 0x92c8 (37576)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe457 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port:
microsoft-ds (445), Seq: 1612, Ack: 1032, Len: 88
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 1612 (relative sequence number)
[Next sequence number: 1700 (relative sequence number)]
Acknowledgement number: 1032 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 17520
Checksum: 0x2972 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 25]
[The RTT to ACK the segment was: 0.000382000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 84
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 27]
SMB Command: NT Trans (0xa0)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .1.. = Security Signatures: Security
signatures are supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56449
NT Trans Request (0xa0)
Word Count (WCT): 19
Max Setup Count: 0
Reserved: 0000
Total Parameter Count: 8
Total Data Count: 0
Max Parameter Count: 4
Max Data Count: 0
Parameter Count: 8
Parameter Offset: 76
Data Count: 0
Data Offset: 0
Setup Count: 0
Function: NT QUERY SECURITY DESC (6)
Byte Count (BCC): 11
Padding: 000000
NT QUERY SECURITY DESC Parameters
FID: 0x1e20
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 25]
[Closed in: 30]
Reserved: 0000
Security Information: 0x00000004
.... .... .... .... .... .... .... ...0 = Owner: NOT
requesting owner security information
.... .... .... .... .... .... .... ..0. = Group: NOT
requesting group security information
.... .... .... .... .... .... .... .1.. = DACL:
Requesting DACL security information
.... .... .... .... .... .... .... 0... = SACL: NOT
requesting SACL security information

No. Time Source Destination Protocol
Info
27 2.927879 192.168.1.3 192.168.1.4 SMB
NT Trans Response, NT QUERY SECURITY DESC, Error: STATUS_BUFFER_TOO_SMALL

Frame 27 (136 bytes on wire, 136 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.915522000
[Time delta from previous packet: 0.003938000 seconds]
[Time since reference or first frame: 2.927879000 seconds]
Frame Number: 27
Packet Length: 136 bytes
Capture Length: 136 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst:
Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4
(192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 122
Identification: 0x3968 (14696)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7dae [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port:
3257 (3257), Seq: 1032, Ack: 1700, Len: 82
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 1032 (relative sequence number)
[Next sequence number: 1114 (relative sequence number)]
Acknowledgement number: 1700 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0xe24d [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 26]
[The RTT to ACK the segment was: 0.003938000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 78
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 26]
[Time from request: 0.003938000 seconds]
SMB Command: NT Trans (0xa0)
NT Status: STATUS_BUFFER_TOO_SMALL (0xc0000023)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc841
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .1.. .... = Long Names Used: Path names in request
are long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56449
NT Trans Response (0xa0)
Function: NT QUERY SECURITY DESC (6)
Word Count (WCT): 18
Reserved: 000000
Total Parameter Count: 4
Total Data Count: 0
Parameter Count: 4
Parameter Offset: 74
Parameter Displacement: 0
Data Count: 0
Data Offset: 0
Data Displacement: 0
Setup Count: 0
Byte Count (BCC): 7
Padding: 000000
NT QUERY SECURITY DESC Parameters
NT Security Descriptor Length: 156

No. Time Source Destination Protocol
Info
28 2.928246 192.168.1.4 192.168.1.3 SMB
NT Trans Request, NT QUERY SECURITY DESC, FID: 0x1e20

Frame 28 (142 bytes on wire, 142 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.915889000
[Time delta from previous packet: 0.000367000 seconds]
[Time since reference or first frame: 2.928246000 seconds]
Frame Number: 28
Packet Length: 142 bytes
Capture Length: 142 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst:
Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3
(192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 128
Identification: 0x92c9 (37577)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe456 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port:
microsoft-ds (445), Seq: 1700, Ack: 1114, Len: 88
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 1700 (relative sequence number)
[Next sequence number: 1788 (relative sequence number)]
Acknowledgement number: 1114 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 17438
Checksum: 0x4d19 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 27]
[The RTT to ACK the segment was: 0.000367000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 84
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 29]
SMB Command: NT Trans (0xa0)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .1.. = Security Signatures: Security
signatures are supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56513
NT Trans Request (0xa0)
Word Count (WCT): 19
Max Setup Count: 0
Reserved: 0000
Total Parameter Count: 8
Total Data Count: 0
Max Parameter Count: 4
Max Data Count: 156
Parameter Count: 8
Parameter Offset: 76
Data Count: 0
Data Offset: 0
Setup Count: 0
Function: NT QUERY SECURITY DESC (6)
Byte Count (BCC): 11
Padding: 000000
NT QUERY SECURITY DESC Parameters
FID: 0x1e20
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 25]
[Closed in: 30]
Reserved: 0000
Security Information: 0x00000004
.... .... .... .... .... .... .... ...0 = Owner: NOT
requesting owner security information
.... .... .... .... .... .... .... ..0. = Group: NOT
requesting group security information
.... .... .... .... .... .... .... .1.. = DACL:
Requesting DACL security information
.... .... .... .... .... .... .... 0... = SACL: NOT
requesting SACL security information

No. Time Source Destination Protocol
Info
29 2.932058 192.168.1.3 192.168.1.4 SMB
NT Trans Response, NT QUERY SECURITY DESC

Frame 29 (292 bytes on wire, 292 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.919701000
[Time delta from previous packet: 0.003812000 seconds]
[Time since reference or first frame: 2.932058000 seconds]
Frame Number: 29
Packet Length: 292 bytes
Capture Length: 292 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst:
Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4
(192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 278
Identification: 0x3969 (14697)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7d11 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port:
3257 (3257), Seq: 1114, Ack: 1788, Len: 238
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 1114 (relative sequence number)
[Next sequence number: 1352 (relative sequence number)]
Acknowledgement number: 1788 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0x8f4a [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 28]
[The RTT to ACK the segment was: 0.003812000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 234
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 28]
[Time from request: 0.003812000 seconds]
SMB Command: NT Trans (0xa0)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc841
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .1.. .... = Long Names Used: Path names in request
are long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 1220
User ID: 101
Multiplex ID: 56513
NT Trans Response (0xa0)
Function: NT QUERY SECURITY DESC (6)
Word Count (WCT): 18
Reserved: 000000
Total Parameter Count: 4
Total Data Count: 156
Parameter Count: 4
Parameter Offset: 74
Parameter Displacement: 0
Data Count: 156
Data Offset: 78
Data Displacement: 0
Setup Count: 0
Byte Count (BCC): 163
Padding: 000000
NT QUERY SECURITY DESC Parameters
NT Security Descriptor Length: 156
NT QUERY SECURITY DESC Data
NT Security Descriptor
Revision: 1
Type: 0x9004
1... .... .... .... = Self Relative: This SecDesc is
SELF RELATIVE
.0.. .... .... .... = RM Control Valid: Rm control
valid is FALSE
..0. .... .... .... = SACL Protected: The SACL is
NOT protected
...1 .... .... .... = DACL Protected: The DACL is
PROTECTED
.... 0... .... .... = SACL Auto Inherited: SACL is
NOT auto inherited
.... .0.. .... .... = DACL Auto Inherited: DACL is
NOT auto inherited
.... ..0. .... .... = SACL Auto Inherit Required:
SACL does NOT require auto inherit
.... ...0 .... .... = DACL Auto Inherit Required:
DACL does NOT require auto inherit
.... .... 0... .... = Server Security: Server
security is FALSE
.... .... .0.. .... = DACL Trusted: Dacl trusted is
FALSE
.... .... ..0. .... = SACL Defaulted: SACL is NOT
defaulted
.... .... ...0 .... = SACL Present: SACL is NOT present
.... .... .... 0... = DACL Defaulted: DACL is NOT
defaulted
.... .... .... .1.. = DACL Present: DACL is PRESENT
.... .... .... ..0. = Group Defaulted: Group is NOT
defaulted
.... .... .... ...0 = Owner Defaulted: Owner is NOT
defaulted
Offset to owner SID: 0
Offset to group SID: 0
Offset to SACL: 0
Offset to DACL: 20
NT User (DACL) ACL
Revision: NT4 (2)
Size: 136
Num ACEs: 4
NT ACE: S-1-5-21-1214440339-113007714-839522115-500,
flags 0x00, Access Allowed, mask 0x001f01ff
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed
accesses will not be audited
.0.. .... = Audit Successful Accesses:
Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not
inherited from its parent object
.... 0... = Inherit Only: This ACE applies
to the current object
.... .0.. = Non-Propagate Inherit:
Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate
containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate
files will not inherit this ACE
Size: 36
Access required: 0x001f01ff
Generic rights: 0x00000000
0... .... .... .... .... .... .... ....
= Generic read: Not set
.0.. .... .... .... .... .... .... ....
= Generic write: Not set
..0. .... .... .... .... .... .... ....
= Generic execute: Not set
...0 .... .... .... .... .... .... ....
= Generic all: Not set
.... ..0. .... .... .... .... .... .... =
Maximum allowed: Not set
.... .... 0... .... .... .... .... .... =
Access SACL: Not set
Standard rights: 0x001f0000
.... .... ...1 .... .... .... .... ....
= Synchronise: Set
.... .... .... 1... .... .... .... ....
= Write owner: Set
.... .... .... .1.. .... .... .... ....
= Write DAC: Set
.... .... .... ..1. .... .... .... ....
= Read control: Set
.... .... .... ...1 .... .... .... ....
= Delete: Set
FILE specific rights: 0x000001ff
[FULL CONTROL]
.... .... .... .... .... ...1 .... ....
= Write Attribute: Set
.... .... .... .... .... .... 1... ....
= Read Attribute: Set
.... .... .... .... .... .... ..1. ....
= Execute: Set
.... .... .... .... .... .... ...1 ....
= Write EA: Set
.... .... .... .... .... .... .... 1...
= Read EA: Set
.... .... .... .... .... .... .... .1..
= Append Data: Set
.... .... .... .... .... .... .... ..1.
= Write Data: Set
.... .... .... .... .... .... .... ...1
= Read Data: Set
ACE: S-1-5-21-1214440339-113007714-839522115-500
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities:
21-1214440339-113007714-839522115
RID: 500 (Administrator)
NT ACE:
S-1-5-21-1214440339-113007714-839522115-25226, flags 0x00, Access
Allowed, mask 0x001200a9
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed
accesses will not be audited
.0.. .... = Audit Successful Accesses:
Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not
inherited from its parent object
.... 0... = Inherit Only: This ACE applies
to the current object
.... .0.. = Non-Propagate Inherit:
Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate
containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate
files will not inherit this ACE
Size: 36
Access required: 0x001200a9
Generic rights: 0x00000000
0... .... .... .... .... .... .... ....
= Generic read: Not set
.0.. .... .... .... .... .... .... ....
= Generic write: Not set
..0. .... .... .... .... .... .... ....
= Generic execute: Not set
...0 .... .... .... .... .... .... ....
= Generic all: Not set
.... ..0. .... .... .... .... .... .... =
Maximum allowed: Not set
.... .... 0... .... .... .... .... .... =
Access SACL: Not set
Standard rights: 0x00120000
.... .... ...1 .... .... .... .... ....
= Synchronise: Set
.... .... .... 0... .... .... .... ....
= Write owner: Not set
.... .... .... .0.. .... .... .... ....
= Write DAC: Not set
.... .... .... ..1. .... .... .... ....
= Read control: Set
.... .... .... ...0 .... .... .... ....
= Delete: Not set
FILE specific rights: 0x000000a9
.... .... .... .... .... ...0 .... ....
= Write Attribute: Not set
.... .... .... .... .... .... 1... ....
= Read Attribute: Set
.... .... .... .... .... .... ..1. ....
= Execute: Set
.... .... .... .... .... .... ...0 ....
= Write EA: Not set
.... .... .... .... .... .... .... 1...
= Read EA: Set
.... .... .... .... .... .... .... .0..
= Append Data: Not set
.... .... .... .... .... .... .... ..0.
= Write Data: Not set
.... .... .... .... .... .... .... ...1
= Read Data: Set
ACE: S-1-5-21-1214440339-113007714-839522115-25226
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities:
21-1214440339-113007714-839522115
RID: 25226
NT ACE: S-1-5-21-1214440339-113007714-839522115-513,
flags 0x00, Access Allowed, mask 0x0012019f
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed
accesses will not be audited
.0.. .... = Audit Successful Accesses:
Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not
inherited from its parent object
.... 0... = Inherit Only: This ACE applies
to the current object
.... .0.. = Non-Propagate Inherit:
Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate
containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate
files will not inherit this ACE
Size: 36
Access required: 0x0012019f
Generic rights: 0x00000000
0... .... .... .... .... .... .... ....
= Generic read: Not set
.0.. .... .... .... .... .... .... ....
= Generic write: Not set
..0. .... .... .... .... .... .... ....
= Generic execute: Not set
...0 .... .... .... .... .... .... ....
= Generic all: Not set
.... ..0. .... .... .... .... .... .... =
Maximum allowed: Not set
.... .... 0... .... .... .... .... .... =
Access SACL: Not set
Standard rights: 0x00120000
.... .... ...1 .... .... .... .... ....
= Synchronise: Set
.... .... .... 0... .... .... .... ....
= Write owner: Not set
.... .... .... .0.. .... .... .... ....
= Write DAC: Not set
.... .... .... ..1. .... .... .... ....
= Read control: Set
.... .... .... ...0 .... .... .... ....
= Delete: Not set
FILE specific rights: 0x0000019f
.... .... .... .... .... ...1 .... ....
= Write Attribute: Set
.... .... .... .... .... .... 1... ....
= Read Attribute: Set
.... .... .... .... .... .... ..0. ....
= Execute: Not set
.... .... .... .... .... .... ...1 ....
= Write EA: Set
.... .... .... .... .... .... .... 1...
= Read EA: Set
.... .... .... .... .... .... .... .1..
= Append Data: Set
.... .... .... .... .... .... .... ..1.
= Write Data: Set
.... .... .... .... .... .... .... ...1
= Read Data: Set
ACE: S-1-5-21-1214440339-113007714-839522115-513
Revision: 1
Num Auth: 5
Authority: 5
Sub-authorities:
21-1214440339-113007714-839522115
RID: 513 (Domain Users)
NT ACE: S-1-1-0, flags 0x00, Access Allowed, mask
0x0012019f
Type: Access Allowed (0)
NT ACE Flags: 0x00
0... .... = Audit Failed Accesses: Failed
accesses will not be audited
.0.. .... = Audit Successful Accesses:
Successful accesses will not be audited
...0 .... = Inherited ACE: This ACE was not
inherited from its parent object
.... 0... = Inherit Only: This ACE applies
to the current object
.... .0.. = Non-Propagate Inherit:
Subordinate object will propagate the inherited ACE further
.... ..0. = Container Inherit: Subordinate
containers will not inherit this ACE
.... ...0 = Object Inherit: Subordinate
files will not inherit this ACE
Size: 20
Access required: 0x0012019f
Generic rights: 0x00000000
0... .... .... .... .... .... .... ....
= Generic read: Not set
.0.. .... .... .... .... .... .... ....
= Generic write: Not set
..0. .... .... .... .... .... .... ....
= Generic execute: Not set
...0 .... .... .... .... .... .... ....
= Generic all: Not set
.... ..0. .... .... .... .... .... .... =
Maximum allowed: Not set
.... .... 0... .... .... .... .... .... =
Access SACL: Not set
Standard rights: 0x00120000
.... .... ...1 .... .... .... .... ....
= Synchronise: Set
.... .... .... 0... .... .... .... ....
= Write owner: Not set
.... .... .... .0.. .... .... .... ....
= Write DAC: Not set
.... .... .... ..1. .... .... .... ....
= Read control: Set
.... .... .... ...0 .... .... .... ....
= Delete: Not set
FILE specific rights: 0x0000019f
.... .... .... .... .... ...1 .... ....
= Write Attribute: Set
.... .... .... .... .... .... 1... ....
= Read Attribute: Set
.... .... .... .... .... .... ..0. ....
= Execute: Not set
.... .... .... .... .... .... ...1 ....
= Write EA: Set
.... .... .... .... .... .... .... 1...
= Read EA: Set
.... .... .... .... .... .... .... .1..
= Append Data: Set
.... .... .... .... .... .... .... ..1.
= Write Data: Set
.... .... .... .... .... .... .... ...1
= Read Data: Set
ACE: S-1-1-0
Revision: 1
Num Auth: 1
Authority: 1
Sub-authorities: 0

No. Time Source Destination Protocol
Info
30 2.932521 192.168.1.4 192.168.1.3 SMB
Close Request, FID: 0x1e20

Frame 30 (99 bytes on wire, 99 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.920164000
[Time delta from previous packet: 0.000463000 seconds]
[Time since reference or first frame: 2.932521000 seconds]
Frame Number: 30
Packet Length: 99 bytes
Capture Length: 99 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Microsof_b2:36:88 (00:03:ff:b2:36:88), Dst:
Softing_09:ff:dc (00:06:71:09:ff:dc)
Destination: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 192.168.1.3
(192.168.1.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 85
Identification: 0x92ca (37578)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xe480 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.4 (192.168.1.4)
Destination: 192.168.1.3 (192.168.1.3)
Transmission Control Protocol, Src Port: 3257 (3257), Dst Port:
microsoft-ds (445), Seq: 1788, Ack: 1352, Len: 45
Source port: 3257 (3257)
Destination port: microsoft-ds (445)
Sequence number: 1788 (relative sequence number)
[Next sequence number: 1833 (relative sequence number)]
Acknowledgement number: 1352 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 17200
Checksum: 0x7f2d [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 29]
[The RTT to ACK the segment was: 0.000463000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 41
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 31]
SMB Command: Close (0x04)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xd807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...1 .... .... .... = Dfs: Resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .1.. = Security Signatures: Security
signatures are supported
.... .... .... ..1. = Extended Attributes: Extended
attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 65279
User ID: 101
Multiplex ID: 56577
Close Request (0x04)
Word Count (WCT): 3
FID: 0x1e20
[File Name: \Nasdrive5\shared\test\KleineGruppeDatei]
[Opened in: 25]
[Closed in: 30]
Last Write: No time specified (0xffffffff)
Byte Count (BCC): 0

No. Time Source Destination Protocol
Info
31 2.936432 192.168.1.3 192.168.1.4 SMB
Close Response

Frame 31 (93 bytes on wire, 93 bytes captured)
Arrival Time: Apr 16, 2007 16:40:15.924075000
[Time delta from previous packet: 0.003911000 seconds]
[Time since reference or first frame: 2.936432000 seconds]
Frame Number: 31
Packet Length: 93 bytes
Capture Length: 93 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:nbss:smb]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap ||
netbios]
Ethernet II, Src: Softing_09:ff:dc (00:06:71:09:ff:dc), Dst:
Microsof_b2:36:88 (00:03:ff:b2:36:88)
Destination: Microsof_b2:36:88 (00:03:ff:b2:36:88)
Address: Microsof_b2:36:88 (00:03:ff:b2:36:88)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Source: Softing_09:ff:dc (00:06:71:09:ff:dc)
Address: Softing_09:ff:dc (00:06:71:09:ff:dc)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4
(192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 79
Identification: 0x396a (14698)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x7dd7 [correct]
[Good: True]
[Bad : False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port:
3257 (3257), Seq: 1352, Ack: 1833, Len: 39
Source port: microsoft-ds (445)
Destination port: 3257 (3257)
Sequence number: 1352 (relative sequence number)
[Next sequence number: 1391 (relative sequence number)]
Acknowledgement number: 1833 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 10220
Checksum: 0xc110 [correct]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 30]
[The RTT to ACK the segment was: 0.003911000 seconds]
NetBIOS Session Service
Message Type: Session message
Length: 35
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 30]
[Time from request: 0.003911000 seconds]
SMB Command: Close (0x04)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x88
1... .... = Request/Response: Message is a response to the
client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...0 .... = Canonicalized Pathnames: Pathnames are not
canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not
been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc801
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT
error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads
if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation:
Extended security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request
are not long file names
.... .... .... .0.. = Security Signatures: Security
signatures are not supported
.... .... .... ..0. = Extended Attributes: Extended
attributes are not supported
.... .... .... ...1 = Long Names Allowed: Long file names
are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 3
Process ID: 65279
User ID: 101
Multiplex ID: 56577
Close Response (0x04)
Word Count (WCT): 0
Byte Count (BCC): 0
