Skip to content

Instantly share code, notes, and snippets.

@orgads
Last active August 29, 2015 14:27
Show Gist options
  • Save orgads/d2681881668afb9cb08f to your computer and use it in GitHub Desktop.
Save orgads/d2681881668afb9cb08f to your computer and use it in GitHub Desktop.
No. Time Source Destination Protocol Length Info
3 0.302038 10.33.5.130 10.1.0.14 SMB 178 Trans2 Request, FIND_FIRST2, Pattern: \CompilationResults
Frame 3: 178 bytes on wire (1424 bits), 178 bytes captured (1424 bits)
Ethernet II, Src: Universa_47:01:18 (fc:4d:d4:47:01:18), Dst: CheckPoi_3f:a9:5c (00:1c:7f:3f:a9:5c)
Internet Protocol Version 4, Src: 10.33.5.130 (10.33.5.130), Dst: 10.1.0.14 (10.1.0.14)
Transmission Control Protocol, Src Port: 64227 (64227), Dst Port: microsoft-ds (445), Seq: 1, Ack: 1, Len: 124
NetBIOS Session Service
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response in: 4]
SMB Command: Trans2 (0x32)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xc807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... ...0 .... = Security Signatures Required: Security signatures are not required
.... .... .... 0... = Compressed: Compression is not requested
.... .... .... .1.. = Security Signatures: Security signatures are supported
.... .... .... ..1. = Extended Attributes: Extended attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 1
Process ID: 7572
User ID: 1
Multiplex ID: 2048
Trans2 Request (0x32)
Word Count (WCT): 15
Total Parameter Count: 52
Total Data Count: 0
Max Parameter Count: 10
Max Data Count: 16384
Max Setup Count: 0
Reserved: 00
Flags: 0x0000
.... .... .... ..0. = One Way Transaction: Two way transaction
.... .... .... ...0 = Disconnect TID: Do NOT disconnect TID
Timeout: Return immediately (0)
Reserved: 0000
Parameter Count: 52
Parameter Offset: 68
Data Count: 0
Data Offset: 0
Setup Count: 1
Reserved: 00
Subcommand: FIND_FIRST2 (0x0001)
Byte Count (BCC): 55
Padding: 000000
FIND_FIRST2 Parameters
Search Attributes: 0x0016
.... .... .... ...0 = Read Only: Do NOT include read only files in search results
.... .... .... ..1. = Hidden: Include HIDDEN files in search results
.... .... .... .1.. = System: Include SYSTEM files in search results
.... .... .... 0... = Volume ID: Do NOT include volume IDs in search results
.... .... ...1 .... = Directory: Include DIRECTORIES in search results
.... .... ..0. .... = Archive: Do NOT include archive files in search results
Search Count: 1366
Flags: 0x0007
.... .... ...0 .... = Backup Intent: No backup intent
.... .... .... 0... = Continue: New search, do NOT continue from previous position
.... .... .... .1.. = Resume: Return RESUME keys
.... .... .... ..1. = Close on EOS: CLOSE search if END OF SEARCH is reached
.... .... .... ...1 = Close: CLOSE search after this request
Level of Interest: Find File Both Directory Info (260)
Storage Type: 0
Search Pattern: \CompilationResults
No. Time Source Destination Protocol Length Info
4 0.303174 10.1.0.14 10.33.5.130 SMB 256 Trans2 Response, FIND_FIRST2, Files: CompilationResults
Frame 4: 256 bytes on wire (2048 bits), 256 bytes captured (2048 bits)
Ethernet II, Src: CheckPoi_3f:a9:5c (00:1c:7f:3f:a9:5c), Dst: Universa_47:01:18 (fc:4d:d4:47:01:18)
Internet Protocol Version 4, Src: 10.1.0.14 (10.1.0.14), Dst: 10.33.5.130 (10.33.5.130)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 64227 (64227), Seq: 1, Ack: 125, Len: 202
NetBIOS Session Service
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
[Response to: 3]
[Time from request: 0.001136000 seconds]
SMB Command: Trans2 (0x32)
Error Class: Success (0x00)
Reserved: 00
Error Code: No Error
Flags: 0x98
1... .... = Request/Response: Message is a response to the client/redirector
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0x8807
1... .... .... .... = Unicode Strings: Strings are Unicode
.0.. .... .... .... = Error Code Type: Error codes are DOS error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path
.... .... .0.. .... = Long Names Used: Path names in request are not long file names
.... .... ...0 .... = Security Signatures Required: Security signatures are not required
.... .... .... 0... = Compressed: Compression is not requested
.... .... .... .1.. = Security Signatures: Security signatures are supported
.... .... .... ..1. = Extended Attributes: Extended attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 1
Process ID: 7572
User ID: 1
Multiplex ID: 2048
Trans2 Response (0x32)
Subcommand: FIND_FIRST2 (0x0001)
[Level of Interest: Find File Both Directory Info (260)]
[Search Pattern: \CompilationResults]
Word Count (WCT): 10
Total Parameter Count: 10
Total Data Count: 132
Reserved: 0000
Parameter Count: 10
Parameter Offset: 56
Parameter Displacement: 0
Data Count: 132
Data Offset: 66
Data Displacement: 0
Setup Count: 0
Reserved: 00
Byte Count (BCC): 143
Padding: 00
FIND_FIRST2 Parameters
Level of Interest: Find File Both Directory Info (260)
Search ID: 0x0001
Search Count: 1
End Of Search: 1
EA Error offset: 0
Last Name Offset: 94
FIND_FIRST2 Data
Find File Both Directory Info File: CompilationResults
Next Entry Offset: 132
File Index: 0
Created: Jan 27, 2015 22:03:32.770176900 Jerusalem Standard Time
Last Access: Aug 19, 2015 03:46:24.062238300 Jerusalem Daylight Time
Last Write: Jul 7, 2015 10:46:21.767213400 Jerusalem Daylight Time
Change: Jul 7, 2015 10:46:21.767213400 Jerusalem Daylight Time
End Of File: 0
Allocation Size: 0
File Attributes: 0x00000030
.... .... .... .... .0.. .... .... .... = Encrypted: This is NOT an encrypted file
.... .... .... .... ..0. .... .... .... = Content Indexed: This file MAY be indexed by the content indexing service
.... .... .... .... ...0 .... .... .... = Offline: This file is NOT offline
.... .... .... .... .... 0... .... .... = Compressed: This is NOT a compressed file
.... .... .... .... .... .0.. .... .... = Reparse Point: This file does NOT have an associated reparse point
.... .... .... .... .... ..0. .... .... = Sparse: This is NOT a sparse file
.... .... .... .... .... ...0 .... .... = Temporary: This is NOT a temporary file
.... .... .... .... .... .... 0... .... = Normal: This file has some attribute set
.... .... .... .... .... .... .0.. .... = Device: This is NOT a device
.... .... .... .... .... .... ..1. .... = Archive: This file has been modified since last ARCHIVE
.... .... .... .... .... .... ...1 .... = Directory: This is a DIRECTORY
.... .... .... .... .... .... .... 0... = Volume ID: This is NOT a volume ID
.... .... .... .... .... .... .... .0.. = System: This is NOT a system file
.... .... .... .... .... .... .... ..0. = Hidden: This is NOT a hidden file
.... .... .... .... .... .... .... ...0 = Read Only: This file is NOT read only
File Name Len: 36
EA List Length: 0
Short File Name Len: 16
Reserved: 00
Short File Name: COMPI~ZE
File Name: CompilationResults
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment