
I need to track down who marked what files for deletion, and when. This is on a network shared drive on a Windows server. If someone can help me set up a capture that will only look for SMB requests and tell me how to crunch that data, that would be great!

asked 30 Sep '13, 10:12

trogdor3000

I think you're much more likely to solve your issue by using the built-in Windows auditing tools to track file deletions. A little Googling came up with this; I have no idea if it works, though.


answered 30 Sep '13, 10:37

grahamb

edited 30 Sep '13, 10:38

This does not give the IP of the machine or the username of the user making the requests. I know there is a request being sent that is marking files for deletion.

(30 Sep '13, 10:39) trogdor3000

A brief test with my own SMB system (a run-of-the-mill SMB sharing NAS appliance) shows that Windows will delete files using the "delete on close" disposition status. You can filter for this using "smb.disposition.delete_on_close == 1"; however, there might be other states used that cause a file to be deleted. To best diagnose the issue you will probably want to look at all SMB traffic, filter for each IP host (roughly sorting out your users so you know who is doing what) and then look for file info sets with the filter "smb.trans2.cmd == 0x0008". Hope this helps!


answered 30 Sep '13, 11:46

ipchains1
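Added example, not part of the thread above and not something either answerer posted: a small script that turns the "filter on delete-on-close, then sort by IP host" approach into a per-host, per-user, per-file report. It assumes tshark is used to extract fields from the capture; the two field names quoted in the answer ("smb.disposition.delete_on_close", "smb.trans2.cmd") come from the page, while "smb2.disposition.delete_on_close", "ntlmssp.auth.username", "smb.file", "smb2.filename", "smb.fid" and "smb2.fid" are assumed Wireshark field names. It further assumes that tshark fills in the generated file-name field for a FID whose open it saw earlier in the capture, and that one user authenticates per client IP (the same rough per-host sorting the answer suggests). The TSV rows in SAMPLE_TSV are constructed, not from a real capture.

```python
#!/usr/bin/env python3
"""Crunch tshark field output into a "who deleted what, and when" report.

The TSV consumed here is what tshark_command() prints: one row per frame
that either sets delete-on-close (SMB1 or SMB2) or carries an NTLMSSP AUTH
message (which holds the user name). Field names other than the two the
answer quotes are assumptions about Wireshark's dissectors, as is the fact
that tshark fills in the generated file-name field when it saw the open.
"""
import datetime
import shlex
import sys
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Frames that mark a file for deletion, plus NTLMSSP authentication so the
# user name behind each client IP can be learned (assumed field names).
DISPLAY_FILTER = (
    "smb.disposition.delete_on_close == 1 || "
    "smb2.disposition.delete_on_close == 1 || "
    "ntlmssp.auth.username"
)
# Column order of the TSV; crunch() relies on it.
FIELDS = [
    "frame.time_epoch",        # when
    "ip.src",                  # which client host
    "ntlmssp.auth.username",   # set only on AUTH frames
    "smb.file",                # SMB1 file name (generated from the earlier open)
    "smb2.filename",           # SMB2 file name (likewise)
    "smb.fid",                 # fallbacks when the open was not captured
    "smb2.fid",
]


def tshark_command(pcap: str) -> str:
    """Build the tshark invocation whose output crunch() consumes."""
    argv = ["tshark", "-r", pcap, "-Y", DISPLAY_FILTER,
            "-T", "fields", "-E", "separator=/t", "-E", "header=n"]
    for field in FIELDS:
        argv += ["-e", field]
    return " ".join(shlex.quote(arg) for arg in argv)


@dataclass
class Deletion:
    when: datetime.datetime
    host: str
    user: str
    path: str


def crunch(tsv_lines: Iterable[str]) -> List[Deletion]:
    """Turn TSV rows into deletions attributed to a host and (if seen) a user.

    Assumes one user per client IP: the most recent NTLMSSP AUTH from an IP
    names the user for that IP's later deletions. Sessions set up before the
    capture began, or authenticated with Kerberos, show up as "unknown".
    """
    user_by_host: Dict[str, str] = {}
    deletions: List[Deletion] = []
    for line in tsv_lines:
        if not line.strip():
            continue
        cols = line.rstrip("\n").split("\t")
        cols += [""] * (len(FIELDS) - len(cols))      # tolerate missing trailing columns
        epoch, src, user, name1, name2, fid1, fid2 = cols[:len(FIELDS)]
        if user:
            user_by_host[src] = user
            continue
        path = name1 or name2
        if not path:
            path = f"fid {fid1 or fid2 or '?'} (open not in capture)"
        when = datetime.datetime.fromtimestamp(float(epoch), tz=datetime.timezone.utc)
        deletions.append(Deletion(when, src, user_by_host.get(src, "unknown"), path))
    return deletions


def report(deletions: Iterable[Deletion]) -> str:
    """Group deletions by client host, oldest first within each host."""
    by_host = defaultdict(list)
    for d in deletions:
        by_host[d.host].append(d)
    lines = []
    for host in sorted(by_host):
        lines.append(f"== {host} ==")
        for d in sorted(by_host[host], key=lambda d: d.when):
            lines.append(f"{d.when:%Y-%m-%d %H:%M:%S}Z  {d.user:<12} {d.path}")
    return "\n".join(lines)


# Constructed sample rows (not from a real capture), in FIELDS order.
SAMPLE_TSV = [
    "\t".join(["1380537720.100000000", "192.0.2.10", "jdoe", "", "", "", ""]),
    "\t".join(["1380537731.500000000", "192.0.2.10", "", "\\reports\\q3.xlsx", "", "0x4001", ""]),
    "\t".join(["1380537790.250000000", "192.0.2.25", "", "", "\\budget.docx", "", "0x0000000d-00000001"]),
    "\t".join(["1380537801.000000000", "192.0.2.10", "", "", "", "0x4002", ""]),
]

if __name__ == "__main__":
    pcap = sys.argv[1] if len(sys.argv) > 1 else "share.pcapng"
    rows = open(pcap + ".tsv").read().splitlines() if len(sys.argv) > 1 else SAMPLE_TSV
    print("# extract with:", tshark_command(pcap), file=sys.stderr)
    print(report(crunch(rows)))
```

Run the printed tshark command against the capture first, save its output as share.pcapng.tsv, then feed it to the script. Two caveats a practitioner should keep in mind: a delete-on-close request carries only the FID, so the file name is available only if the open was inside the capture window (otherwise the row falls back to the FID), and the user name is only learned from NTLMSSP session setups that happened during the capture, so long-lived or Kerberos-authenticated sessions come out as "unknown" and need the IP-to-user mapping supplied another way.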

question was seen: 3,376 times

last updated: 30 Sep '13, 11:46