This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tracking down file deletions on a network share

0

I need to track down who marked what files for deletion when. This is on a network shared drive on a Windows server. If someone can help me set up a capture that will only look for SMB requests and tell me how to crunch that data, that would be great!

asked 30 Sep '13, 10:12


trogdor3000
accept rate: 0%


2 Answers:

0

I think you're much more likely to solve your issue by using the built-in Windows auditing tools to track file deletions. A little Googling came up with this, I have no idea if it works though.

answered 30 Sep '13, 10:37


grahamb ♦
accept rate: 22%

edited 30 Sep '13, 10:38

This does not give the IP of the machines or the username of the user making the requests. I know there is a request being sent that is marking files for deletion.

(30 Sep '13, 10:39) trogdor3000

0

A brief test with my own SMB system (a run of the mill SMB sharing NAS appliance) shows that Windows will delete files using the "delete on close" disposition status. You can filter for this using "smb.disposition.delete_on_close == 1", however there might be other states used that cause a file to be deleted. To best diagnose the issue you will probably want to look at all SMB traffic, filter for each IP host (roughly sorting out your users so you know who is doing what) and then look for file info sets with the filter "smb.trans2.cmd == 0x0008". Hope this helps!

answered 30 Sep '13, 11:46


ipchains1
accept rate: 0%
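The two answers above leave one practical gap: the delete-on-close request itself carries the client IP and the path, but not the account name, which only appears in the Session Setup that authenticated that TCP connection. The following script is an added example (not from the original thread or from any of the posters) showing how to post-process a `tshark -T fields` export so that each deletion is attributed to the user whose Session Setup preceded it on the same `ip.src`/`tcp.stream`. The tshark command in the docstring, the `smb2.*` field names and the join on `tcp.stream` are assumptions to verify against your Wireshark version; the input lines are constructed, not captured.

```python
"""Correlate SMB "delete on close" requests with the user who sent them.

Assumed tshark extraction (not part of the original thread; check field names
against your Wireshark version before relying on it):

  tshark -r share.pcap \
    -Y "ntlmssp.auth.username || smb.disposition.delete_on_close == 1 \
        || smb2.disposition.delete_on_close == 1" \
    -T fields -E separator=/t \
    -e frame.time_epoch -e ip.src -e tcp.stream \
    -e ntlmssp.auth.username -e smb.file -e smb2.filename
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of the tab-separated output the command above would produce.
# Rows with a username are NTLMSSP Session Setup requests; rows with a path are
# delete-on-close requests. Stream 8 has no Session Setup in the capture.
SAMPLE_TSV = """\
1380560000.10\t10.0.0.21\t3\talice\t\t
1380560001.50\t10.0.0.21\t3\t\t\\Reports\\q3.xlsx\t
1380560002.00\t10.0.0.37\t5\tbob\t\t
1380560005.25\t10.0.0.37\t5\t\t\t\\Shared\\old\\notes.txt
1380560007.00\t10.0.0.99\t8\t\t\\Temp\\scratch.tmp\t
"""

FIELD_COUNT = 6  # frame.time_epoch, ip.src, tcp.stream, username, smb.file, smb2.filename


def parse_rows(tsv):
    """Split tshark's tab-separated export into dicts; tolerates missing trailing fields."""
    rows = []
    for line in tsv.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (FIELD_COUNT - len(parts))
        ts, src, stream, user, smb1_path, smb2_path = parts[:FIELD_COUNT]
        rows.append({
            "ts": float(ts),
            "src": src,
            "stream": stream,
            "user": user,
            # Only one of the two filename fields is populated per request.
            "path": smb1_path or smb2_path,
        })
    return rows


def correlate_deletions(tsv):
    """Return deletion records, each tagged with the account whose Session Setup
    was last seen on the same (ip.src, tcp.stream) before the request."""
    session_user = {}  # (ip.src, tcp.stream) -> username from Session Setup
    deletions = []
    for row in sorted(parse_rows(tsv), key=lambda r: r["ts"]):
        key = (row["src"], row["stream"])
        if row["user"]:
            session_user[key] = row["user"]
            continue
        if row["path"]:
            deletions.append({
                "time": datetime.fromtimestamp(row["ts"], tz=timezone.utc).isoformat(),
                "src": row["src"],
                "user": session_user.get(key, "<unknown: Session Setup not in capture>"),
                "path": row["path"],
            })
    return deletions


def by_host(deletions):
    """Group deletion records per client IP, matching the per-host sorting suggested above."""
    report = defaultdict(list)
    for d in deletions:
        report[d["src"]].append(d)
    return dict(report)


if __name__ == "__main__":
    for host, records in by_host(correlate_deletions(SAMPLE_TSV)).items():
        print(host)
        for r in records:
            print(f"  {r['time']}  {r['user']:<40} {r['path']}")
```

Two caveats when running this against a real capture. The username join only works for NTLM-authenticated sessions; on a domain where clients use Kerberos, the account name travels inside the encrypted ticket and will not be visible, so the record falls back to the client IP, which is exactly the limitation the first answer's pointer to Windows object access auditing avoids (the server's Security log records the account directly). Second, a file can also be marked for deletion at open time via the FILE_DELETE_ON_CLOSE create option rather than a later Set Info, so extend the display filter to cover that path as well if the disposition filter alone misses deletions you know happened.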