This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SMB2 - Packet Capture - Understanding

0

Just looking to improve my knowledge of SMB2 and get some answers to the protocol's behaviour.

I captured myself opening the file t.xlsx in the _Tom Kelly folder. I captured the file being opened, and the capture of that opening is clear, with the create and read of the file. However at frame 114 the exact same file is opened again, even though I didn't open the file a second time. I was looking for an insight as to why this may be happening.

I see further opening and closing that SMB2 is carrying out of the file and other files within the directory and understand this to be SMB2 gathering information on the file status/attributes.

I am hoping to attach the Excel spreadsheet showing the capture.

You can copy the output/images into MSPaint to get a better view of it.

Any help is greatly appreciated.

Cheers.


asked 19 Oct '16, 20:58


krazynedkelly
11226
accept rate: 0%

edited 19 Oct '16, 22:27


One Answer:

1

Looking at the trace file from an Excel point of view is a bit, hmm, unusual and challenging.

Sometimes individual bits in the SMB or SMB2 commands offer a bit more insight, like share options, block sizes etc.

I could imagine that your anti-virus is scanning the file before allowing Excel to open it.

Can you confirm if you have an anti-virus that is covering this share? You might want to exclude this folder from scans, then re-run your trace. And please, don't forget to re-enable AV.

There are other possibilities:

  • Some mojo software tries to copy the file to a local drive for later offline access.
  • The file is being copied to the "Previous versions" graveyard.

These scenarios can be investigated with local tools like the Microsoft performance monitor.

answered 21 Oct '16, 02:43


packethunter
2.1k71548
accept rate: 8%
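To narrow down which opens are unexpected before checking the AV or offline-files theories above, it helps to list every SMB2 CREATE request for the same file and the time between them. The following is an added example, not code from the thread: it parses the tab-separated output of an assumed tshark field export (command and field names are shown in the comment) and reports files opened more than once in a session. The sample lines are constructed to mirror the question (frames 12 and 114 opening t.xlsx).

```python
from collections import defaultdict

# Constructed sample of a tshark field export, assumed to come from:
#   tshark -r trace.pcapng -Y "smb2.cmd == 5 && smb2.flags.response == 0" \
#     -T fields -e frame.number -e frame.time_relative -e smb2.sesid -e smb2.filename
# SMB2 command 5 is CREATE; the filter keeps only the requests, not the responses.
SAMPLE_EXPORT = "\n".join("\t".join(row) for row in [
    ("12",  "0.104211", "0x0000000000000445", r"_Tom Kelly\t.xlsx"),
    ("40",  "0.221450", "0x0000000000000445", r"_Tom Kelly"),
    ("114", "1.873902", "0x0000000000000445", r"_Tom Kelly\t.xlsx"),
    ("131", "1.902777", "0x0000000000000445", r"_Tom Kelly\~$t.xlsx"),
])


def parse_create_requests(export):
    """Turn tshark's tab-separated lines into (frame, seconds, session id, filename)."""
    rows = []
    for line in export.splitlines():
        if not line.strip():
            continue
        frame, rel_time, sesid, name = line.split("\t")
        rows.append((int(frame), float(rel_time), sesid, name))
    return rows


def repeated_opens(rows):
    """Group CREATE requests by (session, filename) and keep only files opened
    more than once. Each entry lists (frame, seconds since the previous open)."""
    by_file = defaultdict(list)
    for frame, rel_time, sesid, name in rows:
        by_file[(sesid, name)].append((frame, rel_time))
    result = {}
    for key, opens in by_file.items():
        if len(opens) < 2:
            continue
        opens.sort(key=lambda o: o[1])
        result[key] = [
            (frame, round(t - opens[i - 1][1], 6) if i else 0.0)
            for i, (frame, t) in enumerate(opens)
        ]
    return result


if __name__ == "__main__":
    # Print the repeats so they can be compared with local tools (e.g. Performance Monitor).
    for (sesid, name), opens in repeated_opens(parse_create_requests(SAMPLE_EXPORT)).items():
        print(f"session {sesid}: {name} opened {len(opens)} times")
        for frame, gap in opens:
            print(f"  frame {frame:>6}  +{gap:.6f}s since previous open")
```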

Cheers for the response. This is some great insight with the limited information provided. I will check to see if the anti-virus software is performing the scan. Is there a way to upload the actual packet capture? I didn't see any button for such attachments. Once again thanks for the great response.

(25 Oct '16, 23:07) krazynedkelly

You can upload it either to cloudshark or some other publicly accessible place like Dropbox or Google Drive.

(25 Oct '16, 23:32) Christian_R